Is there any way to debug ASA firewall rule application?
I have created 2 simple access rules: allow any ICMP and allow any UDP.
The first one works, I can ping. The udp doesn't work. Running a trace (simulated packet) in ASDM shows that the packet is dropped by the implicit reject rule, but I don't understand why does it not match my any to any UDP rule? Can I enable logging of rule evaluation?
Here's the piece of configuration which I think is relevant (sorry, not a Cisco expert, using ASDM):
access-list Split-tunnel-ACL standard permit 10.65.0.0 255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark test
access-list outside_access_in extended permit udp host x.x.x.x host y.y.y.y
I also try any any instead of x.x.x.x and y.y.y.y no different. Packet trace says that packet is dropped by implicit deny rule on the access checking stage. The icmp rule is working.
More data:
Result of the command: "packet-tracer input outside udp x.x.x.x 5060 y.y.y.y 5060 detailed"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad31d370, priority=111, domain=permit, deny=true
hits=28380, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=outside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Result of the command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Split-tunnel-ACL; 1 elements; name hash: 0xaa04f5f3
access-list Split-tunnel-ACL line 1 standard permit xxx.xx5.0.0 255.255.0.0 (hitcnt=6240) 0x9439a34b
access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x71af81e1
access-list outside_access_in line 2 remark test
access-list outside_access_in line 3 extended permit udp host x.x.x.x host y.y.y.y (hitcnt=0) 0x9fbf7dc7
access-list inside_nat0_outbound; 4 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip object City-network object Remote-mgmt-pool 0x1c53e4c4
access-list inside_nat0_outbound line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 192.168.2.0 255.255.255.248 (hitcnt=0) 0x1c53e4c4
access-list inside_nat0_outbound line 2 extended permit ip object City-network object City2-network 0x278c6c43
access-list inside_nat0_outbound line 2 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx2.0.0 255.255.0.0 (hitcnt=0) 0x278c6c43
access-list inside_nat0_outbound line 3 extended permit ip object City-network object City1-network 0x2b77c336
access-list inside_nat0_outbound line 3 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx1.0.0 255.255.0.0 (hitcnt=0) 0x2b77c336
access-list inside_nat0_outbound line 4 extended permit ip object City-network object City3-network 0x9fdd4c28
access-list inside_nat0_outbound line 4 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx5.0.0 255.255.0.0 (hitcnt=0) 0x9fdd4c28
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 object City1-network 0x12693b9a
access-list outside_cryptomap line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx1.0.0 255.255.0.0 (hitcnt=265) 0x12693b9a
access-list inside_nat_outbound; 1 elements; name hash: 0xb64b365a
access-list inside_nat_outbound line 1 extended permit tcp object City-network any eq smtp 0x4c753adf
access-list inside_nat_outbound line 1 extended permit tcp xxx.xx5.0.0 255.255.0.0 any eq smtp (hitcnt=0) 0x4c753adf
access-list outside_cryptomap_1; 1 elements; name hash: 0x759febfa
access-list outside_cryptomap_1 line 1 extended permit ip object City-network object City-network 0x4b257004
access-list outside_cryptomap_1 line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx5.0.0 255.255.0.0 (hitcnt=0) 0x4b257004
access-list outside_cryptomap_2; 1 elements; name hash: 0x4e1c27f3
access-list outside_cryptomap_2 line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 object City4-network 0xa82be620
access-list outside_cryptomap_2 line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx3.0.0 255.255.0.0 (hitcnt=25) 0xa82be620
Your tracer is coming back with
input_ifc=outside, output_ifc=outsidebecause it has no other routing information for the destination address, and youroutside_access_inACL has hit counts of 0 on both entries; ICMP is not working, at least, not via this ACL.Definitely need to see that NAT rule (and the associated ACL if it's a policy NAT).
Is it using a dedicated address for this, or the firewall's interface address? It's not getting this far yet, but, we'll also want to confirm that the correct routing information is there to get traffic to the post-destination address, too; this will be automatic if the server's in the same subnet as the firewall's inside interface.