ASA 5510 ACL Return Packet

gaigl
Level 3

Hi,

I've got a problem with the ACLs on an ASA 5510 cluster:

The connected client cannot resolve DNS; the log says:

%ASA-session-5-106100: access-list ACL-INSIDE denied udp inside/172.27.xxx.1(53) -> outside/192.168.xxx.8(59893) hit-cnt 1 first hit [0x932a8f72, 0x0]

(This must be the return packet of the DNS query.)

where 172.27.xxx.1 is the DNS server in the inside network, and 192.168.xxx.8 is the virtual address.

I've got an access list which permits the virtual address "ip" to the DNS server.

The same configuration on the test machine (no cluster) works!

(It's an active/standby single-context failover config.)

Could the problem be caused by the cluster?

Thank you

Karl

9 Replies

Haitham Jaradat
Cisco Employee

Can you send over the configuration you have on your ASA? Also, a topology would be helpful.

Hi,

How can I send you a PDF and a .txt?

The config is too big to edit all the addresses and so on.

Thank you

Karl

You can attach them to this thread if you don't mind.

No, these files are not for the public, and anyway, I could only attach photos.

Tell you something: can you send me the output of:

show access-list ACL-INSIDE

and show run access-group

rou-ara27-rz-12/act/pri# sh run access-group

access-group ACL-INSIDE in interface inside

access-group inside_access_out out interface inside

access-group ACL-OUTSIDE in interface outside

rou-ara27-rz-12/act/pri# show access-

rou-ara27-rz-12/act/pri# show access-list ACL-INSIDE

access-list ACL-INSIDE; 11 elements; name hash: 0xfb5f17a8

access-list ACL-INSIDE line 1 extended permit icmp any any object-group ICMP-HARMLOS (hitcnt=0) 0x1a753992

  access-list ACL-INSIDE line 1 extended permit icmp any any echo (hitcnt=0) 0xc4ed471c

  access-list ACL-INSIDE line 1 extended permit icmp any any echo-reply (hitcnt=0) 0xd14f0043

  access-list ACL-INSIDE line 1 extended permit icmp any any unreachable (hitcnt=0) 0x92b03f68

  access-list ACL-INSIDE line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0xaa821c16

access-list ACL-INSIDE line 2 extended permit ip object VPN-NET object-group DM_INLINE_NETWORK_3 log debugging interval 300 0x658c9759

  access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 172.27.0.0 255.255.0.0 log debugging interval 300 (hitcnt=0) 0xc31eaf76

  access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ1$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x34d68ea6

  access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ2$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x7df14a53

  access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ3$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x1aa12e0c

access-list ACL-INSIDE line 3 extended permit esp object VPN-NET object DMZ_III log debugging interval 300 (hitcnt=0) 0x2d7346ad

  access-list ACL-INSIDE line 3 extended permit esp 192.168.xxx.0 255.255.255.0 $DMZ3$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x2d7346ad

access-list ACL-INSIDE line 4 extended deny icmp any any log informational interval 300 (hitcnt=0) 0x2bcd80f1

access-list ACL-INSIDE line 5 remark CleanUp Rule with raised log level

access-list ACL-INSIDE line 6 extended deny ip any any log notifications interval 300 (hitcnt=0) 0x932a8f72

rou-ara27-rz-12/act/pri#
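The hex value inside the brackets of the 106100 message is the hash ID of the access-control entry that produced the hit. The same 0x932a8f72 appears against line 6 of ACL-INSIDE in the output above, the cleanup deny ip any any, so the reply is not being caught by a mis-written permit but by the final deny. Because the ASA is stateful, the reply of a permitted connection is matched against the connection table and never evaluated by the interface ACL; a DNS reply (source port 53) reaching the inside-in ACL at all means this unit had no connection entry for the query. The script below is an added example, not code from the thread: it parses a 106100 line and show access-list output, correlates the two by hash ID, and flags service-port-to-ephemeral-port packets that look like return traffic. The sample log line and ACL text are constructed from the thread, with the redacted octets replaced by made-up values.

```python
"""Correlate an ASA %ASA-x-106100 ACL log line with the ACE that matched it.

Added example; not part of the forum thread. Sample data below is
reconstructed from the thread with redacted octets replaced.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the denial from the thread, 'xxx' octets replaced.
SAMPLE_LOG = (
    "%ASA-session-5-106100: access-list ACL-INSIDE denied udp "
    "inside/172.27.10.1(53) -> outside/192.168.50.8(59893) "
    "hit-cnt 1 first hit [0x932a8f72, 0x0]"
)

# Constructed sample: abbreviated 'show access-list ACL-INSIDE' output.
SAMPLE_ACL = """\
access-list ACL-INSIDE; 11 elements; name hash: 0xfb5f17a8
access-list ACL-INSIDE line 1 extended permit icmp any any object-group ICMP-HARMLOS (hitcnt=0) 0x1a753992
  access-list ACL-INSIDE line 1 extended permit icmp any any echo (hitcnt=0) 0xc4ed471c
access-list ACL-INSIDE line 2 extended permit ip object VPN-NET object-group DM_INLINE_NETWORK_3 log debugging interval 300 0x658c9759
  access-list ACL-INSIDE line 2 extended permit ip 192.168.50.0 255.255.255.0 172.27.0.0 255.255.0.0 log debugging interval 300 (hitcnt=0) 0xc31eaf76
access-list ACL-INSIDE line 4 extended deny icmp any any log informational interval 300 (hitcnt=0) 0x2bcd80f1
access-list ACL-INSIDE line 5 remark CleanUp Rule with raised log level
access-list ACL-INSIDE line 6 extended deny ip any any log notifications interval 300 (hitcnt=0) 0x932a8f72
"""

# 106100: access-list <acl> <action> <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>)
# hit-cnt <n> ... [<ace hash>, <second hash>]
LOG_RE = re.compile(
    r"%ASA-[\w-]*-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\w+) (?P<sif>[^/]+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/]+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
    r".*?\[(?P<hash>0x[0-9a-f]+), (?P<hash2>0x[0-9a-f]+)\]"
)

# One 'extended' ACE line; object/object-group parents carry no hitcnt,
# their indented expansions do. Remarks and the header do not match.
ACE_RE = re.compile(
    r"^\s*access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<body>.+?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))? (?P<hash>0x[0-9a-f]{8})$"
)


@dataclass
class Ace:
    acl: str
    line: int
    body: str
    hitcnt: Optional[int]
    hash_id: str
    expanded: bool  # indented child of an object/object-group ACE


def parse_access_list(text: str) -> List[Ace]:
    """Parse 'show access-list' output into ACE records (parents and children)."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue  # header, remark, or prompt line
        hits = int(m["hits"]) if m["hits"] is not None else None
        aces.append(Ace(m["acl"], int(m["line"]), m["body"], hits,
                        m["hash"], raw.startswith(" ")))
    return aces


def parse_106100(line: str) -> Optional[dict]:
    """Return the fields of a 106100 syslog line, or None if it is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def matching_ace(log: dict, aces: List[Ace]) -> Optional[Ace]:
    """Find the ACE whose hash ID equals the first hash in the log line."""
    for ace in aces:
        if ace.acl == log["acl"] and ace.hash_id == log["hash"]:
            return ace
    return None


def looks_like_return_traffic(log: dict) -> bool:
    """Heuristic: TCP/UDP from a well-known service port to an ephemeral port
    is most likely the reply half of a flow (here DNS, 53 -> 59893). On a
    stateful ASA the reply of a permitted connection is handled by the
    connection table, not the interface ACL, so an ACL hit on such a packet
    means no connection entry existed on this unit."""
    if log["proto"] not in ("udp", "tcp"):
        return False
    return int(log["sport"]) < 1024 <= int(log["dport"])


def explain(log_line: str, acl_text: str) -> dict:
    """Tie a 106100 line to its ACE and summarise what the hit tells us."""
    log = parse_106100(log_line)
    if log is None:
        return {"parsed": False}
    ace = matching_ace(log, parse_access_list(acl_text))
    return {
        "parsed": True,
        "acl": log["acl"],
        "action": log["action"],
        "ace_line": ace.line if ace else None,
        "ace": ace.body if ace else None,
        "ace_hitcnt": ace.hitcnt if ace else None,
        "log_hits": int(log["hits"]),
        "looks_like_return_traffic": looks_like_return_traffic(log),
    }


if __name__ == "__main__":
    for key, value in explain(SAMPLE_LOG, SAMPLE_ACL).items():
        print(f"{key}: {value}")
```

Run against the sample data, the report names line 6 (deny ip any any) as the matching ACE and flags the packet as return traffic; it also shows the ACE's counter still at 0 while the log already reports hit-cnt 1, the discrepancy that was raised in the next reply.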

Something is wrong here: all the hit counts on all ACL entries are "zero". Did you reset the counters?

Let me make sure I understand this correctly:

You have clients on outside 192.168.xxx.8; they are trying to access a DNS server on inside 172.27.xxx.1, and you are getting the above-mentioned log message. Is that correct?

Are those clients VPN clients, or coming through L2L VPN? Can you also provide the output of show access-list inside_access_out

The clients have the tunnel addresses 192.168.xxx.5-250, correct

DNS server on inside 172.27..., correct

Log message... correct

The clients are AnyConnect 3.0 clients with SSL-VPN (DTLS)

access-list inside_access_out line 1 extended permit ip object VPN-NET object-group DM_INLINE_NETWORK_6 0x0abda03e

  access-list inside_access_out line 1 extended permit ip 192.168.xxx.0 255.255.255.0 172.27.0.0 255.255.0.0 (hitcnt=131) 0x801ca0fd

  access-list inside_access_out line 1 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ1$ 255.255.255.0 (hitcnt=0) 0x5e27403e

  access-list inside_access_out line 1 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ2$ 255.255.255.0 (hitcnt=0) 0x572f616b

  access-list inside_access_out line 1 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ3$ 255.255.255.0 (hitcnt=0) 0xd1c9abf5

access-list inside_access_out line 2 extended permit esp object VPN-NET object DMZ_III (hitcnt=0) 0xea19901f

  access-list inside_access_out line 2 extended permit esp 192.168.xxx.0 255.255.255.0 $DMZ1$ 255.255.255.0 (hitcnt=0) 0xea19901f

access-list inside_access_out line 3 extended permit udp interface inside object ACS-Server eq 1812 log informational interval 300 0xa5a4c349

  access-list inside_access_out line 3 extended permit udp interface inside range 192.168.x.x 192.168.x.x eq 1812 log informational interval 300 (hitcnt=0) 0xa5a4c349

rou-ara27-rz-12/act/pri#

You can see in the relevant line a hit count of 131

Can you perform the following:

cap cap in inside match udp eq 53

Attempt to connect to the DNS server from the client, then send me the output of show cap cap detail.
