There are a number of cases where a firewall drops packets and causes issues in a production environment. We will use the diagram below to discuss the troubleshooting scenarios.

We should follow a step-by-step approach to troubleshoot firewall issues.

We consider the case where the firewall rules are in place but the issue is still not resolved. There could be several reasons why the ASA is dropping packets even though the rule is present.

Reason 1 – There could be a deny statement above the configured allow rule which is dropping the packet. You can try to find the rule in the running configuration, but a lot of the time the deny statement uses a bigger IP block, which is difficult to identify if you have thousands of rules in the firewall. Follow the approach below to troubleshoot the problem.

Step 1 – Use the packet-tracer command to identify how the firewall is processing the IP packet:

ciscoasa(config)# packet-tracer input <name-if of source interface> tcp <source-IP> <source-port> <destination-IP> <destination-port>

ciscoasa(config)# packet-tracer input IN tcp 10.1.1.1 1024 20.1.1.3 80

Step 2 – If packet-tracer shows a drop, identify whether it is an ACL drop (a configured deny rule matched) or a drop due to the implicit rule (no configured rule matched). If it is an ACL drop, go ahead and fix the ACL. If it is due to the implicit rule, check the points below.

Step 3 – Identify the security level of the interfaces. For example, in our case, if the inside interface has security level 100 and the DMZ interface also has security level 100, the ASA will drop the traffic until you have the command below:

ciscoasa(config)# same-security-traffic permit inter-interface

Step 4 – If you have the above command but the ASA is still dropping packets, check the basic things which can also cause the same issue.

Check whether the access-group that binds the ACL is actually applied to the interface:

ciscoasa(config)# access-group inside-access in interface INSIDE   (inside-access is the ACL name for the INSIDE interface)

Step 5 – If the issue still persists after fixing all of the above, it could be that the ASA is passing the traffic as desired and the problem is now with the web server. Validate this by capturing packets on the ASA:

ciscoasa# capture <capture-name> interface <interface-name> match ip host <SRC-IP> host <DST-IP>

ciscoasa# capture cap1 interface IN match ip host 10.1.1.1 host 20.1.1.3

ciscoasa# capture cap2 interface DMZ match ip host 10.1.1.1 host 20.1.1.3

Note – I have added captures on both the inside and DMZ interfaces. The inside interface capture shows the traffic entering the ASA, and the DMZ interface capture proves that the traffic is leaving the ASA; both captures also confirm the return traffic from the server side.
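As an added example (not part of the original post), here is a small Python parser for the packet-tracer output from Steps 1 and 2. It reports which phase dropped the packet, the drop reason, whether the implicit rule or a configured ACE matched, and which ACE it was (the broad deny from Reason 1). It assumes the phase/Result text layout shown in the constructed sample below.

```python
import re

# Constructed sample (not captured from a real device) of the output of
# "packet-tracer input IN tcp 10.1.1.1 1024 20.1.1.3 80" in the ASA's layout.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ACCESS-LIST
Result: DROP
Config:
access-group inside-access in interface IN
access-list inside-access extended deny ip 10.0.0.0 255.0.0.0 any
Additional Information:

Result:
input-interface: IN
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    # One dict per phase: its 'Key: value' headers plus the raw 'Config:' lines.
    body = text.partition("\nResult:\n")[0]  # everything before the final summary
    phases = []
    for block in re.split(r"\n(?=Phase: )", body.strip()):
        phase, in_config = {"config": []}, False
        for line in block.splitlines():
            if line.startswith("Config:"):
                in_config = True
            elif line.startswith("Additional Information:"):
                in_config = False
            elif in_config:
                phase["config"].append(line)
            elif ": " in line:
                key, val = line.split(": ", 1)
                phase[key.lower()] = val.strip()
        phases.append(phase)
    return phases

def classify_drop(text):
    # None if the packet was allowed; otherwise the dropping phase, the drop
    # reason, whether the implicit rule matched, and the matching ACE (Reason 1).
    drop = next((p for p in parse_phases(text) if p.get("result") == "DROP"), None)
    if drop is None:
        return None
    aces = [l for l in drop["config"] if l.startswith("access-list ")]
    reason = re.search(r"Drop-reason: \((\S+)\)", text)
    return {"phase": drop.get("type"), "reason": reason.group(1) if reason else None,
            "implicit_rule": any("Implicit Rule" in l for l in drop["config"]),
            "matched_ace": aces[0] if aces else None}
```

Paste the real packet-tracer output into `classify_drop` and the `matched_ace` field tells you exactly which deny line to look for in the running configuration.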

There could be several other reasons, but I have tried to add the ones I have faced most often. Please comment if you want me to add any specific cases.

Troubleshooting Access lists issue on Cisco ASA
1 Comment
Raj, 4 years ago

Thanks for the nice post!! It helps, step by step, to troubleshoot ASA ACLs.
