Cisco Support Community
New Member

ASA Access-List Denies TCP Response (established) traffic even though XLATE exists

Good Evening,

Recently, I'm having difficulty with my home office connectivity.  I have a 5510 ASA configured for dynamic PAT using the outside interface.  The setup is pretty basic, but I've noticed that HTTP/HTTPS traffic is getting denied coming back into the network even though an XLATE exists:

Mar 11 2014 23:32:16: %ASA-6-106100: access-list internet_in denied tcp outside/ -> inside/ hit-cnt 1 first hit [0x72adbc92, 0x0]
fis-inet-fw01# show xlate | inc 50727
TCP PAT from inside: to outside: flags ri idle 0:00:15 timeout 0:05:00

If I'm reading this correctly, the "return" traffic is being denied by ACL, but a valid XLATE exists which should permit the traffic.  I'm sure I've missed something simple, but I'm having trouble finding it.

Full config below:

*****# show run
: Saved
ASA Version 9.1(3)
hostname *****
domain-name *****
enable password ***** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ***** encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
boot system disk0:/asa913-k8.bin
boot system disk0:/asa912-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name *****
object network *****
access-list inside_in extended permit tcp any4
access-list inside_in extended permit ip any4
access-list inside_in extended permit icmp any any
access-list internet_in extended permit tcp any object ***** eq 32400
access-list internet_in extended permit icmp any any
access-list internet_in extended deny ip any any log
pager lines 24
logging enable
logging timestamp
logging buffer-size 12000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit inside
icmp permit inside
asdm image disk0:/asdm-714.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network *****
 nat (inside,outside) static interface service tcp 32400 32400
nat (inside,outside) after-auto source dynamic any interface
access-group internet_in in interface outside
access-group inside_in in interface inside
route inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:30:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username ***** password ***** encrypted privilege 15
username ***** password ***** encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class-default
  user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
: end


VIP Purple

At least you are looking at the wrong log entries. You are talking about HTTP/HTTPS, but the dropped-packet log is for POP3. So perhaps the problem is somewhere else.
New Member

Karsten, Thanks for the reply
Thanks for the reply.  I actually see denied packets for HTTP (80), HTTPS (443), POP3 (110), DNS (UDP53), SMTP (2525), RDP (3389), and other protocols.  In each case, if I do a "show xlate" command, I find a PAT xlate in the xlate table that should allow return traffic to come through.

It seems as if the ACL is not respecting the existing XLATE when determining whether or not to allow return traffic.
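An added triage script, not part of the thread or of either poster's reply: on the ASA, a packet that matches an existing entry in the connection table is forwarded as return traffic without being evaluated against the interface ACL, while a packet with no conn entry is treated as a new connection and is checked against the ACL whether or not an xlate for the inside endpoint still exists (after a conn is torn down, the xlate lingers until its own timeout, here pat-xlate 0:05:00). The script parses %ASA-6-106100 lines together with show conn and show xlate output and labels each deny as "a conn still exists" (worth escalating), "only the xlate is left" (the conn was already closed) or "no state at all" (unsolicited), so the cases can be separated before digging further. The log lines and table rows are constructed with RFC 5737 addresses in the shape of the output quoted above; the script assumes, as ASA 8.3 and later do, that the 106100 message shows the inside host's real (untranslated) address and port.

```python
"""Triage ASA %ASA-6-106100 denies against the conn and xlate tables.

Added example, not code from the thread. All sample data below is constructed
(RFC 5737 addresses) in the shape of the syslog / show-command output the post
quotes; substitute real 'show logging', 'show conn' and 'show xlate' output.
"""
import re

# --- constructed sample input -------------------------------------------------
SYSLOG = """\
Mar 11 2014 23:32:16: %ASA-6-106100: access-list internet_in denied tcp outside/203.0.113.5(110) -> inside/192.168.10.20(50727) hit-cnt 1 first hit [0x72adbc92, 0x0]
Mar 11 2014 23:32:20: %ASA-6-106100: access-list internet_in denied tcp outside/203.0.113.7(443) -> inside/192.168.10.20(50801) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Mar 11 2014 23:32:25: %ASA-6-106100: access-list internet_in denied tcp outside/198.51.100.9(3389) -> inside/192.168.10.20(50990) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
"""

# 'show conn' at the time of the denies: only the 443 flow is still open.
SHOW_CONN = """\
TCP outside 203.0.113.7:443 inside 192.168.10.20:50801, idle 0:00:03, bytes 8812, flags UIO
TCP outside 203.0.113.11:80 inside 192.168.10.20:51000, idle 0:00:01, bytes 1200, flags UIO
"""

# 'show xlate': PAT entries outlive their conns until the pat-xlate timeout.
SHOW_XLATE = """\
TCP PAT from inside:192.168.10.20/50727 to outside:198.51.100.2/50727 flags ri idle 0:00:15 timeout 0:05:00
TCP PAT from inside:192.168.10.20/50801 to outside:198.51.100.2/50801 flags ri idle 0:00:03 timeout 0:05:00
"""

# 106100 also reports 'permitted' and 'est-allowed'; we only triage denies.
DENY_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\w+) (?P<src_if>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<if_a>\w+) (?P<ip_a>[\d.]+):(?P<port_a>\d+) "
    r"(?P<if_b>\w+) (?P<ip_b>[\d.]+):(?P<port_b>\d+),"
)
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<real_if>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) "
    r"to (?P<map_if>\w+):(?P<map_ip>[\d.]+)/(?P<map_port>\d+)"
)


def parse_conns(text):
    """Return the set of open connections as direction-agnostic endpoint pairs."""
    conns = set()
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            a = (m["ip_a"], int(m["port_a"]))
            b = (m["ip_b"], int(m["port_b"]))
            conns.add(frozenset([a, b]))
    return conns


def parse_xlates(text):
    """Map each real (inside) ip:port to its mapped (outside) ip:port."""
    xlates = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if m:
            real = (m["real_ip"], int(m["real_port"]))
            xlates[real] = (m["map_ip"], int(m["map_port"]))
    return xlates


def triage(syslog, show_conn, show_xlate):
    """Label every 106100 deny: CONN_EXISTS, XLATE_ONLY or NO_STATE.

    CONN_EXISTS: an open conn covers this 5-tuple, so the packet should have been
                 handled by the conn table, not the ACL; escalate (asymmetric path,
                 failed TCP state check, ...).
    XLATE_ONLY:  no conn, but the inside endpoint still holds a PAT xlate; the conn
                 was already torn down and the packet was evaluated as new traffic.
    NO_STATE:    neither conn nor xlate; unsolicited traffic denied as intended.
    """
    conns = parse_conns(show_conn)
    xlates = parse_xlates(show_xlate)
    results = {}
    for line in syslog.splitlines():
        m = DENY_RE.search(line)
        if not m or m["action"] != "denied":
            continue
        remote = (m["src"], int(m["sport"]))
        local = (m["dst"], int(m["dport"]))
        key = f"{m['proto']} {remote[0]}:{remote[1]}->{local[0]}:{local[1]}"
        if frozenset([remote, local]) in conns:
            results[key] = "CONN_EXISTS"
        elif local in xlates:
            results[key] = "XLATE_ONLY"
        else:
            results[key] = "NO_STATE"
    return results


if __name__ == "__main__":
    for flow, verdict in triage(SYSLOG, SHOW_CONN, SHOW_XLATE).items():
        print(f"{verdict:12} {flow}")
```

Only the CONN_EXISTS class contradicts the expected ASA behaviour; XLATE_ONLY denies are the normal result of late packets (server-side FIN or retransmission) arriving after the conn has been closed, and they are distinguishable from real trouble only by correlating with the conn table, not with show xlate alone.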
