Firewall – Cisco ASA Implicit rule dropping traffic

ciscofirewallnat;networkingrouting

The network is as follows:

Two Default Gateways exist on the network – one which provides connectivity to the an MPLS with several subnets. Let's say 10.0.0.2

Another which is a Cisco Firewall, on 10.0.0.1, with a WAN Connection. A server exists on the LAN with it's DG as the above Cisco Firewall. On the firewall there is a route that tells says anything destined to one of the MPLS subnets (192.168.99.0/24) to go to the MPLS router (on it's LAN IP).

On the INSIDE interface, there is any Any, Any, IP allow rule (all traffic).

However, I cannot ping anything on the MPLS and the logs on the Cisco show the "Implicit" Any,Any Deny is dropping the ping traffic. It's the same for everything – HTTPs, HTTP etc.

What's missing?

Best Answer

I think the security-level should be considered. You can ping from Inside to Outside, but the echo traffic must be allowed to go back to Inside.

Related Solutions

Cisco ASA intermittently fails to see traffic

I wonder if you need to put in identity NAT configs on the ASA:

nat (inside) 0 0 0
nat (dmz) 0 0 0

Also, check the ARP tables on the ASA (show arp) and the servers to make sure they have the correct IP->hw addresses.

And check the routing tables on every device as well.

Cisco ASA and static IPv6 tunnel endpoint

I had the same problem, and I've worked it out. Your question helped me greatly, actually. The loopback tunnelling was the trick.

There were significant ASA OS changes, especially with respect to NAT, in the 8.3 release. That's what I'm running, so it's likely the syntax will not work prior to 8.3. I don't know if you could even do this prior to 8.3.

Here's how it's set up. I'll include some configuration snippets below to back this up.

As you, I have an ASA between my edge router and my internal network. I only have one publicly-addressable IPv4 address. I was able to NAT protocol 41 traffic between a specific external host and a specific internal host using the ASA's outside public IP address. The tunnel is terminated on an internal host.

The internal host has two ethernet interfaces. One, connected to the internal network, only runs IPv4. The other, connected to the same segment as the outside interface of the ASA, only runs IPv6. There is also a tunnel interface for the IPv6 tunnel. The configuration of the tunnel came directly from Hurricane Electric's web site. If you have a tunnel configured with them, they can show you detailed configuration instructions for at least 8 different operating systems.

The ASA uses the edge router's IPv4 address as it's default IPv4 route. It uses the IPv6 address of the tunnel endpoint as it's default IPv6 address. Internal hosts use the ASA as their default route for either version, except the tunnel endpoint, which uses its tunnel interface as the default for IPv6.

IPv6 packets go through the ASA twice in each direction. Out, they go through the ASA, to the tunnel endpoint where they are put into the tunnel, and out again through the ASA. Both IPv4 and IPv6 get all of the benefits of the ASA firewall.

The real trick was getting the protocol 41 traffic through the ASA. Here are the pieces that made that work:

object service 6in4
 service 41
object network ipv6_remote_endpoint
 host x.x.x.x
object network ipv6_local_endpoint
 host y.y.y.y

access-list outside_in extended permit object 6in4 object ipv6_remote_endpoint object ipv6_local_endpoint

nat (inside,outside) source static ipv6_local_endpoint interface destination static ipv6_remote_endpoint ipv6_remote_endpoint

Good luck with it!

Rob

Best Answer

Related Solutions

Cisco ASA intermittently fails to see traffic

Cisco ASA and static IPv6 tunnel endpoint

Related Topic