https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876665#M155079 <P>Hello,</P> <P></P> <P>I have an ASA 5515 where an interface is connected to a router whit 2 different networks defined 192.168.1.0 - 192.168.168.2.0</P> <P></P> <P>The interface configuration is the following:</P> <P></P> <P>GigabitEthernet0/0 81.77.10.200 YES manual <G class="gr_ gr_260 gr-alert gr_spell gr_disable_anim_appear undefined ContextualSpelling only-del replaceWithoutSep" id="260" data-gr-id="260">up up</G>&nbsp;<SPAN>outside</SPAN><BR />GigabitEthernet0/1 192.168.66.1 YES manual <G class="gr_ gr_689 gr-alert gr_spell undefined ContextualSpelling only-del replaceWithoutSep" id="689" data-gr-id="689">up up</G>&nbsp;inside<BR /><STRONG>GigabitEthernet0/2 192.168.1.238 YES manual </STRONG><G class="gr_ gr_690 gr-alert gr_spell undefined ContextualSpelling only-del replaceWithoutSep" id="690" data-gr-id="690">up up</G>&nbsp;office<BR />GigabitEthernet0/3 192.168.5.2 YES manual <G class="gr_ gr_691 gr-alert gr_spell undefined ContextualSpelling only-del replaceWithoutSep" id="691" data-gr-id="691">up up</G>&nbsp;<G class="gr_ gr_724 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="724" data-gr-id="724">vpn</G></P> <P></P> <P>A device on interface 0/2 is able to access&nbsp;192.168.1.0 traffic but not&nbsp;<SPAN>192.168.168.2.0</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Route rules looks as the following:</SPAN></P> <P><SPAN>S* 0.0.0.0 0.0.0.0 [1/0] via 80.71.19.214, outside<BR />C 81.77.10.208 255.255.255.248 is directly connected, outside<BR />L 81.77.10.200 255.255.255.255 is directly connected, outside<BR />C 192.168.5.0 255.255.255.0 is directly connected, vpn<BR />L 192.168.5.2 255.255.255.255 is directly connected, vpn<BR />C 192.168.11.0 255.255.255.0 is directly connected, office<BR />L 192.168.1.238 255.255.255.255 is directly connected, office<BR /><STRONG>S 192.168.2.0 255.255.255.0 [1/0] via 192.168.12.1, office</STRONG><BR />C 192.168.66.0 255.255.255.0 is directly connected, inside<BR />L 192.168.66.1 255.255.255.255 is directly connected, inside<BR /></SPAN></P> <P><SPAN></SPAN></P> <P>and if I try to ping any address on&nbsp;<SPAN>192.168.168.2.0 on the ASA it works:</SPAN></P> <P><SPAN> ping 192.168.2.1<BR />Type escape sequence to abort.<BR />Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:<BR />!!!!!<BR />Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms<BR /></SPAN></P> <P></P> <P>Any help?</P> <P></P> <P>Thanks!</P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> Tue, 12 Mar 2019 07:34:51 GMT Renato Tuveri 2019-03-12T07:34:51Z https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876665#M155079 <P>Hello,</P> <P></P> <P>I have an ASA 5515 where an interface is connected to a router whit 2 different networks defined 192.168.1.0 - 192.168.168.2.0</P> <P></P> <P>The interface configuration is the following:</P> <P></P> <P>GigabitEthernet0/0 81.77.10.200 YES manual <G class="gr_ gr_260 gr-alert gr_spell gr_disable_anim_appear undefined ContextualSpelling only-del replaceWithoutSep" id="260" data-gr-id="260">up up</G>&nbsp;<SPAN>outside</SPAN><BR />GigabitEthernet0/1 192.168.66.1 YES manual <G class="gr_ gr_689 gr-alert gr_spell undefined ContextualSpelling only-del replaceWithoutSep" id="689" data-gr-id="689">up up</G>&nbsp;inside<BR /><STRONG>GigabitEthernet0/2 192.168.1.238 YES manual </STRONG><G class="gr_ gr_690 gr-alert gr_spell undefined ContextualSpelling only-del replaceWithoutSep" id="690" data-gr-id="690">up up</G>&nbsp;office<BR />GigabitEthernet0/3 192.168.5.2 YES manual <G class="gr_ gr_691 gr-alert gr_spell undefined ContextualSpelling only-del replaceWithoutSep" id="691" data-gr-id="691">up up</G>&nbsp;<G class="gr_ gr_724 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="724" data-gr-id="724">vpn</G></P> <P></P> <P>A device on interface 0/2 is able to access&nbsp;192.168.1.0 traffic but not&nbsp;<SPAN>192.168.168.2.0</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Route rules looks as the following:</SPAN></P> <P><SPAN>S* 0.0.0.0 0.0.0.0 [1/0] via 80.71.19.214, outside<BR />C 81.77.10.208 255.255.255.248 is directly connected, outside<BR />L 81.77.10.200 255.255.255.255 is directly connected, outside<BR />C 192.168.5.0 255.255.255.0 is directly connected, vpn<BR />L 192.168.5.2 255.255.255.255 is directly connected, vpn<BR />C 192.168.11.0 255.255.255.0 is directly connected, office<BR />L 192.168.1.238 255.255.255.255 is directly connected, office<BR /><STRONG>S 192.168.2.0 255.255.255.0 [1/0] via 192.168.12.1, office</STRONG><BR />C 192.168.66.0 255.255.255.0 is directly connected, inside<BR />L 192.168.66.1 255.255.255.255 is directly connected, inside<BR /></SPAN></P> <P><SPAN></SPAN></P> <P>and if I try to ping any address on&nbsp;<SPAN>192.168.168.2.0 on the ASA it works:</SPAN></P> <P><SPAN> ping 192.168.2.1<BR />Type escape sequence to abort.<BR />Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:<BR />!!!!!<BR />Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms<BR /></SPAN></P> <P></P> <P>Any help?</P> <P></P> <P>Thanks!</P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> Tue, 12 Mar 2019 07:34:51 GMT https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876665#M155079 Renato Tuveri 2019-03-12T07:34:51Z https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876666#M155080 <P>Hello Renato,</P> <P>Can you please confirm if there are any access-list applied on the interfaces since the to the box traffic and through the box traffic will be processed differently.<BR /><BR /></P> <P>Please share the output of&nbsp;<BR />show run access-group<BR /><BR /></P> <P>Do a traceroute from <G class="gr_ gr_524 gr-alert gr_gramm undefined Grammar only-ins replaceWithoutSep gr-progress" id="524" data-gr-id="524">firewall</G> to 192.168.2.x and check what are all the hops and also confirm those hops have a correct route for your subnet.<BR /><BR /></P> <P>Regards,<BR />Dinesh Moudgil</P> <P>P.S. Please rate helpful posts.</P> Tue, 05 Apr 2016 10:24:43 GMT https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876666#M155080 Dinesh Moudgil 2016-04-05T10:24:43Z https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876667#M155081 <P>Hello,</P> <P></P> <P>show run access-group:</P> <P><BR />access-group outside_access_in in interface outside<BR />access-group inside_in in interface inside</P> <P></P> <P>traceroute 192.168.2.1</P> <P>Type escape sequence to abort.<BR />Tracing the route to 192.168.2.1</P> <P>1 192.168.2.1 10 msec 0 msec 0 msec</P> <P></P> <P>Thanks,</P> <P></P> <P>Renato</P> <P></P> Tue, 05 Apr 2016 10:45:27 GMT https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876667#M155081 Renato Tuveri 2016-04-05T10:45:27Z https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876668#M155082 <P>Please share the output of&nbsp;<BR />show <G class="gr_ gr_32 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="32" data-gr-id="32">ip</G><BR /><G class="gr_ gr_43 gr-alert gr_gramm undefined Grammar multiReplace" id="43" data-gr-id="43">show</G> run route<BR />show&nbsp;access-list&nbsp;<BR /><BR /></P> <P>Regards,<BR />Dinesh Moudgil</P> <P>P.S. Please rate helpful posts.</P> Tue, 05 Apr 2016 13:12:53 GMT https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876668#M155082 Dinesh Moudgil 2016-04-05T13:12:53Z https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876669#M155083 <P>show <G class="gr_ gr_14 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="14" data-gr-id="14">ip</G></P> <P>Interface Name IP address Subnet mask Method<BR />GigabitEthernet0/0 outside ****<G class="gr_ gr_16 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="16" data-gr-id="16">Pubblic</G> <G class="gr_ gr_17 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="17" data-gr-id="17">ip</G>*** 255.255.255.248 manual<BR />GigabitEthernet0/1 inside 192.168.66.1 255.255.255.0 manual<BR />GigabitEthernet0/2 office 192.168.1.238 255.255.255.0 manual<BR />GigabitEthernet0/3 <G class="gr_ gr_18 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="18" data-gr-id="18">vpn</G> 192.168.5.2 255.255.255.0 manual</P> <P></P> <P>show run route<BR />route outsideBA 0.0.0.0 0.0.0.0 80.71.19.214 1<BR />route office 192.168.2.0 255.255.255.0 192.168.2.1 1</P> <P></P> <P>show access-list<BR />access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)<BR />alert-interval 300<BR />access-list outside_access_in; 18 elements; name hash: 0x60092435<BR />access-list outside_access_in line 1 remark Allor ssh to BA London<BR />access-list outside_access_in line 2 extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_1 (hitcnt=184) 0x1b0c2864<BR />access-list outside_access_in line 2 extended permit tcp any eq 16022 192.168.66.0 255.255.255.0 eq ssh (hitcnt=1) 0xb9f3a481<BR />access-list outside_access_in line 2 extended permit tcp any eq 16022 host 192.168.66.160 eq ssh (hitcnt=0) 0x3e417c21<BR />access-list outside_access_in line 2 extended permit tcp any 192.168.66.0 255.255.255.0 eq ssh (hitcnt=183) 0x83d4a48a<BR />access-list outside_access_in line 2 extended permit tcp any host 192.168.66.160 eq ssh (hitcnt=0) 0xe8a3c0f7<BR />access-list outside_access_in line 3 remark Allow AIstore Cloud Mirror VPN<BR />access-list outside_access_in line 4 extended permit object 1195-dest any object-group DM_INLINE_NETWORK_2 log notifications interval 300 (hitcnt=1285) 0x3e72a4fc<BR />access-list outside_access_in line 4 extended permit udp any 192.168.66.0 255.255.255.0 eq 1195 log notifications interval 300 (hitcnt=1285) 0x5d0b3fe2<BR />access-list outside_access_in line 4 extended permit udp any host 192.168.66.170 eq 1195 log notifications interval 300 (hitcnt=0) 0xd9fdef26<BR />access-list outside_access_in line 5 extended permit udp any host 192.168.66.170 eq 1195 (hitcnt=0) 0xd9fdef26<BR />access-list outside_access_in line 6 extended permit udp host 192.168.66.170 any eq 1195 (hitcnt=0) 0x32c8ee84<BR />access-list outside_access_in line 7 remark NAT for BA London HTPPS/HTTP/SMTP<BR />access-list outside_access_in line 8 extended permit object-group DM_INLINE_SERVICE_2 any object-group DM_INLINE_NETWORK_3 (hitcnt=3523) 0x7ab78e2b<BR />access-list outside_access_in line 8 extended permit tcp any 192.168.66.0 255.255.255.0 eq www (hitcnt=0) 0x5c9d5b78<BR />access-list outside_access_in line 8 extended permit tcp any host 192.168.66.160 eq www (hitcnt=0) 0xc3c067d0<BR />access-list outside_access_in line 8 extended permit udp any 192.168.66.0 255.255.255.0 eq www (hitcnt=0) 0x61a77cc7<BR />access-list outside_access_in line 8 extended permit udp any host 192.168.66.160 eq www (hitcnt=0) 0xa7c94c8f<BR />access-list outside_access_in line 8 extended permit tcp any 192.168.66.0 255.255.255.0 eq https (hitcnt=3096) 0x5372ab57<BR />access-list outside_access_in line 8 extended permit tcp any host 192.168.66.160 eq https (hitcnt=0) 0x883d395a<BR />access-list outside_access_in line 8 extended permit tcp any 192.168.66.0 255.255.255.0 eq smtp (hitcnt=258) 0x787c50ac<BR />access-list outside_access_in line 8 extended permit tcp any host 192.168.66.160 eq smtp (hitcnt=0) 0x5c6dd0a6</P> <P></P> <P>Regards,</P> <P></P> <P>Renato</P> <P></P> <P></P> <P></P> Tue, 05 Apr 2016 13:38:16 GMT https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876669#M155083 Renato Tuveri 2016-04-05T13:38:16Z https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876670#M155084 <P>Your route statements <G class="gr_ gr_31 gr-alert gr_gramm undefined Grammar multiReplace" id="31" data-gr-id="31">points</G> the packets at 192.168.2.1 and the routing output shows the next hop as 192.168.12.1 which is contradictory</P> <P>route office 192.168.2.0 255.255.255.0 <STRONG>192.168.2.1&nbsp;</STRONG></P> <P>S 192.168.2.0 255.255.255.0 [1/0] via <STRONG>192.168.12.1,</STRONG> office</P> <P>Moreover, why is the next hop for "office" interface set up for 192.168.2.1 (not in the subnet of interface address i.e. 192.168.1.238 )</P> <P></P> <P>Regards,<BR />Dinesh Moudgil</P> <P>P.S. Please rate helpful posts.<BR /><BR /></P> Wed, 06 Apr 2016 00:48:16 GMT https://community.cisco.com/t5/network-security/asa-interface-traffic-on-2-different-subnet/m-p/2876670#M155084 Dinesh Moudgil 2016-04-06T00:48:16Z