New Member

ASA Access-List Denies TCP Response (established) traffic even though XLATE exists

Good Evening,

Recently, I'm having difficulty with my home office connectivity.  I have a 5510 ASA configured for dynamic PAT using the outside interface.  The setup is pretty basic, but I've noticed that HTTP/HTTPS traffic is getting denied coming back into the network even though an XLATE exists:

Mar 11 2014 23:32:16: %ASA-6-106100: access-list internet_in denied tcp outside/205.178.146.249(110) -> inside/192.168.1.135(50727) hit-cnt 1 first hit [0x72adbc92, 0x0]
fis-inet-fw01# show xlate | inc 50727
TCP PAT from inside:192.168.1.135/50727 to outside:50.165.144.4/50727 flags ri idle 0:00:15 timeout 0:05:00
fis-inet-fw01#

If I'm reading this correctly, the "return" traffic is being denied by ACL, but a valid XLATE exists which should permit the traffic.  I'm sure I've missed something simple, but I'm having trouble finding it.

Full config below:

*****# show run
: Saved
:
ASA Version 9.1(3)
!
hostname *****
domain-name *****
enable password ***** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ***** encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa913-k8.bin
boot system disk0:/asa912-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name *****
object network *****
 host 192.168.1.77
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 any4
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any4
access-list inside_in extended permit icmp any any
access-list internet_in extended permit tcp any object ***** eq 32400
access-list internet_in extended permit icmp any any
access-list internet_in extended deny ip any any log
pager lines 24
logging enable
logging timestamp
logging buffer-size 12000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.1.0 255.255.255.0 inside
icmp permit 192.168.10.0 255.255.255.252 inside
asdm image disk0:/asdm-714.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network *****
 nat (inside,outside) static interface service tcp 32400 32400
!
nat (inside,outside) after-auto source dynamic any interface
access-group internet_in in interface outside
access-group inside_in in interface inside
route inside 192.168.1.0 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:30:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username ***** password ***** encrypted privilege 15
username ***** password ***** encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:*****
: end
*****#

2 REPLIES
VIP Purple

At least you are looking at the wrong log-entries. You are talking about HTTP/HTTPS, but the dropped-packet-log is for POP3. So perhaps the problem is somewhere else.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Karsten, Thanks for the reply

Karsten,

Thanks for the reply.  I actually see denied packets for HTTP (80), HTTPS (443), POP3 (110), DNS (UDP53), SMTP (2525), RDP (3389), and other protocols.  In each case, if I do a "show xlate" command, I find a PAT xlate in the xlate table that should allow return traffic to come through.

It seems as if the ACL is not respecting the existing XLATE when determining whether or not to allow return traffic.
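A detail worth keeping in mind when reading these log entries: on the ASA an xlate is only an address mapping. What lets a reply skip the interface ACL is the connection (conn) entry, not the xlate, so a segment that arrives after the conn has been torn down, while the PAT xlate still exists (this config disables per-session PAT with `xlate per-session deny tcp`, so a TCP PAT entry outlives its connection for `timeout pat-xlate 0:05:00`), is untranslated to the inside address (which is why the 106100 message shows `inside/192.168.1.135(50727)`) and then evaluated against `internet_in`, which denies it. The script below is an added example written for this thread, not code from the poster or from Cisco. It parses `%ASA-6-106100` lines and `show xlate` PAT entries, joins them on the inside address and port, and labels each deny so that late replies to already-closed sessions can be separated from genuinely unsolicited inbound packets. The function names (`triage`, `classify`, `parse_acl_hits`, `parse_xlates`), the `EXTRA_SERVICE_PORTS` list and all sample lines other than the two quoted from the original post are assumptions constructed for the example.

```python
"""Triage ASA ACL denies (%ASA-6-106100) against "show xlate" output.

Added example for this thread, not code from the poster or from Cisco.
It joins each denied packet on its untranslated inside address and port
with the PAT table, so late replies to connections the ASA has already
torn down can be told apart from genuinely unsolicited inbound packets.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input. The first syslog line and the first xlate line are
# the ones quoted in the original post; the rest are made up here using
# documentation address ranges (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_SYSLOG = """\
Mar 11 2014 23:32:16: %ASA-6-106100: access-list internet_in denied tcp outside/205.178.146.249(110) -> inside/192.168.1.135(50727) hit-cnt 1 first hit [0x72adbc92, 0x0]
Mar 11 2014 23:33:02: %ASA-6-106100: access-list internet_in denied tcp outside/203.0.113.7(443) -> inside/192.168.1.135(50731) hit-cnt 1 first hit [0x72adbc92, 0x0]
Mar 11 2014 23:33:40: %ASA-6-106100: access-list internet_in denied udp outside/198.51.100.53(53) -> inside/192.168.1.135(60123) hit-cnt 1 first hit [0x72adbc92, 0x0]
Mar 11 2014 23:34:05: %ASA-6-106100: access-list internet_in denied tcp outside/198.51.100.9(41234) -> inside/192.168.1.77(22) hit-cnt 3 300-second interval [0x72adbc92, 0x0]
Mar 11 2014 23:34:30: %ASA-6-106100: access-list internet_in denied tcp outside/198.51.100.9(41234) -> inside/192.168.1.135(50731) hit-cnt 1 first hit [0x72adbc92, 0x0]
"""
SAMPLE_XLATE = """\
3 in use, 9 most used
TCP PAT from inside:192.168.1.135/50727 to outside:50.165.144.4/50727 flags ri idle 0:00:15 timeout 0:05:00
TCP PAT from inside:192.168.1.135/50731 to outside:50.165.144.4/50731 flags ri idle 0:01:02 timeout 0:05:00
UDP PAT from inside:192.168.1.135/60123 to outside:50.165.144.4/60123 flags ri idle 0:00:40 timeout 0:05:00
"""

ACL_HIT_RE = re.compile(
    r"^(?P<ts>.*?): %ASA-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>\w+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>\w+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+)"
)
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) PAT from (?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+) "
    r"to (?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+) "
    r"flags (?P<flags>\S+) idle (?P<idle>[\d:]+) timeout (?P<timeout>[\d:]+)"
)

# Ports on which the remote host is the server side: a packet sourced from one
# of these towards a high inside port is a reply, not a new session. Assumed
# list: the well-known range plus the non-standard ports named in the thread.
EXTRA_SERVICE_PORTS = {2525, 3389}

def is_service_port(port: int) -> bool:
    return port < 1024 or port in EXTRA_SERVICE_PORTS

@dataclass(frozen=True)
class AclHit:
    ts: str
    acl: str
    action: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

XlateKey = Tuple[str, str, int]  # (proto, inside ip, inside port)

def parse_acl_hits(text: str) -> List[AclHit]:
    hits = []
    for line in text.splitlines():
        m = ACL_HIT_RE.match(line)
        if m:
            hits.append(AclHit(m["ts"], m["acl"], m["action"], m["proto"].lower(),
                               m["src_ip"], int(m["src_port"]),
                               m["dst_ip"], int(m["dst_port"])))
    return hits

def parse_xlates(text: str) -> Dict[XlateKey, dict]:
    """Index PAT entries by the inside 3-tuple, which is what a 106100 message
    reports once the ASA has untranslated the destination."""
    table: Dict[XlateKey, dict] = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if m:
            key = (m["proto"].lower(), m["in_ip"], int(m["in_port"]))
            table[key] = {"out_ip": m["out_ip"], "out_port": int(m["out_port"]),
                          "flags": m["flags"], "idle": m["idle"], "timeout": m["timeout"]}
    return table

def classify(hit: AclHit, xlates: Dict[XlateKey, dict]) -> str:
    """The ACL is bypassed by a conn entry, never by an xlate alone, so a reply
    arriving after the conn is gone is untranslated and then denied."""
    if hit.action != "denied":
        return "permitted"
    if (hit.proto, hit.dst_ip, hit.dst_port) not in xlates:
        return "unsolicited"      # no inside host ever used this mapping
    if is_service_port(hit.src_port) and not is_service_port(hit.dst_port):
        return "late_return"      # server reply to a PAT session with no live conn
    return "pat_port_hit"         # mapping exists but the sender is not the server side

def triage(syslog_text: str, xlate_text: str) -> Tuple[List[Tuple[AclHit, str]], Dict[str, int]]:
    xlates = parse_xlates(xlate_text)
    verdicts = [(h, classify(h, xlates)) for h in parse_acl_hits(syslog_text)]
    summary: Dict[str, int] = {}
    for _, verdict in verdicts:
        summary[verdict] = summary.get(verdict, 0) + 1
    return verdicts, summary

if __name__ == "__main__":
    results, counts = triage(SAMPLE_SYSLOG, SAMPLE_XLATE)
    for hit, verdict in results:
        print(f"{hit.ts} {hit.proto} {hit.src_ip}:{hit.src_port} -> "
              f"{hit.dst_ip}:{hit.dst_port} {verdict}")
    print(counts)  # late_return denies call for "show conn", not an ACL change
```

Denies labelled `late_return` are the ones to check with `show conn` for the inside host at the time of the log entry: if no conn exists, the deny is the ASA behaving as designed and the user-visible symptom has to be looked for elsewhere; `unsolicited` entries are the real inbound attempts that `internet_in` is meant to block.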
