topic Switching traffic between interfaces in Network Security

Switching traffic between interfaces

Fazil Haneefa — Tue, 12 Mar 2019 08:29:49 GMT

Hi Everyone,

I am facing an issue for a IP. The packet tracer on the asdm says the packet will be routed correctly and without any error from the ingress interface to the egress interface.

Now, when I capture the ingress interface, I can see the packets in wireshark. But I can't see those packets in the egress capture.

NB:- this particular ip is not reachable from the Firewall.

So my Question is, Is this a normal behavior that the ASA will not switch the packets from the ingress to egress if the destination host is not reachable, or it will be switched regardless of the reachability of the destination.

Or is this something on the ASA itself. I doubt this, because the rules pretty straight forward and another IP from the same subnet is working fine and again, the packet tracer tells me everything is fine for this particular IP.

Thank you everyone in advance.

Your firewall (the same is

Karsten Iwen — Sun, 06 Nov 2016 09:19:32 GMT

Your firewall (the same is true for every IP-device) needs to know to which address on layer2 the packet should be forwarded, For that an ARP packet is sent out. If there is no one answering, then the actual packet is discarded. This is normal behavior.

U mean the arp of the next

Fazil Haneefa — Tue, 08 Nov 2016 04:43:54 GMT

U mean the arp of the next hop for the egress interface, right?

The next hop is reachable by the way.

So you have a remote

Karsten Iwen — Tue, 08 Nov 2016 06:10:06 GMT

So you have a remote destination in your case that is not reachable? I assumed your host is on the same outside network of the ASA.

Only the next hop (which can be a router) needs to be reachable in that case. If you don't see the egress-packets in that case, then I assume that your capture-statement is not matching that traffic.