Thursday, January 24, 2019

Cisco Reflexive ACL assistance

I'm currently working on an issue that may or may not be due to a misconfiguration of a Cisco 2921 Reflexive ACL that is not working. I would like to rule out the Reflexive ACL by confirming it is working as it should before I start looking elsewhere.

Basic topology

User subnets -> Palo Alto FW -> Cisco 2921 -> ISP

Subnet 1 NATs to 16.18.22.99/27 when routed from the FW to the Cisco 2921 (Internet works)

Subnet 2 NATs to 16.18.22.105/27 when routed from the FW to the Cisco 2921 (Internet does not work)

Both subnets share the same physical connections and the same firewall security rule. The only difference is the NAT rule.

Looking at the Reflexive ACL, I do see entries for the .105 IP, which tells me that Subnet 2 is correctly NATed to the Cisco router and making it outbound from the router. Correct? The return traffic never shows up on the Palo Alto network captures, so I'm assuming that the Reflexive ACL may not be working correctly?

Here is some config info pulled from the Cisco router.

Both of these ACLs are applied to the outside interface on the Cisco 2921.

Extended IP access list Inside_to_Outside
10 deny udp any any eq 3544 log (637629 matches)
20 permit ip host 25.0.0.2 9.7.43.32 0.0.0.7 log
30 permit ip 9.7.43.32 0.0.0.7 host 32.63.97.5 log
40 permit ip 9.7.43.32 0.0.0.7 host 32.63.96.5 log
50 permit ip 16.18.22.64 0.0.0.63 any reflect REFLEXIVE-ACL-LIST log (3893795435 matches)
70 deny ip any any log (64 matches)

NOTE: I believe rule 50 should match both .99 and .105 for outbound access?

Extended IP access list Outside_To_In
10 permit ip 1.7.12.32 0.0.0.7 host 25.0.0.2 log (4451008 matches)
20 permit ip host 1.63.7.5 9.7.43.32 0.0.0.7 log (65001 matches)
30 permit ip host 1.63.7.6 9.7.43.32 0.0.0.7 log (73010 matches)
40 permit ip 16.17.43.17 0.0.0.7 9.7.43.32 0.0.0.7
50 permit ip 16.17.34.0 0.0.0.255 16.18.22.64 0.0.0.63 log (260997410 matches)
60 permit icmp 9.7.43.32 0.0.0.7 any log (89 matches)
70 deny icmp any any log (21465826 matches)
80 deny ip 16.18.22.64 0.0.0.63 any log
90 deny ip 169.254.0.0 0.0.255.255 any log (65 matches)
100 deny ip 127.0.0.0 0.255.255.255 any log
110 deny ip 10.0.0.0 0.0.255.255 any log (549 matches)
120 deny ip 0.0.0.0 0.255.255.255 any log
130 deny ip 192.0.0.0 0.0.0.255 any log
140 deny ip 172.16.0.0 0.15.255.255 any log (6949 matches)
150 deny ip 169.0.0.0 0.0.0.255 any log
160 deny ip 224.0.0.0 15.255.255.255 any log
170 permit tcp any host 16.18.22.66 eq 443 log (3228 matches)
180 permit tcp any host 16.18.22.67 eq 443 log (3292 matches)
200 permit udp any host 16.18.22.66 eq isakmp log (221 matches)
210 permit udp any host 16.18.22.66 eq non500-isakmp log (48 matches)
230 permit udp any host 16.18.22.67 eq isakmp log (203 matches)
240 permit udp any host 16.18.22.67 eq non500-isakmp log (50 matches)
250 evaluate REFLEXIVE-ACL-LIST

NOTE: I believe rule 250 should allow for all traffic to return for .99 and .105?

A few random entries I copied out of the REFLEXIVE-ACL-LIST:

permit tcp host 12.253.131.111 eq www host 16.18.22.105 eq 46456 log (5 matches) (time left 224) (no internet access)
permit tcp host 65.26.225.254 eq www host 16.18.22.105 eq 56694 log (3 matches) (time left 239) (no internet access)
permit tcp host 23.62.7.169 eq www host 16.18.22.105 eq 1730 log (9 matches) (time left 187) (no internet access)
permit tcp host 35.186.220.184 eq 443 host 16.18.22.99 eq 50948 log (30 matches) (time left 227) (internet works!)
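As an added example (not part of the original post), here is a small Python matcher that parses Cisco-style ACEs and walks Outside_To_In top-down the way IOS does, so the return packet for one of the .105 reflexive entries above can be traced to the exact entry that permits or denies it. The ACL text is constructed from the entries quoted in the post with the log keywords and match counters stripped; packets are assumed to be (proto, src, sport, dst, dport) tuples.

```python
import ipaddress

PORT_NAMES = {"www": 80, "isakmp": 500, "non500-isakmp": 4500}
# Constructed from the entries quoted in the post ('log' keywords and match counters stripped).
OUTSIDE_TO_IN = """
80 deny ip 16.18.22.64 0.0.0.63 any
250 evaluate REFLEXIVE-ACL-LIST
"""
REFLEXIVE_ACL_LIST = """
permit tcp host 12.253.131.111 eq www host 16.18.22.105 eq 46456
permit tcp host 35.186.220.184 eq 443 host 16.18.22.99 eq 50948
"""
def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(t, i):
    # One address spec -> (base, care_mask); 1-bits of a Cisco wildcard are don't-care.
    if t[i] == "any":
        return (0, 0), i + 1
    base, wild = (t[i + 1], "0.0.0.0") if t[i] == "host" else (t[i], t[i + 1])
    return (_ip(base), ~_ip(wild) & 0xFFFFFFFF), i + 2
def _port(t, i):
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i
def parse_ace(line):
    t = line.split()
    seq, t = (int(t[0]), t[1:]) if t[0].isdigit() else (None, t)
    if t[0] == "evaluate":
        return dict(seq=seq, action="evaluate", name=t[1])
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return dict(seq=seq, action=t[0], proto=t[1], src=src, sport=sport, dst=dst, dport=dport)
def _match(a, pkt):
    proto, sip, sport, dip, dport = pkt
    return (a["proto"] in ("ip", proto)
            and all((_ip(v) & c) == (b & c) for (b, c), v in ((a["src"], sip), (a["dst"], dip)))
            and all(p in (None, v) for p, v in ((a["sport"], sport), (a["dport"], dport))))

def first_match(acl_text, reflexive_text, pkt):
    # Walk top-down like IOS; 'evaluate' checks the dynamic list in place, else falls through.
    reflexive = [parse_ace(ln) for ln in reflexive_text.splitlines() if ln.strip()]
    for ace in (parse_ace(ln) for ln in acl_text.splitlines() if ln.strip()):
        if ace["action"] == "evaluate":
            if any(_match(r, pkt) for r in reflexive):
                return ace["name"], "permit"
        elif _match(ace, pkt):
            return ace["seq"], ace["action"]
    return None, "deny"  # implicit deny at the end of every IOS ACL
```

Feeding it the inbound half of the first .105 entry returns the reflexive list as the permitting entry, while the same flow with a different client port, or a packet whose source lies in 16.18.22.64/26 (the anti-spoof rule 80), is denied.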
