Cisco ASA 5510 – Implicit Deny Dropping Traffic Despite Permit Any ACL

Tags: access-control, cisco-asa, network-access

I'm trying to allow VPN access through a specific public IP address on our company ASA. The ASA is currently configured with a /29 public IP address as follows:

Interface Ethernet0/0 "outside"
IP address xx.xx.xx.218, subnet mask 255.255.255.248

The https port on .218 is used for a web server inside the network, so I would like to use .219 for the web VPN instead.

However, packet tracer reports that it is dropping https packets to .219 based on the implicit deny rule for the outside interface.

I put in a temporary ACL to allow all traffic from my home IP address:

access-list outside_in line 1 extended permit ip host xx.xx.108.109 host xx.xx.xx.219 any

Re-running the packet tracer command shows that https traffic from xx.xx.108.109 is still being dropped by the implicit deny.

#packet-tracer input outside tcp xx.xx.108.109 https xx.xx.xx.219 https detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   xx.xx.xx.216   255.255.255.248 outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab839048, priority=111, domain=permit, deny=true
        hits=39497, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any insight into this problem would be great. I don't understand why it is blocking any traffic from xx.xx.108.109, as it should be passed by the first ACL on that interface. Am I missing something?

Sanitized ASA running-config:

: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
:
ASA Version 8.2(5)59
!
hostname ***
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xx.xx.xx.218 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.100.0.2 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif guest-access
 security-level 10
 ip address 192.168.169.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 security-level 20
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ***.local
object-group network blocked-nets
 network-object ChinaBlock-211.95.0.0 255.255.0.0
 network-object ChinaBlock-211.94.0.0 255.255.0.0
 network-object ChinaBlock-211.93.0.0 255.255.0.0
 network-object ChinaBlock-211.92.0.0 255.255.0.0
 network-object ChinaBlock-211.97.0.0 255.255.0.0
 network-object ChinaBlock-211.91.0.0 255.255.0.0
 network-object ChinaBlock-211.96.0.0 255.255.0.0
 network-object ChinaBlock-211.90.0.0 255.255.0.0
 network-object SwedenBlock-212.214.70.0 255.255.255.0
 network-object 189.0.0.0 255.0.0.0
 network-object 221.0.0.0 255.0.0.0
 network-object 59.0.0.0 255.0.0.0
 network-object 124.0.0.0 255.0.0.0
 network-object 58.0.0.0 255.0.0.0
 network-object 219.0.0.0 255.0.0.0
 network-object 203.0.0.0 255.0.0.0
 network-object 202.0.0.0 255.0.0.0
 network-object 220.0.0.0 255.0.0.0
 network-object 211.0.0.0 255.0.0.0
 network-object 213.0.0.0 255.0.0.0
 network-object 212.0.0.0 255.0.0.0
 network-object 222.0.0.0 255.0.0.0
 network-object 200.0.0.0 255.0.0.0
 network-object 201.0.0.0 255.0.0.0
 network-object 195.0.0.0 255.0.0.0
 network-object 194.0.0.0 255.0.0.0
 network-object 193.0.0.0 255.0.0.0
 network-object 190.0.0.0 255.0.0.0
 network-object 62.0.0.0 255.0.0.0
 network-object 61.0.0.0 255.0.0.0
 network-object 60.0.0.0 255.0.0.0
 network-object 89.0.0.0 255.0.0.0
 network-object 88.0.0.0 255.0.0.0
 network-object 87.0.0.0 255.0.0.0
 network-object 86.0.0.0 255.0.0.0
 network-object 85.0.0.0 255.0.0.0
 network-object 84.0.0.0 255.0.0.0
 network-object 83.0.0.0 255.0.0.0
 network-object 82.0.0.0 255.0.0.0
 network-object 81.0.0.0 255.0.0.0
 network-object 80.0.0.0 255.0.0.0
access-list inside_out extended permit tcp host 10.1.1.32 host 192.168.49.17 eq 3389
access-list inside_out extended permit icmp any any
access-list inside_out extended deny ip any 192.168.49.0 255.255.255.0
access-list inside_out extended permit tcp any any eq www
access-list inside_out extended permit tcp any any eq https
access-list inside_out extended permit tcp any any eq ftp
access-list inside_out extended permit tcp any any eq pop3
access-list inside_out extended permit tcp any any eq smtp
access-list inside_out extended permit udp any any eq domain
access-list inside_out extended permit udp any any eq ntp
access-list inside_out extended permit tcp any any eq 3389
access-list inside_out extended permit tcp any any eq 465
access-list inside_out extended permit tcp any any eq 995
access-list inside_out extended permit tcp any any eq 993
access-list inside_out extended permit tcp host 10.1.1.15 any eq www
access-list inside_out extended permit udp host 10.1.1.15 any eq domain
access-list inside_out extended permit ip 10.1.1.0 255.255.255.0 client_vpn-10.1.50.0 255.255.255.0
access-list inside_out extended permit udp host 10.1.1.2 any eq time
access-list inside_out extended permit tcp any any eq 3334
access-list inside_out extended permit udp any any eq 3334
access-list inside_out extended permit tcp host 10.1.1.12 any eq 2847
access-list inside_out extended permit tcp host 10.1.1.14 any eq ssh
access-list inside_out extended permit tcp host 10.1.1.14 any eq telnet
access-list inside_out extended permit tcp host 10.1.1.14 any eq smtp
access-list inside_out extended permit tcp host 10.1.1.25 any eq 3389
access-list inside_out extended permit udp host 10.1.1.14 any eq snmp
access-list inside_out extended permit udp any any eq isakmp
access-list inside_out extended permit udp any any eq 4500
access-list inside_out extended permit udp host 10.1.1.11 any eq ntp
access-list inside_out extended permit udp host 10.1.1.11 any eq domain
access-list inside_out extended permit tcp any any eq 81
access-list inside_out extended deny udp host 10.1.1.11 any eq snmp log disable
access-list inside_out extended permit tcp any any eq 3390
access-list inside_out extended permit tcp any any eq 23111
access-list inside_out extended permit ip any 10.1.6.0 255.255.255.0
access-list inside_out extended permit ip host 10.100.3.10 any
access-list inside_out extended permit tcp any any eq 8443
access-list inside_out extended permit tcp any any eq 23038
access-list inside_out extended permit tcp any any eq 9506
access-list inside_out extended permit tcp any any eq 9516
access-list inside_out extended permit tcp any any range 42001 42004
access-list inside_out extended permit tcp any any eq 9965
access-list inside_out extended permit tcp any any eq citrix-ica
access-list inside_out extended permit ip any 10.1.7.0 255.255.255.0
access-list inside_out extended permit ip any 192.168.30.0 255.255.255.0
access-list inside_out extended permit ip any 192.168.20.0 255.255.255.0
access-list inside_out extended permit tcp any any eq 9922
access-list inside_out extended permit tcp any any eq 2021
access-list inside_out extended permit tcp any any eq imap4
access-list inside_out extended permit tcp any any eq 587
access-list inside_out extended permit tcp any any object-group accenthealth-tcp
access-list inside_out extended permit tcp host exch-db-01-10.1.1.27 any eq smtp
access-list inside_out extended permit tcp any any eq 50
access-list inside_out extended permit tcp host 10.100.0.10 any eq 873
access-list inside_out extended permit tcp host 10.100.0.10 any eq ssh
access-list inside_out extended deny udp any any eq snmp log disable
access-list inside_out extended permit ip any 10.50.106.0 255.255.255.0
access-list inside_out extended permit ip 10.1.1.0 255.255.255.0 172.16.96.0 255.255.255.0
access-list inside_out extended permit tcp host 10.1.8.128 any eq telnet
access-list outside_in extended permit tcp host hh.hh.108.109 host xx.xx.xx.219 eq https
access-list outside_in extended permit ip host hh.hh.108.109 any
access-list outside_in extended deny ip object-group blocked-nets any log disable
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit tcp any host xx.xx.xx.218 eq https
access-list outside_in extended permit ip 10.50.106.0 255.255.255.0 any
access-list outside_in extended permit ip 172.16.96.0 255.255.255.0 any log debugging
access-list outside_in extended permit ip host 199.91.140.80 any
access-list outside_in extended permit ip host 70.115.144.28 any
access-list ipsec-gts extended permit ip 10.1.1.0 255.255.255.0 192.168.49.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 client_vpn-10.1.50.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 SSLVPN_Client-10.1.51.0 255.255.255.0
access-list no_nat extended permit ip host 10.1.1.14 host 66.106.106.202
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.50.191.0 255.255.255.0
access-list no_nat extended permit ip 10.100.0.0 255.255.0.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.2.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip host 10.1.1.42 192.168.169.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 client_vpn-10.1.50.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 192.168.20.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip host 192.168.1.11 10.20.2.0 255.255.255.0
access-list no_nat extended permit ip host 10.1.1.36 10.20.2.0 255.255.255.0
access-list no_nat extended permit ip host 10.1.1.29 10.20.2.0 255.255.255.0
access-list no_nat extended permit ip host 192.168.1.48 10.20.2.0 255.255.255.0
access-list no_nat extended permit ip host 192.168.1.11 10.20.4.0 255.255.255.0
access-list no_nat extended permit ip host 10.1.1.36 10.20.4.0 255.255.255.0
access-list no_nat extended permit ip host 10.1.1.29 10.20.4.0 255.255.255.0
access-list no_nat extended permit ip host 192.168.1.48 10.20.4.0 255.255.255.0
access-list no_nat extended permit ip 10.1.7.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 192.168.49.0 255.255.255.0
access-list no_nat extended permit ip 192.168.30.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.8.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list IPSEC_VPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list IPSEC_VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list guest-access extended permit tcp any host 10.1.1.42 eq https
access-list guest-access extended permit tcp any host 10.1.1.41 eq https
access-list guest-access extended deny ip any 10.0.0.0 255.0.0.0
access-list guest-access extended permit icmp any any
access-list guest-access extended permit udp any any eq domain
access-list guest-access extended permit udp any any eq ntp
access-list guest-access extended permit udp any any eq 4500
access-list guest-access extended permit udp any any eq isakmp
access-list guest-access extended permit gre any any
access-list guest-access extended permit tcp any any eq pptp
access-list guest-access extended permit tcp any any eq www
access-list guest-access extended permit tcp any any eq https
access-list guest-access extended permit tcp any any eq ftp
access-list guest-access extended permit tcp any any eq 8080
access-list guest-access extended permit tcp any any eq 8443
access-list guest-access extended permit tcp any any eq 995
access-list guest-access extended permit tcp any any eq 993
access-list guest-access extended permit tcp any any eq 587
access-list guest-access extended permit tcp any any eq 3390
access-list guest-access extended permit tcp any any eq 3389
access-list guest-access extended permit tcp any any eq smtp
access-list guest-access extended permit tcp any any eq pop3
access-list guest-access extended permit tcp any any eq imap4
access-list 1 extended permit ip any host 10.100.3.10
access-list 1 extended permit ip host 10.100.3.10 any
access-list tcp-traffic extended permit tcp any any
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap warnings
logging history errors
logging asdm warnings
logging host inside 10.1.1.14
no logging message 313001
mtu outside 1500
mtu inside 1500
mtu guest-access 1500
ip local pool client_vpn 10.1.50.1-10.1.50.254
ip local pool SSLVPN_Client 10.1.51.1-10.1.51.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 ww.ww.ww.178
global (outside) 3 xx.xx.xx.219
nat (inside) 0 access-list no_nat
nat (inside) 2 access-list hca-nat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 10.1.7.0 255.255.255.0
nat (inside) 1 10.1.8.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
nat (inside) 1 192.168.30.0 255.255.255.0
nat (inside) 1 10.100.0.0 255.255.0.0
nat (guest-access) 3 192.168.169.0 255.255.255.0
static (inside,outside) tcp interface https 10.1.1.42 https netmask 255.255.255.255  dns
static (inside,outside) tcp interface 8080 10.100.3.10 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.1.1.20 3389 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.220 10.1.1.17 netmask 255.255.255.255
static (inside,outside) yy.yy.216.214 10.1.1.27 netmask 255.255.255.255 dns
static (inside,outside) zz.zz.216.210 192.168.1.32 netmask 255.255.255.255 dns
access-group outside_in in interface outside
access-group inside_out in interface inside
access-group guest-access in interface guest-access
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.217 1
route inside 10.1.1.0 255.255.255.0 10.100.0.1 1
route inside 10.1.2.0 255.255.255.0 10.100.0.3 1
route inside 10.1.7.0 255.255.255.0 10.100.0.3 1
route inside 10.1.8.0 255.255.255.0 10.100.0.3 1
route inside 10.100.0.0 255.255.0.0 10.100.0.1 1
route inside 192.168.1.0 255.255.255.0 10.100.0.1 1
route inside 192.168.20.0 255.255.255.0 10.100.0.3 1
route inside 192.168.30.0 255.255.255.0 10.100.0.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.14
 key *****
http server enable
http 10.1.8.128 255.255.255.255 inside
snmp-server host inside 10.1.1.14 poll community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.1.8.128 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd dns 24.93.41.125 24.93.41.126
dhcpd ping_timeout 750
dhcpd domain mydomain.local
!
dhcpd address 192.168.169.50-192.168.169.250 guest-access
dhcpd enable guest-access
!
priority-queue outside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.7.1.66 source outside prefer
ntp server 209.184.112.199 source outside prefer
ntp server 192.5.41.209 source outside prefer
ssl trust-point localtrust outside
webvpn
 port 444
 enable outside
 dtls port 444
 svc image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLVPN_Client internal
group-policy SSLVPN_Client attributes
 dns-server value 10.1.1.32 10.1.1.14
 vpn-tunnel-protocol svc webvpn
 default-domain value xxx.com
 address-pools value SSLVPN_Client
 webvpn
  url-list none
  svc ask enable default webvpn timeout 10
group-policy IPSEC_VPN internal
group-policy IPSEC_VPN attributes
 dns-server value 10.1.1.14 10.1.1.32
 vpn-tunnel-protocol IPSec
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IPSEC_VPN_splitTunnelAcl
 default-domain value ***.com
!
class-map Data2
class-map Voice
 match access-list 1
class-map all-other
 match access-list tcp-traffic
class-map inspection_default
 match default-inspection-traffic
class-map Data
 match tunnel-group xx.xx.xx.214
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
policy-map Voicepolicy
 class Voice
  priority
 class Data
 class Data2
 class all-other
  police output 19500000
!
service-policy global_policy global
service-policy Voicepolicy interface outside
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d0c626b4c84c07f131a329fbd87d5a76
: end
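
The question rests on how an ASA evaluates an interface ACL: top-down, first matching ACE wins, and an implicit deny sits at the end. The evaluator below is an added example (not part of the question, the answer, or any Cisco tool) that parses a few ASA-style `extended` ACEs and walks a 5-tuple through them the same way, so the expected verdict for a given flow can be checked against what `packet-tracer` reports. The ACL text is modelled on the `outside_in` lines above but uses constructed RFC 5737 documentation addresses (198.51.100.109 for the home IP, 203.0.113.218/.219 for the public /29) in place of the masked octets; the `blocked-nets` group is shortened to two constructed members, the service-name table is abbreviated, and a sixth, deliberately redundant ACE is appended to show the shadowing check. Run on the flow from the question, it returns "permit, line 1", so the implicit-deny verdict is not explained by the ACL text itself, which is consistent with the accepted answer fixing the NAT configuration for .219 rather than the ACL.

```python
import ipaddress

# Constructed sample ACL (documentation addresses, not the poster's real ones).
# Line 6 is an added, redundant ACE so that shadowed() has something to report.
OUTSIDE_IN = """
access-list outside_in extended permit tcp host 198.51.100.109 host 203.0.113.219 eq https
access-list outside_in extended permit ip host 198.51.100.109 any
access-list outside_in extended deny ip object-group blocked-nets any log disable
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any host 203.0.113.218 eq https
access-list outside_in extended permit tcp host 198.51.100.109 host 203.0.113.218 eq https
"""

# Constructed, shortened stand-in for the object-group in the running-config.
OBJECT_GROUPS = {"blocked-nets": ["211.95.0.0/16", "189.0.0.0/8"]}

# Abbreviated ASA service-name table (assumption: only the names used here).
SERVICES = {"https": 443, "www": 80, "ssh": 22, "smtp": 25, "domain": 53, "ftp": 21}

ANY = [ipaddress.ip_network("0.0.0.0/0")]


def _port(tok):
    return int(SERVICES.get(tok, tok))


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (list of networks, next index)."""
    t = tokens[i]
    if t == "any":
        return ANY, i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if t == "object-group":
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[tokens[i + 1]]], i + 2
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}")], i + 2   # "A.B.C.D MASK" form


def _parse_ports(tokens, i):
    """Optional 'eq P' or 'range A B' after an address; default is the full port range."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return (0, 65535), i


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC [ports] DST [ports] ...' lines.
    Trailing tokens such as 'log disable' or an ICMP type are ignored."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        action, proto, i = tok[3], tok[4], 5
        src, i = _parse_addr(tok, i)
        sport, i = _parse_ports(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_ports(tok, i)
        rules.append({"line": line, "action": action, "proto": proto,
                      "src": src, "sport": sport, "dst": dst, "dport": dport})
    return rules


def _in(addr, nets):
    return any(addr in n for n in nets)


def first_match(rules, proto, src, sport, dst, dport):
    """Top-down, first matching ACE decides, as on the ASA.
    Returns (1-based ACE number, action) or (None, 'implicit deny')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(rules, 1):
        if r["proto"] not in ("ip", proto):
            continue
        if not (_in(s, r["src"]) and _in(d, r["dst"])):
            continue
        if r["sport"][0] <= sport <= r["sport"][1] and r["dport"][0] <= dport <= r["dport"][1]:
            return n, r["action"]
    return None, "implicit deny"


def _covers(a, b):
    """True if every packet matching ACE b would already have matched earlier ACE a."""
    if a["proto"] not in ("ip", b["proto"]):
        return False
    nets = lambda big, small: all(any(x.subnet_of(g) for g in big) for x in small)
    ports = lambda big, small: big[0] <= small[0] and small[1] <= big[1]
    return (nets(a["src"], b["src"]) and nets(a["dst"], b["dst"])
            and ports(a["sport"], b["sport"]) and ports(a["dport"], b["dport"]))


def shadowed(rules):
    """(unreachable ACE number, ACE that shadows it) pairs; such lines can never hit."""
    out = []
    for j in range(len(rules)):
        for i in range(j):
            if _covers(rules[i], rules[j]):
                out.append((j + 1, i + 1))
                break
    return out


if __name__ == "__main__":
    acl = parse_acl(OUTSIDE_IN)
    # The flow from the question: home IP to .219 on https.
    print(first_match(acl, "tcp", "198.51.100.109", 51515, "203.0.113.219", 443))
    print(shadowed(acl))
```

The evaluator is intentionally narrow: it handles IPv4 `extended` ACEs with `any`, `host`, `A MASK` and `object-group` address specs plus `eq`/`range` ports, and nothing else. It models only the ACL phase, so a `DROP` that `packet-tracer` attributes to the ACL while this returns a permit is a signal to look at the phases around it (routing, NAT translation for the destination address) rather than at ACE order.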

Best Answer

Thank you both for your input. I removed the global nat pool for xx.xx.xx.219, moved the web server being hosted at xx.xx.xx.218 to 219, and changed the webvpn port to 443 for standard https on 218. This has solved my problem.