legit return PAT traffic denied

crisponions
Level 1

I am troubleshooting an issue where I see a lot of return traffic from web browsing getting denied.

I am running a software version 9.6(4).6 with a Firepower module on board.

I originally thought it was due to closed (torn down) connections, but digging a little further this does not seem to be the case.

I see an entry from the Firepower module asking the ASA to bypass processing, then it is dropped by the deny all ACL.

 

Jun 12 2018 09:33:16: %ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from outside-3:88.157.xxx.11/443 to inside:4.xxx.xxx.14/63916

 

09:33:16: %ASA-6-106100: access-list outside-3_access_in denied tcp outside-3/88.157.xxx.11(443) -> inside/172.20.xx.90(63916)

 

I check the PAT table and the connection is still active.

 

TCP PAT from inside:172.20.xx.90/63916 to outside-3:4.xx.xxx.14/63916 flags ri idle 0:00:09 timeout 0:00:30

 

What am I missing?  Thanks

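As an added example (not from the post or from Cisco), a small Python correlator for the three kinds of lines quoted above: it links the mapped address in the 434004 message to the real address in the 106100 deny through the PAT table. The log lines and xlate entry inside it are constructed with documentation addresses, and the field layout is assumed to match what the post shows.

```python
import re

# Constructed samples in the format of the ASA lines quoted in the post (RFC 5737/1918
# addresses, not the poster's masked ones). Message 434004 carries the mapped (outside)
# address; message 106100 carries the real (inside) address; "show xlate" links the two.
SAMPLE_LOG = """\
%ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from outside-3:198.51.100.11/443 to inside:203.0.113.14/63916
%ASA-6-106100: access-list outside-3_access_in denied tcp outside-3/198.51.100.11(443) -> inside/172.20.30.90(63916)
%ASA-6-106100: access-list outside-3_access_in denied tcp outside-3/198.51.100.12(443) -> inside/172.20.30.91(50001)
"""
SAMPLE_XLATE = """\
TCP PAT from inside:172.20.30.90/63916 to outside-3:203.0.113.14/63916 flags ri idle 0:00:09 timeout 0:00:30
"""

DENY_RE = re.compile(r"%ASA-6-106100: access-list (\S+) denied (\w+) "
                     r"(\S+)/(\S+)\((\d+)\) -> (\S+)/(\S+)\((\d+)\)")
BYPASS_RE = re.compile(r"%ASA-6-434004: .* flow from (\S+):(\S+)/(\d+) to (\S+):(\S+)/(\d+)")
XLATE_RE = re.compile(r"(\w+) PAT from (\S+):(\S+)/(\d+) to (\S+):(\S+)/(\d+) flags")


def parse_xlates(text):
    """Return {(real_ip, real_port): (mapped_ip, mapped_port)} from 'show xlate' lines."""
    return {(m[3], int(m[4])): (m[6], int(m[7])) for m in XLATE_RE.finditer(text)}


def classify_denies(log_text, xlate_text):
    """Explain each 106100 deny of inbound traffic using the PAT table and 434004 lines."""
    xlates = parse_xlates(xlate_text)
    mapped_to_real = {v: k for k, v in xlates.items()}
    # Flows SFR handed back to the ASA, keyed by (peer_ip, peer_port, real_ip, real_port)
    bypassed = set()
    for m in BYPASS_RE.finditer(log_text):
        real = mapped_to_real.get((m[5], int(m[6])))
        if real:
            bypassed.add((m[2], int(m[3])) + real)
    out = []
    for m in DENY_RE.finditer(log_text):
        acl, proto, src_if, src_ip, src_port, dst_if, dst_ip, dst_port = m.groups()
        key = (dst_ip, int(dst_port))
        flow = (src_ip, int(src_port)) + key
        if key in xlates:
            # An established conn entry skips ACL evaluation, so a deny while the xlate is
            # still alive means the conn was already torn down (FIN) or never existed.
            verdict = "PAT slot alive but no conn: packet after teardown or a new inbound SYN"
        else:
            verdict = "no PAT slot: unsolicited inbound, deny is expected"
        out.append({"acl": acl, "flow": flow, "sfr_bypassed": flow in bypassed, "verdict": verdict})
    return out


if __name__ == "__main__":
    for r in classify_denies(SAMPLE_LOG, SAMPLE_XLATE):
        print(r)
```

Feed it the output of `show xlate` and the syslog lines for the same minute; a deny that lands in the first category with a live xlate is consistent with the FIN-then-reconnect pattern the poster later saw in the captures.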

Florin Barhala
Level 6
What I would do: use show conn and check if there's a session established for this traffic.
Can you share "show run access-group" config?

Dennis Mink
VIP Alumni

Is your PAT NAT statement configured for both directions, or unidirectional?

Can you share the NAT config statement you have?

Please remember to rate useful posts, by clicking on the stars below.

I got some wire captures today and it appears that the firewall is doing its job. This type of traffic (one instance was an ad server and another was Spotify traffic) seems to continuously be setting up new TCP sessions.

No retransmits in the capture, just a lot of FIN, FIN-ACK followed by connecting a new TCP session.

Thanks for the help.
