https://community.cisco.com/t5/network-security/cisco-asa-routing-issues-between-interfaces/m-p/4116058#M1071885 Is that the full output of the packet-tracer command?<BR />What was the exact syntax of the packet-tracer command you ran?<BR /> Thu, 09 Jul 2020 15:08:55 GMT Rob Ingram 2020-07-09T15:08:55Z https://community.cisco.com/t5/network-security/cisco-asa-routing-issues-between-interfaces/m-p/4115789#M1071876 <P>Hi,</P><P>&nbsp;</P><P>We have defined our main network as inside on our Cisco ASA. Then we defined vlan (sub interfaces) &nbsp;within this interface and add groups that allow access to each vlan (departments).</P><P>&nbsp;</P><P>So far all works as expected. We also allow inter and intra communications between interfaces (all have same level of security 100).</P><P>&nbsp;</P><P>So from outside to inside or other sub interfaces (vlan) each one within a group with proper NAT and rules work.</P><P>&nbsp;</P><P>The problem comes when we want to access from inside network (10.11.x.x) to a vlan with ip 172.21.x.x.&nbsp;</P><P>Of course I cannot add a route to this network since it is known by the device on a vlan.&nbsp;</P><P>&nbsp;</P><P>I think I need to move the inside to be also a vlan and no IP address on the interface itself but use a vlan like the others under inside to be able to reach the other sub interfaces right?</P><P>&nbsp;</P><P>So what we have is something like:</P><P>&nbsp;</P><P>interface Ethernet1/14<BR />description untagged / native VLAN to inner networks<BR />nameif inside<BR />security-level 100<BR />ip address 10.11.x.x 255.255.252.0</P><P>&nbsp;</P><P>interface Ethernet1/14.30<BR />vlan 30<BR />nameif WEB_dev<BR />security-level 100<BR />ip address 172.21.x.x &nbsp;255.255.0.0&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Carmelo Lopez</P> Thu, 09 Jul 2020 07:23:33 GMT https://community.cisco.com/t5/network-security/cisco-asa-routing-issues-between-interfaces/m-p/4115789#M1071876 lopezportilla 2020-07-09T07:23:33Z https://community.cisco.com/t5/network-security/cisco-asa-routing-issues-between-interfaces/m-p/4115938#M1071877 Hi,<BR />Please run packet-tracer from the CLI and provide the output for review. E.g:- "packet-tracer input inside icmp 10.11.x.x 8 0 172.21.x.x"<BR /><BR />Do you have NAT configured that could unintentially NATTING the traffic? Provide the output of "show nat detail"<BR /><BR />HTH Thu, 09 Jul 2020 12:22:41 GMT https://community.cisco.com/t5/network-security/cisco-asa-routing-issues-between-interfaces/m-p/4115938#M1071877 Rob Ingram 2020-07-09T12:22:41Z https://community.cisco.com/t5/network-security/cisco-asa-routing-issues-between-interfaces/m-p/4116024#M1071882 <P>Hi,</P><P>&nbsp;</P><P>Yes we do NAT</P><P>&nbsp;</P><P>here is the packet trace</P><P>&nbsp;</P><P>Phase: 1</P><P>Type: ACCESS-LIST</P><P>Subtype:<SPAN class="Apple-converted-space">&nbsp;</SPAN></P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P>MAC Access list</P><P>&nbsp;</P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: Resolve Egress Interface</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>found next-hop 172.21.xx.xx using egress ifc<SPAN class="Apple-converted-space">&nbsp; </SPAN>Web-dev</P><P>&nbsp;</P><P>Phase: 3</P><P>Type: SUBOPTIMAL-LOOKUP</P><P>Subtype: suboptimal next-hop</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>ifc selected is not same as preferred ifc</P><P>Doing route lookup again on ifc<SPAN class="Apple-converted-space">&nbsp; </SPAN>inside</P><P>&nbsp;</P><P>Phase: 4</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: Resolve Egress Interface</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>found next-hop 10.11.xx.xx using egress ifc<SPAN class="Apple-converted-space">&nbsp; </SPAN>inside</P><P>&nbsp;</P><P>Result:</P><P>input-interface: inside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: Web-dev</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (rpf-violated) Reverse-path verify failed, Drop-location: frame 0x000000aab04e9034 flow (NA)/NA</P><P>&nbsp;</P><P>&nbsp;</P><P>The NAT (only the part involved)</P><P>&nbsp;</P><P>&nbsp;</P><P>6 (outside) to (inside) source static Net-XXX-VPN-network Net-XXX-VPN-network<SPAN class="Apple-converted-space">&nbsp; </SPAN>destination static Net-XXX-VPN-network Net-XXX-VPN-network no-proxy-arp route-lookup description no NAT for VPN Clients going to their own net</P><P><SPAN class="Apple-converted-space">&nbsp; &nbsp; </SPAN>translate_hits = 1348838, untranslate_hits = 1351597</P><P><SPAN class="Apple-converted-space">&nbsp; &nbsp; </SPAN>Source - Origin: 10.11.xx.0 Translated: 10.11.xx.0</P><P><SPAN class="Apple-converted-space">&nbsp; &nbsp; </SPAN>Destination - Origin: 10.11.xx.0 Translated: 10.11.xx.0</P><P>&nbsp;</P><P>&nbsp;</P><P>10 (outside) to (Web-dev) source static Net_Web-Dev_NEtwork Net_Web-dev_NEtwork<SPAN class="Apple-converted-space">&nbsp; </SPAN>destination static Net_Web-dev_NEtwork Net_Web-dev_NEtwork no-proxy-arp route-lookup description no NAT for packets going in same network</P><P><SPAN class="Apple-converted-space">&nbsp; &nbsp; </SPAN>translate_hits = 1489143, untranslate_hits = 45535</P><P><SPAN class="Apple-converted-space">&nbsp; &nbsp; </SPAN>Source - Origin: 172.21.0.0, Translated: 172.21.0.0</P><P>&nbsp;</P><P>This one I was thinking about using to NAT from inside to the Web-DEV. Not enable (I did and nothing happened).</P><P>&nbsp;</P><P>11 (inside) to (web-dev) source static Net-XXX-VPN-network Web-dev-PAT-inside<SPAN class="Apple-converted-space">&nbsp; </SPAN>destination static Net_web-dev_NEtwork Net_web-dev_NEtwork no-proxy-arp inactive</P><P><SPAN class="Apple-converted-space">&nbsp; &nbsp; </SPAN>translate_hits = 0, untranslate_hits = 0</P><P><SPAN class="Apple-converted-space">&nbsp; &nbsp; </SPAN>Source - Origin: 10.11.xx.0/22, Translated: 172.21.xx.xx/32</P><P><SPAN class="Apple-converted-space">&nbsp; &nbsp; </SPAN>Destination - Origin: 172.21.0.0/16, Translated: 172.21.0.0</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 09 Jul 2020 14:31:05 GMT https://community.cisco.com/t5/network-security/cisco-asa-routing-issues-between-interfaces/m-p/4116024#M1071882 lopezportilla 2020-07-09T14:31:05Z https://community.cisco.com/t5/network-security/cisco-asa-routing-issues-between-interfaces/m-p/4116058#M1071885 Is that the full output of the packet-tracer command?<BR />What was the exact syntax of the packet-tracer command you ran?<BR /> Thu, 09 Jul 2020 15:08:55 GMT https://community.cisco.com/t5/network-security/cisco-asa-routing-issues-between-interfaces/m-p/4116058#M1071885 Rob Ingram 2020-07-09T15:08:55Z https://community.cisco.com/t5/network-security/cisco-asa-routing-issues-between-interfaces/m-p/4116576#M1071943 <P>Hi Rob,</P><P>yes that’s all from the trace</P><P>i did like you said replacing the IP with 2 working IP within the 2 networks</P><P>best</P><P>carmelo&nbsp;</P> Fri, 10 Jul 2020 13:01:38 GMT https://community.cisco.com/t5/network-security/cisco-asa-routing-issues-between-interfaces/m-p/4116576#M1071943 lopezportilla 2020-07-10T13:01:38Z