Monday, April 2, 2018

ASA dropping 1.1.1.1 traffic outbound

Yes, this is related to the new 1.1.1.1 DNS service. I have read that there are some parts of the internet still having trouble routing this space, but I'm not even making it out of my own network.

I did the same test for both 8.8.8.8 and 1.1.1.1, and 8.8.8.8 works fine. Even though 1.1.1.1 hits the same rule, it's saying in a later phase that it's denied by the implicit drop rule.

Code version is Cisco Adaptive Security Appliance Software Version 8.2(5).

Packet-tracer to 8.8.8.8:

FIREWALL# packet-tracer input inside icmp 172.18.172.1 8 0 8.8.8.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group insidelist in interface inside
access-list insidelist extended permit icmp any any
access-list insidelist remark
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 15 172.18.172.0 255.255.255.0
  match ip inside 172.18.172.0 255.255.255.0 outside any
    dynamic translation to pool 15 (X.X.X.143)
    translate_hits = 252290205, untranslate_hits = 89103687
Additional Information:
Dynamic translate 172.18.172.1/0 to X.X.X.143/49549 using netmask 255.255.255.255

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 15 172.18.172.0 255.255.255.0
  match ip inside 172.18.172.0 255.255.255.0 outside any
    dynamic translation to pool 15 (X.X.X.143)
    translate_hits = 252290207, untranslate_hits = 89103687
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4008272196, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Packet-tracer to 1.1.1.1:

FIREWALL# packet-tracer input inside icmp 172.18.172.1 8 0 1.1.1.1

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group insidelist in interface inside
access-list insidelist extended permit icmp any any
access-list insidelist remark
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 15 172.18.172.0 255.255.255.0
  match ip inside 172.18.172.0 255.255.255.0 outside any
    dynamic translation to pool 15 (X.X.X.143)
    translate_hits = 252290381, untranslate_hits = 89103699
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
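Read side by side, the two traces already differ at Phase 2: for 8.8.8.8 the route lookup reports the default route via outside (in 0.0.0.0 0.0.0.0 outside), for 1.1.1.1 it reports nothing, and the NAT phase that builds the dynamic translation never runs before the implicit deny in Phase 8. The script below is an added example, not code from the post; it parses packet-tracer output into phases, summarises each trace (route-lookup result, whether a translation was built, final action and drop reason) and reports the first field where two traces diverge. The two traces are embedded as sample input copied from the post, and the function names (parse_trace, summarize, first_divergence) are mine.

```python
import re

# Sample input: the two packet-tracer outputs from the post, flattened onto one line
# the way the page reproduces them. The ASA CLI prints one field per line; the parser
# accepts either layout because it keys on the field labels, not on line breaks.
TRACE_8888 = (
    "Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule "
    "Additional Information: MAC Access list "
    "Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: "
    "Additional Information: in 0.0.0.0 0.0.0.0 outside "
    "Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: "
    "access-group insidelist in interface inside "
    "access-list insidelist extended permit icmp any any access-list insidelist remark "
    "Additional Information: "
    "Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: "
    "Phase: 5 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: "
    "Phase: 6 Type: Subtype: Result: ALLOW Config: Additional Information: "
    "Phase: 7 Type: NAT Subtype: Result: ALLOW Config: nat (inside) 15 172.18.172.0 "
    "255.255.255.0 match ip inside 172.18.172.0 255.255.255.0 outside any dynamic "
    "translation to pool 15 (X.X.X.143) translate_hits = 252290205, untranslate_hits = "
    "89103687 Additional Information: Dynamic translate 172.18.172.1/0 to X.X.X.143/49549 "
    "using netmask 255.255.255.255 "
    "Phase: 8 Type: NAT Subtype: host-limits Result: ALLOW Config: nat (inside) 15 "
    "172.18.172.0 255.255.255.0 match ip inside 172.18.172.0 255.255.255.0 outside any "
    "dynamic translation to pool 15 (X.X.X.143) translate_hits = 252290207, "
    "untranslate_hits = 89103687 Additional Information: "
    "Phase: 9 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: "
    "New flow created with id 4008272196, packet dispatched to next module "
    "Result: input-interface: inside input-status: up input-line-status: up "
    "output-interface: outside output-status: up output-line-status: up Action: allow"
)
TRACE_1111 = (
    "Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule "
    "Additional Information: MAC Access list "
    "Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: "
    "Additional Information: "
    "Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: "
    "access-group insidelist in interface inside "
    "access-list insidelist extended permit icmp any any access-list insidelist remark "
    "Additional Information: "
    "Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: "
    "Phase: 5 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: "
    "Phase: 6 Type: Subtype: Result: ALLOW Config: Additional Information: "
    "Phase: 7 Type: NAT Subtype: host-limits Result: ALLOW Config: nat (inside) 15 "
    "172.18.172.0 255.255.255.0 match ip inside 172.18.172.0 255.255.255.0 outside any "
    "dynamic translation to pool 15 (X.X.X.143) translate_hits = 252290381, "
    "untranslate_hits = 89103699 Additional Information: "
    "Phase: 8 Type: ACCESS-LIST Subtype: Result: DROP Config: Implicit Rule "
    "Additional Information: "
    "Result: input-interface: inside input-status: up input-line-status: up "
    "Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule"
)

# A phase runs from "Phase: N" to the next "Phase:" or to the final "Result:" trailer.
PHASE_RE = re.compile(r"Phase:\s*(\d+)\s+(.*?)(?=Phase:\s*\d+|Result:\s*input-interface|$)", re.S)
FIELD_NAMES = ("Type", "Subtype", "Result", "Config", "Additional Information")
_NAMES = "|".join(FIELD_NAMES)
# Each field value runs until the next field label; an empty value (e.g. "Subtype:") is kept.
FIELD_RE = re.compile(r"(%s):\s*(.*?)(?=\s*(?:%s):|$)" % (_NAMES, _NAMES), re.S)


def parse_trace(text):
    """Split packet-tracer output into a list of dicts, one per phase."""
    phases = []
    for m in PHASE_RE.finditer(text):
        fields = {name: value.strip() for name, value in FIELD_RE.findall(m.group(2))}
        phases.append({"phase": int(m.group(1)), **fields})
    return phases


def parse_verdict(text):
    """Final Action (allow/drop) and Drop-reason, if present, from the trailer."""
    action = re.search(r"Action:\s*(\w+)", text)
    reason = re.search(r"Drop-reason:\s*(.*)$", text, re.S)
    return {"action": action.group(1) if action else None,
            "drop_reason": reason.group(1).strip() if reason else None}


def summarize(text):
    """Phase sequence, what ROUTE-LOOKUP resolved to, whether a translation was built, verdict."""
    phases = parse_trace(text)
    route = next((p.get("Additional Information", "") for p in phases
                  if p.get("Type") == "ROUTE-LOOKUP"), None)
    natted = any("Dynamic translate" in p.get("Additional Information", "") for p in phases)
    return {"phases": [(p["phase"], p.get("Type", ""), p.get("Subtype", "")) for p in phases],
            "route": route, "nat_translate": natted, **parse_verdict(text)}


def first_divergence(good, bad):
    """First field that differs between two traces, as (phase, field, good_value, bad_value)."""
    for pg, pb in zip(parse_trace(good), parse_trace(bad)):
        for name in FIELD_NAMES:
            if pg.get(name, "") != pb.get(name, ""):
                return (pg["phase"], name, pg.get(name, ""), pb.get(name, ""))
    return None


if __name__ == "__main__":
    for label, trace in (("8.8.8.8", TRACE_8888), ("1.1.1.1", TRACE_1111)):
        print(label, summarize(trace))
    print("first divergence:", first_divergence(TRACE_8888, TRACE_1111))
```

On these two traces the script reports the divergence at Phase 2, field Additional Information, which points at the routing table rather than at the access list: the ACL phase permitted the packet in both runs, and the drop only appears after the lookup that found no route via outside. When a trace diverges at ROUTE-LOOKUP like this, checking the ASA routing table (show route) for an entry more specific than the default that covers the destination is the first thing to do before touching any ACL or NAT rule.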

