topic Rick, in Network Security

ASA5512 Basic question on passing traffic

Richard Stanger — Tue, 12 Mar 2019 08:51:38 GMT

I have two interfaces on the asa configured (one named outside and one PDS), I can ping out from the ASA to devices on each side without issue but am unable to pass traffic from devices located on one side to device on the other side (through the asa). Does it have to have NAT configured? I have acl's configured on both interfaces allowing permitting icmp, tcp, and ip. We are running ver. 9.6.2 What am I missing?

Richard,

Georg Pauwen — Tue, 31 Jan 2017 16:37:35 GMT

Richard,

best to post the config of the ASA.

One reason could be the interface security level. By default, interfaces with the same security level cannot communicate unless you have the below configured:

same-security-traffic permit inter-interface

I have specifically changed

Richard Stanger — Tue, 31 Jan 2017 16:45:14 GMT

I have specifically changed security levels with no change in traffic. Also, have tried the "same-security-traffic permit inter-interface" with no effect....

Richard,

Georg Pauwen — Tue, 31 Jan 2017 16:58:20 GMT

Richard,

post the config, it could be an access list...

Interface security levels are

Marius Gunnerud — Tue, 31 Jan 2017 17:54:03 GMT

Interface security levels are only relevant if no ACL is assigned to the interface.

When you say you are unable to pass traffic are we talking about ICMP traffic or http, https traffic also? If it is just ICMP then you will need to enable ICMP inspection. Enter the following and test again:

policy-map global_policy
class inspection_default
inspect icmp

Is the outside interface connected towards ISP with public interface? If, yes then you will need a NAT statement unless the subnet on the PDS interface is a public IP also.

Run a packet tracer and see where the traffic drops, where x.x.x.x is an IP on the PDS network and y.y.y.y is an IP on the outside network:

packet-tracer input PDS tcp x.x.x.x 12345 y.y.y.y 80 detail

You mention that you have opened for IP in both directions so this should work, or at the very least give us an indication where the packet is being dropped.

Please remember to select a correct answer and rate helpful posts

Okay, I thought it didn't

Richard Stanger — Tue, 31 Jan 2017 18:25:21 GMT

Okay, I thought it didn't make sense!

The problem was the default gateways on the vm'd servers were not set correctly! Once I had our server guy check this, we determined the issue. Thank you everyone for sending information. It may not help me but most certainly will help someone else!

I thank you all!

Rick

Glad you got it sorted!

Marius Gunnerud — Tue, 31 Jan 2017 18:33:54 GMT

Glad you got it sorted!

Please remember to select a correct answer and rate helpful posts

Rick,

Georg Pauwen — Tue, 31 Jan 2017 19:35:11 GMT

Rick,

good stuff ! This thread contains some useful information no matter what...