05-14-2014 02:44 AM
Hello,
I have a bit of a situation here: my packets from the DMZ to the outside interface are being rejected by the DMZ interface's implicit deny rule. Even when I add an extended implicit allow any any rule to that interface, the traffic is still blocked by the implicit deny rule. Traffic flow from the inside to the outside is OK. Below is part of the running config I have; is there anything I am missing?
Access-Lists
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any 192.168.4.0 255.255.255.0
access-group dmz_access_in in interface dmz
PAT
global (outside) 101 interface
nat (inside) 0 access-list outside_1_cryptomap
nat (inside) 101 Server1 255.255.255.255
nat (inside) 101 Server2 255.255.255.255
nat (inside) 101 Server3 255.255.255.255
nat (dmz) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 MY_ISP_PUB_IP DEFAULT GW 1
: end
05-14-2014 03:08 AM
Hi,
What is the security level configured for your DMZ and outside interfaces? If both security levels are the same, then you need to have
same-security-traffic permit inter-interface
Run the packet-tracer command for troubleshooting:
packet-tracer input dmz protocol x.x.x.x 8080 4.2.2.2 80 [detailed] [xml]
HTH
Sandy
05-15-2014 01:25 AM
The DMZ is on security level 50. I have, however, tried putting it on the same security level as the outside interface after the same-security-traffic permit inter-interface command, but no luck. Below is my packet-tracer output.
<Phase>
<id>1</id>
<type>ROUTE-LOOKUP</type>
<subtype>input</subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
in 0.0.0.0 0.0.0.0 outside
</extra>
</Phase>
<Phase>
<id>2</id>
<type>ACCESS-LIST</type>
<subtype></subtype>
<result>DROP</result>
<config>
Implicit Rule
</config>
<extra>
</extra>
</Phase>
<result>
<input-interface>dmz</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>outside</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>
05-15-2014 01:30 AM
Hi,
Kindly share your system config with me. Let me check for any configuration errors.
HTH
Sandy
05-15-2014 08:18 AM
The 192.168.4.0 network is the one not accessing the internet.
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
names
name 192.168.94.24 ABCtest_Server description NHL test server
name 192.168.94.0 ABCNETWORK description NHL INTERNAL NW
name 192.168.180.2 ABCLinux description ABCRouter
name 10.XXXXXXXXXX SW description SW
name 196.XXXXXXXXXX AT description AT
name 196.XXXXXXXXXX AD description AD
name 192.168.180.4 WXZ description WXZ
name 10.XXXXXXXXXX QW description AIRTIME_RW_MTN
name 44.XXXXXXXXXX ABCPublic_Address description NHL Public Address
name 192.168.5.0 GY description GYNetwork
name 192.168.180.5 GY_Connection description GY_Connection
name 192.168.4.1 Wifi_Connection description Wifi_Connection
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
switchport access vlan 245
!
interface Ethernet0/4
switchport trunk allowed vlan 245
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 20
!
interface Ethernet0/6
speed 94
duplex full
!
interface Ethernet0/7
speed 94
duplex full
!
interface Vlan1
nameif inside
security-level 94
ip address 192.168.180.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 41.XXXXXXXXXXXXXXXXXXXXXXXX 255.255.255.252
!
interface Vlan4
nameif dmz
security-level 0
ip address Wifi_Connection 255.255.255.0
!
ftp mode passive
clock timezone EAT 3
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 41.XXXXXXXXXXXX
name-server 41.XXXXXXXXXXXX
name-server 41.XXXXXXXXXXXX
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network ABCRouter
object-group service ABCEmail
description ABCEmail
service-object tcp eq smtp
object-group service ABCl_Server
description ABCl_Server
service-object tcp eq https
object-group service SSH_ACCESS
service-object tcp eq 22
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object udp
service-object tcp
service-object icmp traceroute
service-object tcp-udp eq www
object-group service Access
description Access From Outside
service-object tcp eq 8080
object-group service QQTVirtualhost
service-object tcp eq 8089
service-object tcp eq 9400
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq www
service-object icmp
object-group service DM_INLINE_SERVICE_3
service-object tcp-udp
service-object udp
service-object tcp-udp eq www
service-object tcp eq www
service-object tcp eq https
object-group network GY
network-object GY 255.255.255.0
access-list outside_1_cryptomap extended permit ip host WXZ host QW
access-list outside_1_cryptomap extended permit ip host QW host WXZ
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit ip any interface outside log alerts
access-list outside_access_in extended permit tcp any interface outside eq 22
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq 8089
access-list outside_access_in extended permit tcp any interface outside eq 9400
access-list outside_access_in extended permit ip host WXZ any
access-list outside_access_in extended permit tcp any interface outside eq 2202
access-list outside_access_in extended permit object-group TCPUDP any host WXZ eq sip
access-list outside_access_in extended permit tcp any interface outside eq 3306
access-list outside_access_in extended permit tcp any interface outside eq 8090
access-list outside_access_in extended permit ip host GY_Connection any
access-list outside_2_cryptomap extended permit ip host WXZ host AT
access-list outside_2_cryptomap extended permit ip host AT host WXZ
access-list GY_access_in extended permit ip GY 255.255.255.0 any
access-list GY_access_in extended permit icmp GY 255.255.255.0 any
pager lines 24
logging enable
logging asdm errors
mtu inside 50
mtu outside 50
mtu dmz 50
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list outside_1_cryptomap
nat (inside) 101 ABCLinux 255.255.255.255
nat (inside) 101 WXZ 255.255.255.255
nat (inside) 101 GY_Connection 255.255.255.255
nat (inside) 101 192.168.4.0 255.255.255.0
static (inside,outside) tcp interface smtp ABCLinux smtp netmask 255.255.255.255
static (inside,outside) tcp interface https ABCLinux https netmask 255.255.255.255
static (inside,outside) tcp interface www ABCLinux www netmask 255.255.255.255
static (inside,outside) tcp interface telnet ABCLinux telnet netmask 255.255.255.255
static (inside,outside) tcp interface 2222 ABCLinux 2222 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 ABCLinux 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 8089 WXZ 8089 netmask 255.255.255.255
static (inside,outside) tcp interface 9400 ABCLinux 9400 netmask 255.255.255.255
static (inside,outside) tcp interface 2202 WXZ ssh netmask 255.255.255.255
static (inside,outside) tcp interface sip WXZ sip netmask 255.255.255.255
static (inside,outside) tcp interface 3306 WXZ 3306 netmask 255.255.255.255
static (inside,outside) tcp interface 8090 WXZ www netmask 255.255.255.255
static (inside,outside) udp interface sip WXZ sip netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 41.XXXXXXXXXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 4430
http 50.XXXXXXXXXXXX 255.255.255.255 outside
http 192.168.180.0 255.255.255.0 inside
http 41.XXXXXXXXXXXX outside
http 41.XXXXXXXXXXXX outside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp nat-traversal 200
telnet 192.168.180.0 255.255.255.0 inside
telnet ABCNETWORK 255.255.255.0 inside
telnet timeout 5
ssh 192.168.180.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 41.XXXXXXXXXXXX 41.XXXXXXXXXXXX interface inside
!
priority-queue inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-filter value outside_1_cryptomap
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-filter value outside_2_cryptomap
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username helpdesk password encrypted privilege 15
tunnel-group 41.XXXXXXXXXXXX type ipsec-l2l
tunnel-group 41.XXXXXXXXXXXX ipsec-attributes
pre-shared-key
tunnel-group 196.XXXXXXXXXX type ipsec-l2l
tunnel-group 196.XXXXXXXXXX general-attributes
default-group-policy GroupPolicy2
tunnel-group 196.XXXXXXXXXX ipsec-attributes
pre-shared-key
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:wvf048c8f486c1661168cf8fcf87d5cf
: end
05-15-2014 08:18 AM
Hi,
I do see this configuration is missing from your output above. Either keep the any any ACL rule or only allow access from 192.168.4.0/24 to any (better to keep 192.168.4.0 to any):
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any 192.168.4.0 255.255.255.0
access-list dmz_access_in extended permit ip 192.168.4.0 255.255.255.0 any
access-group dmz_access_in in interface dmz
Kindly check and let me know.
HTH
Sandy
05-16-2014 01:18 AM
Hi,
I had only those ACEs during testing, but I have put them back and the result is the same. The packets are being dropped.
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
05-16-2014 02:41 AM
Hi,
Change the security level to 90 from 0. Apply this ACL and bind it to the interface. Let me know if any issue is foreseen.
HTH
Sandy
05-17-2014 01:25 AM
I have changed the security level to 90 but no luck. The packets are still being dropped with packet-tracer input dmz tcp 192.168.4.1 555 8.8.8.8 www detailed.
But strangely, with packet-tracer input inside tcp 192.168.4.1 555 8.8.8.8 www detailed the packet is allowed. I have already bound the access-list dmz_access_in extended permit ip any any to the DMZ interface.
05-17-2014 05:33 AM
Hi,
Here is the catch, missed in my earlier investigation. Thanks.
nat (inside) 101 192.168.4.0 255.255.255.0
Change it to dmz:
nat (dmz) 101 192.168.4.0 255.255.255.0
Ensure the ACL is configured and bound to the interface.
HTH
Sandy
05-20-2014 07:57 AM
Hi,
No luck either. I had that line originally; I have entered no nat (inside) 101 192.168.4.0 255.255.255.0 and replaced it with nat (dmz) 101 192.168.4.0 255.255.255.0. Below is my packet-tracer result.
Result of the command: "packet-tracer input dmz tcp 192.168.4.1 3883 8.8.8.8 www"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
When I check the logs, here is the message I get. Does this mean anything?
2 | May 20 2014 | 17:21:18 | Deny IP spoof from (Wireless_Connection) to 8.8.8.8 on interface dmz |
05-20-2014 08:14 AM
Further on, the explanation says a packet arrived at the adaptive security appliance interface that has a destination IP address of 0. This explanation is on the line in the logs. What could this mean?
05-20-2014 08:43 AM
Hi,
Configure this command; it should work after that:
ip verify reverse-path interface dmz
HTH
Sandy
05-20-2014 09:06 AM
No luck either.
Result of the command: "packet-tracer input dmz tcp 192.168.4.1 2829 8.8.8.8 www"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in Wireless_Connection 255.255.255.255 identity
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
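As an added example (not from the thread, and not a Cisco tool), a small Python parser for the text-mode packet-tracer output pasted above: it extracts the final action and drop reason from a trace and flags the situation visible in this last trace, where the reverse route lookup on the source address resolves to an identity route, meaning the source address used in the trace belongs to the ASA itself (192.168.4.1 is the dmz interface address in the posted config). The function names are my own; the sample trace is copied from the post above.

```python
# Text-mode packet-tracer output, copied from the rpf-violated trace in this thread.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in Wireless_Connection 255.255.255.255 identity
Result:
input-interface: dmz
output-interface: outside
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""


def parse_packet_tracer(text):
    """Split text-mode packet-tracer output into per-phase dicts plus the final summary."""
    phases, final, cur = [], {"extra": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": line.split(":", 1)[1].strip(), "extra": []}
            phases.append(cur)
        elif line == "Result:":                 # a bare "Result:" opens the summary block
            cur = final
        elif cur is None or not line:
            continue
        elif ":" in line and not line.startswith("in "):
            key, _, value = line.partition(":")  # "Drop-reason: (acl-drop) ..." etc.
            cur[key.strip().lower()] = value.strip()
        else:                                   # free-form lines: routes, "Implicit Rule", ...
            cur["extra"].append(line)
    return {"phases": phases, "final": final}


def drop_reason(trace):
    """Drop reason from the summary block, or None when the flow was allowed."""
    final = trace["final"]
    return final.get("drop-reason") if final.get("action") == "drop" else None


def source_is_firewall_address(trace):
    """True when a ROUTE-LOOKUP phase resolved an address to an 'identity' route,
    i.e. the traced source is one of the ASA's own interface addresses."""
    return any(p.get("type") == "ROUTE-LOOKUP" and any(e.endswith(" identity") for e in p["extra"])
               for p in trace["phases"])
```

Feed it the earlier acl-drop trace and `drop_reason` returns "(acl-drop) Flow is denied by configured rule" while `source_is_firewall_address` stays False, since no reverse-path check ran there.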
05-21-2014 06:25 AM
Hi,
Share the following output from your device:
show running-config | in access-group
show xlate
show nat
show route
show runn | in ip verify
It should work if everything is configured correctly.
HTH
Sandy