Content created by Rene Molenaar (CCIE #41726)



Notable Replies

  1. hello Rene, a question about ACL
    if I read an acl written in this way:
    access-list 100 permit ip host 131.108.1.1 any....
    the keyword "any" means :
    " permit any packet from address 131.108.1.1 to any other address, if configured, in this router, plus 255.255.255.255 and all multicast addresses? (224.0.0.9 for rip for example)
    131.108.1.1 is for example the adjacent router on my fa 0/0... (and so I have to configure the acl inbound)
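The question in reply 1 comes down to wildcard-mask arithmetic. What follows is an added example, not code from this thread or from Cisco: a small Python model of IOS extended-ACL matching. In IOS, `host A` is shorthand for `A 0.0.0.0`, `any` is shorthand for `0.0.0.0 255.255.255.255`, and a wildcard bit of 1 means "don't care", so `permit ip host 131.108.1.1 any` matches a packet from 131.108.1.1 to 255.255.255.255 or to 224.0.0.9 just as it matches one to a unicast address. The model only answers what an ACE itself matches; which router-destined packets an inbound interface ACL is consulted for is a platform question it does not address. ACL 110 is a hypothetical entry added only to show a wildcard range and a port match next to the ACE from the question.

```python
# Added example (not from the thread): IOS-style extended ACL matching reduced
# to its wildcard-mask arithmetic.  ACL_110 below is a hypothetical entry.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def _u32(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _wild_match(addr: int, net: int, wild: int) -> bool:
    """IOS wildcard test: compare only the bits that are 0 in the wildcard."""
    care = ~wild & ALL_ONES
    return (addr & care) == (net & care)


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every IP protocol
    src: int
    src_wild: int
    sport: Optional[int]        # None = any source port
    dst: int
    dst_wild: int
    dport: Optional[int]        # None = any destination port

    def matches(self, proto: str, src: str, dst: str,
                sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not _wild_match(_u32(src), self.src, self.src_wild):
            return False
        if not _wild_match(_u32(dst), self.dst, self.dst_wild):
            return False
        if self.sport is not None and self.sport != sport:
            return False
        return self.dport is None or self.dport == dport


def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address spec at tok[i]; return (network, wildcard, next index)."""
    if tok[i] == "any":                       # any    == 0.0.0.0 255.255.255.255
        return 0, ALL_ONES, i + 1
    if tok[i] == "host":                      # host A == A 0.0.0.0
        return _u32(tok[i + 1]), 0, i + 2
    return _u32(tok[i]), _u32(tok[i + 1]), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Optional numeric 'eq <port>' after an address spec (other operators not handled)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, src_wild, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, dst_wild, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    if i != len(tok):
        raise ValueError(f"unsupported trailing tokens: {tok[i:]}")
    return Ace(tok[2], tok[3], src, src_wild, sport, dst, dst_wild, dport)


class Acl:
    """Ordered entries, first match wins, implicit 'deny ip any any' at the end."""

    def __init__(self, lines: List[str]):
        self.aces = [parse_ace(ln) for ln in lines if ln.strip()]

    def lookup(self, proto: str, src: str, dst: str,
               sport: Optional[int] = None, dport: Optional[int] = None) -> str:
        for ace in self.aces:
            if ace.matches(proto, src, dst, sport, dport):
                return ace.action
        return "deny"


# The ACE from the question, plus a hypothetical wildcard/port entry for contrast.
ACL_100 = Acl(["access-list 100 permit ip host 131.108.1.1 any"])
ACL_110 = Acl(["access-list 110 permit tcp 10.1.0.0 0.0.255.255 host 192.168.3.3 eq 23"])

if __name__ == "__main__":
    print(ACL_100.lookup("udp", "131.108.1.1", "224.0.0.9", 520, 520))      # permit (RIP)
    print(ACL_100.lookup("ip", "131.108.1.1", "255.255.255.255"))           # permit
    print(ACL_100.lookup("ip", "131.108.1.2", "224.0.0.9"))                 # deny (implicit)
    print(ACL_110.lookup("tcp", "10.1.200.7", "192.168.3.3", 40000, 23))    # permit
    print(ACL_110.lookup("tcp", "10.1.200.7", "192.168.3.3", 40000, 22))    # deny
```

The matcher deliberately mirrors how the router evaluates an ACE: address bits under a wildcard 1 are ignored, the protocol keyword `ip` is a superset of `tcp`/`udp`/`icmp`, and anything not matched by an entry falls through to the implicit deny.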

  2. johxxn says:

    Hi Rene,

    I have that too, R2 points to the ASA, but the lab did not work for me. I think it is a static NAT issue because the ASA drops the packet due to rpf-check. Here is a packet tracer from the ASA

    ciscoasa# packet-tracer input OUTSIDE tcp 192.168.2.2 23 192.168.3.3 23
    
    Phase: 1
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.3.0     255.255.255.0   DMZ
    
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group OUTSIDE_INBOUND in interface OUTSIDE
    access-list OUTSIDE_INBOUND extended permit tcp any host 192.168.3.3 eq telnet 
    Additional Information:
    
    Phase: 4
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    object network WEB_SERVER
     nat (DMZ,OUTSIDE) static 192.168.2.200
    Additional Information:
    
    Result:
    input-interface: OUTSIDE
    input-status: up
    input-line-status: up
    output-interface: DMZ
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
  3. Hi John,

    That makes sense :) In my example I didn't have NAT configured...just the IP addresses and security levels on the ASA, that's it.

    Rene

  4. Hi Asi,

    Here's a good document from Cisco that explains the "order of operation" for the ASA:

    Cisco ASA Packet Flow

    The packet tracer tool on the ASA is also great to answer this question. For example:

    ASA# packet-tracer input INSIDE tcp 192.168.1.1 50001 1.2.3.4 80

    This will show us the packet flow for a host that is using IP address 192.168.1.1 and that wants to connect to TCP port 80 on 1.2.3.4. Here's the result:

    Phase: 1
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: Resolve Egress Interface
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop 10.10.10.1 using egress ifc  OUTSIDE
    
    Phase: 3
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    object network INSIDE
     nat (INSIDE,OUTSIDE) dynamic interface
    Additional Information:
    Dynamic translate 192.168.1.1/50001 to 10.10.10.254/50001
    
    Phase: 4
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    
    Phase: 5
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    
    Phase: 6
    Type: SFR
    Subtype: 
    Result: ALLOW
    Config:
    class-map SFR
     match access-list SFR_REDIRECT
    policy-map global_policy
     class SFR
      sfr fail-open
    service-policy global_policy global
    Additional Information:
    
    Phase: 7
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    
    Phase: 8
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    
    Phase: 9
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:       
    Additional Information:
    New flow created with id 1017213, packet dispatched to next module

    You can see that the access-list is checked BEFORE NAT is applied. If your packet doesn't match the access-list then it will be dropped before NAT translation occurs.

    Hope this helps.

    Rene
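Both traces in this thread (John's rpf-check drop and Rene's inside-to-outside flow) are the same text format, and when you are chasing an order-of-operations question it helps to have the phases and the first DROP pulled out mechanically. The following is an added example, not code from this thread or from Cisco: a parser for `packet-tracer` output that records each phase in order and reports the first phase whose Result is DROP together with the configuration that phase cites. SAMPLE_TRACE is constructed, modelled on John's output but shortened to three phases, so its phase numbers are not John's. The point it makes is the one Rene raises: in John's trace the interface access-list phase returns ALLOW and the later NAT rpf-check phase returns DROP, so the generic Drop-reason text at the end (acl-drop) is not enough on its own; the phase that actually returned DROP is what to read.

```python
# Added example (not from the thread): parse ASA packet-tracer output and
# report the phase order and the first DROP.  SAMPLE_TRACE is constructed,
# modelled on the rpf-check drop John posted above (shortened, renumbered).
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.0     255.255.255.0   DMZ

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_INBOUND in interface OUTSIDE
access-list OUTSIDE_INBOUND extended permit tcp any host 192.168.3.3 eq telnet
Additional Information:

Phase: 3
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network WEB_SERVER
 nat (DMZ,OUTSIDE) static 192.168.2.200
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""                          # ALLOW or DROP
    config: List[str] = field(default_factory=list)
    info: List[str] = field(default_factory=list)

    def label(self) -> str:
        return f"{self.type}/{self.subtype}" if self.subtype else self.type


@dataclass
class Trace:
    phases: List[Phase]
    action: str                               # final "Action:" value
    drop_reason: Optional[str]

    def first_drop(self) -> Optional[Phase]:
        return next((p for p in self.phases if p.result == "DROP"), None)

    def explain(self) -> str:
        """Where the packet died and which phases it had already passed."""
        names = [p.label() for p in self.phases]
        d = self.first_drop()
        if d is None:
            return "allowed; phases: " + ", ".join(names)
        passed = ", ".join(names[: self.phases.index(d)])
        return f"dropped at phase {d.number} ({d.label()}) after passing: {passed}"


def parse_packet_tracer(text: str) -> Trace:
    phases: List[Phase] = []
    cur: Optional[Phase] = None
    section = None                            # "config" / "info" inside a phase
    action, drop_reason = "", None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        if m:
            cur, section = Phase(int(m.group(1))), None
            phases.append(cur)
        elif line == "Result:":               # bare "Result:" opens the summary
            cur, section = None, None
        elif cur is None:
            if line.startswith("Action:"):
                action = line.split(":", 1)[1].strip()
            elif line.startswith("Drop-reason:"):
                drop_reason = line.split(":", 1)[1].strip()
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, val = line.split(":", 1)
            setattr(cur, key.lower(), val.strip())
            section = None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif line and section in ("config", "info"):
            getattr(cur, section).append(line)
    return Trace(phases, action, drop_reason)


if __name__ == "__main__":
    t = parse_packet_tracer(SAMPLE_TRACE)
    print(t.explain())
    print("config of dropping phase:", t.first_drop().config)
    print("drop reason:", t.drop_reason)
```

Usage: capture the output of `packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport>` as shown in the posts above, pass the text to `parse_packet_tracer()`, and read `explain()` and `first_drop().config`. For John's case that points straight at the `nat (DMZ,OUTSIDE) static` rule rather than at the access-list the Drop-reason line seems to blame.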
