Cisco ASA (acl-drop) Flow is Denied by Configured Rule

KB ID 0001108 

Problem

Packet-tracer is a brilliant troubleshooting tool, but sometimes interpreting the output proves to be more difficult than actually fixing the problem.

If your output fails at the access-list section this is the sort of thing you will see;

[box]

Petes-ASA# packet-tracer input inside tcp 10.2.2.10 80 123.123.123.123 80
----Output removed for the sake of brevity---

Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

[/box]

Solution

1. Re-run the packet-tracer and append the keyword ‘detailed’ on the end.

[box] Petes-ASA# packet-tracer input inside tcp 10.2.2.10 80 123.123.123.123 80 detailed [/box]

2. At this point, if you are being specifically blocked by a ‘deny’ rule, it should tell you, like so;

[box]

Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outbound in interface inside <--
access-list outbound extended deny ip any any <--
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbb9ba040, priority=13, domain=permit, deny=true
	hits=0, user_data=0xb94669e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
	input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

[/box]

3. Or you may see output like the following; this indicates you are being denied by the ‘implicit rule’.

[box]

Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule <--
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbc057320, priority=11, domain=permit, deny=true
	hits=8, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
	input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

[/box]
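To take the guesswork out of reading this output, here is an added example (my own Python, not code from the article or from Cisco) that parses a packet-tracer transcript and classifies an (acl-drop) result the way steps 1 to 3 do: no ACE shown (re-run with ‘detailed’), an explicit deny ACE, or the Implicit Rule. The sample transcripts are constructed from the article's output, trimmed to the ACCESS-LIST phase and the Result fields the classifier reads; the function and field names are my own.

```python
# Added example, not from the article: a small parser for the text printed by
# "packet-tracer ... detailed", plus a classifier that turns an (acl-drop)
# result into "explicit-deny", "implicit-deny", or "re-run with detailed".
# The samples are constructed from the article's output, trimmed to the
# ACCESS-LIST phase and the Result fields the classifier uses.

def sample(config_lines, subtype=""):
    """Build a trimmed packet-tracer transcript (constructed test data)."""
    cfg = "".join(c + "\n" for c in config_lines)
    info = " Forward Flow based lookup yields rule:\n" if config_lines else ""
    return (f"Type: ACCESS-LIST\nSubtype: {subtype}\nResult: DROP\nConfig:\n{cfg}"
            f"Additional Information:\n{info}\nResult:\ninput-interface: inside\n"
            "output-interface: DMZ\nAction: drop\n"
            "Drop-reason: (acl-drop) Flow is denied by configured rule\n")

SAMPLE_BRIEF = sample([])                       # step 1: run without 'detailed'
SAMPLE_EXPLICIT = sample(["access-group outbound in interface inside",
                          "access-list outbound extended deny ip any any"], "log")
SAMPLE_IMPLICIT = sample(["Implicit Rule"])     # step 3

def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and the final Result dict."""
    phases, summary, phase, section, in_summary = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:                       # final block: "key: value" lines
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif line == "Result:":              # bare header marks the final block
            in_summary = True
        elif line.startswith("Phase:"):      # "Phase: N" precedes each Type line
            section = None
        elif line.startswith("Type:"):       # each phase starts with its Type
            phase = {"Type": line[5:].strip(), "Subtype": "", "Result": "",
                     "Config": [], "Additional Information": []}
            phases.append(phase)
            section = None
        elif phase is None:                  # prompt echo etc. before the first phase
            continue
        elif line in ("Config:", "Additional Information:"):
            section = line[:-1]              # following lines belong to this section
        elif section is not None:
            phase[section].append(line)
        else:                                # Subtype: / Result: inside a phase
            key, _, value = line.partition(":")
            phase[key.strip()] = value.strip()
    return {"phases": phases, "summary": summary}

def diagnose(parsed):
    """Classify the drop; the returned dict's 'kind' says what blocked the flow."""
    summary = parsed["summary"]
    if summary.get("Action") != "drop":
        return {"kind": "allowed"}
    dropped = [p for p in parsed["phases"] if p["Result"] == "DROP"]
    if not dropped:
        return {"kind": "unknown", "hint": "no phase reported DROP; output truncated?"}
    p = dropped[0]
    if p["Type"] != "ACCESS-LIST":
        return {"kind": "other-phase", "phase": p["Type"],
                "reason": summary.get("Drop-reason", "")}
    config = p["Config"]
    if any(c.startswith("Implicit Rule") for c in config):
        return {"kind": "implicit-deny", "interface": summary.get("input-interface", "")}
    ace = next((c for c in config if c.startswith("access-list")), "")
    group = next((c for c in config if c.startswith("access-group")), "")
    if ace:
        return {"kind": "explicit-deny", "ace": ace, "access_group": group}
    return {"kind": "unknown", "hint": "no ACE shown; re-run with the 'detailed' keyword"}

if __name__ == "__main__":
    for label, text in [("brief", SAMPLE_BRIEF), ("explicit", SAMPLE_EXPLICIT),
                        ("implicit", SAMPLE_IMPLICIT)]:
        print(label, "->", diagnose(parse_packet_tracer(text)))
```

Paste the full transcript (prompt echo and all) into `parse_packet_tracer`; lines before the first `Type:` are ignored, and the first phase whose Result is DROP is the one examined, which is what you want because the ASA stops processing at that phase.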

If you didn’t already know, as soon as you allow one piece of traffic through an interface with an ACL, everything else is blocked; this is called the ‘implicit deny rule’. At the end of every ACL there is a deny, so if your traffic does not match any of the rules it gets dropped. So find the ACL name and add the traffic you want to it.

[box]

Petes-ASA# show run access-group
access-group outbound in interface inside
Petes-ASA# configure terminal
Petes-ASA(config)# access-list outbound permit tcp host 10.2.2.10 host 123.123.123.123 eq 80

[/box]
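One caveat worth checking before you add that permit: the ASA evaluates an ACL top down and stops at the first match, so if the ACL already ends in an explicit ‘deny ip any any’ (as in step 2 above), a permit appended with the command above lands below that deny and never matches; you need the ‘line N’ keyword to insert it above the deny. The added example below (my own Python, not the article's or Cisco's code) models first-match evaluation with the implicit deny for the subset of ACE syntax used here, and runs the flow traced at the top of the article against the empty ACL, the appended permit, and a permit inserted with ‘line 1’.

```python
import ipaddress

# Added example, not from the article: a first-match evaluator for the subset of
# ASA extended ACE syntax the article uses, ending in the implicit deny. It shows
# why appending a permit below step 2's explicit "deny ip any any" does nothing,
# while the same permit works against the step 3 (implicit deny only) ACL or
# when inserted above the deny with the ASA's "line N" keyword.
# Supported: any | host A.B.C.D | A.B.C.D MASK, plus an optional numeric
# "eq PORT" on the destination. Source-port and named-port forms are not handled.

def _parse_addr(t, i):
    """Consume one ASA address argument at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK": the ASA takes a subnet mask here, not a wildcard mask
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(command):
    """Parse 'access-list NAME [line N] [extended] {permit|deny} PROTO SRC DST [eq PORT]'."""
    t = command.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list command: {command}")
    name, i, line_no = t[1], 2, None
    if t[i] == "line":
        line_no, i = int(t[i + 1]), i + 2
    if t[i] == "extended":
        i += 1
    action, proto, i = t[i], t[i + 1], i + 2
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"name": name, "line": line_no, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport, "text": command}

def build_acl(commands):
    """Apply access-list commands in order: 'line N' inserts at position N, else append."""
    acl = []
    for cmd in commands:
        ace = parse_ace(cmd)
        if ace["line"] is None:
            acl.append(ace)
        else:
            acl.insert(ace["line"] - 1, ace)
    return acl

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "Implicit Rule"

# The flow traced at the top of the article, and the ACEs from the boxes above.
FLOW = ("tcp", "10.2.2.10", "123.123.123.123", 80)
EXPLICIT_DENY = "access-list outbound extended deny ip any any"   # step 2's ACE
PERMIT = "access-list outbound permit tcp host 10.2.2.10 host 123.123.123.123 eq 80"
INSERTED_PERMIT = "access-list outbound line 1 permit tcp host 10.2.2.10 host 123.123.123.123 eq 80"

STEP3_FIXED = build_acl([PERMIT])                       # implicit deny only: permit works
STEP2_APPENDED = build_acl([EXPLICIT_DENY, PERMIT])     # permit lands below the deny
STEP2_INSERTED = build_acl([EXPLICIT_DENY, INSERTED_PERMIT])  # 'line 1' puts it above

if __name__ == "__main__":
    for label, acl in [("empty ACL", []), ("step 3 fixed", STEP3_FIXED),
                       ("step 2 appended", STEP2_APPENDED), ("step 2 line 1", STEP2_INSERTED)]:
        print(f"{label:16} -> {evaluate(acl, *FLOW)}")
```

Feed `build_acl` the `access-list` lines from `show run access-list` (in the order the ASA prints them) and `evaluate` the same 5-tuple you gave packet-tracer; if the matched entry is the explicit deny, the new permit needs `line N` rather than a plain append.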

It Still Does Not Work!

There is another reason that the traffic can be blocked by the ‘Implicit Rule’: if both interfaces have the same security level, like so;

[box]

Petes-ASA# show run interface
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 192.168.253.254 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.0.0
!
interface GigabitEthernet2
nameif Partner
security-level 100
ip address 123.123.123.1 255.255.255.0
!

[/box]

To fix that you need to allow traffic between interfaces with the same security level;

[box]

Petes-ASA(config)# same-security-traffic permit inter-interface

[/box]  
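As an added check (my own Python, not code from the article or from Cisco), the following parses ‘show run interface’ output into a nameif-to-security-level map and lists the interface pairs that will be blocked by equal security levels unless ‘same-security-traffic permit inter-interface’ is present in the running config. The sample config is constructed from the article's; function names are my own.

```python
# Added example, not from the article: find interface pairs that the ASA will
# block because their security levels are equal, unless the running config
# contains "same-security-traffic permit inter-interface". The sample text is
# constructed from the article's "show run interface" output.

SHOW_RUN_INTERFACE = """\
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.253.254 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.0.0
!
interface GigabitEthernet2
 nameif Partner
 security-level 100
 ip address 123.123.123.1 255.255.255.0
!
"""

def parse_interfaces(text):
    """Map each named interface (nameif) to its security level."""
    blocks, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):      # start of a new interface block
            cur = {}
            blocks.append(cur)
        elif line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
    # interfaces without a nameif (unused ports) cannot pass traffic anyway
    return {b["nameif"]: b["level"] for b in blocks if "nameif" in b and "level" in b}

def blocked_same_security_pairs(levels, running_config):
    """Interface pairs that cannot talk to each other because their levels are equal."""
    if "same-security-traffic permit inter-interface" in running_config:
        return []                              # the article's fix lifts the block
    # note: "permit intra-interface" (hairpinning on one interface) does not help here
    names = sorted(levels)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if levels[a] == levels[b]]

if __name__ == "__main__":
    levels = parse_interfaces(SHOW_RUN_INTERFACE)
    print(levels)
    print("blocked:", blocked_same_security_pairs(levels, ""))
    print("after fix:", blocked_same_security_pairs(
        levels, "same-security-traffic permit inter-interface\n"))
```

Run it with the output of ‘show run interface’ and ‘show run’ pasted in; an empty list means equal security levels are not what is blocking the flow, so go back to the ACL.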

Related Articles, References, Credits, or External Links

NA