I have a massive ACL that i'm dealing with and I can't seem to find what line is blocking me. Is there a way for packet-tracer to help me figure out more specifically where i'm getting blocked at?
packet-tracer input AAAA tcp 10.A.B.1 5555 10.C.D.80 PORT# d
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 AAAA
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffd9a7f9e40, priority=111, domain=permit, deny=true
hits=28704780, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=AAAA, output_ifc=AAAA
Result:
input-interface: AAAA
input-status: up
input-line-status: up
output-interface: AAAA
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Some clues that I have gathered (not sure if they are correct though)
- The drop reason indicates that a configured line is dropping the packet and not the default deny at the end
- The packet is getting denied at the output ACL on interface AAAA
- There is a id string and a hit counter but I don't know how to match that up with anything
Best Answer
Implicit Rule
andAAAA
being the in and out interface... That's called hair-pinning, and it's generally not allowed. It works on my asa, but I have the following enabled: