topic This is pretty much all I in Network Security

Failing communication b/w networks

S891 — Tue, 12 Mar 2019 05:55:47 GMT

I am facing an issue with connectivity between two networks. It seems simple but user is complaining that servers between the VLANs are not communicating (only ICMP is working but nothing else).

I cannot seem to find any issue with the below config. May be anyone can see anything missing. There is no NATTING configured. There are 6 networks that need to communicate with each other except for ICMP. I am showing just two here but it is the same for all.

interface Vlan360
nameif PUB-SERVERS
security-level 40
ip address 100.1.38.97 255.255.255.224 standby 100.1.38.98
!
interface Vlan361
nameif PUB-USERS
security-level 30
ip address 100.1.40.225 255.255.255.224 standby 100.1.40.226

object-group network NETWORKS
network-object 100.1.40.224 255.255.255.224
network-object 100.1.38.96 255.255.255.224

object-group network NETWORKS2
network-object 100.1.40.224 255.255.255.224
network-object 100.1.38.96 255.255.255.224

access-list PUB-SERVERS_IN extended permit ip object-group NETWORKS object-group NETWORKS2
access-list PUB-SERVERS_IN extended permit icmp object-group NETWORKS object-group NETWORKS2
access-list PUB-USERS_IN extended permit ip object-group NETWORKS object-group NETWORKS2
access-list PUB-USERS_IN extended permit icmp object-group NETWORKS object-group NETWORKS2

access-group PUB-SERVERS_IN in interface PUB-SERVERS
access-group PUB-USERS_IN in interface PUB-USERS

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

hi fawad,can you post the

fatalXerror — Wed, 13 May 2015 15:25:12 GMT

hi fawad,

can you post the whole config for us to assess further?

thanks.

This is pretty much all I

S891 — Wed, 13 May 2015 19:07:48 GMT

This is pretty much all I have for these two networks. Now does it matter that I have same subnets listed in the object groups for source and destination. Actually I have six subnets that all need to talk to each other. I created two object-group and put all six networks in them but named these object groups differently. I did not see any error message when applying ACL so i assume this was valid.

There is nothing else I have on firewall relevant to these networks. The firewall is working fine otherwise with no issues.

Hi

Henrik Grankvist — Wed, 13 May 2015 19:43:57 GMT

Why do you have both networks in both object-groups? I don't know if it would create a problem, but it doesn't make sence. What you should do instead:

object network PUB-SERVERS
subnet 100.1.38.96 255.255.255.224

object network PUB-USERS
subnet 100.1.40.224 255.255.255.224

access-list PUB-SERVERS_IN permit ip object PUB-SERVERS object PUB-USERS
access-list PUB-SERVERS_IN permit icmp object PUB-SERVERS object PUB-USERS

access-list PUB-USERS_IN permit ip object PUB-USERS object PUB-SERVERS
access-list PUB-USERS_IN permit icmp object PUB-USERS object PUB-SERVERS

access-group PUB-SERVERS_IN in interface PUB-SERVERS
access-group PUB-USERS_IN in interface PUB-USERS

When you have changed that, and it still doesn't work, try packet-tracer:

packet-tracer input PUB-USERS tcp 100.1.40.226 45644 100.1.38.96 45
packet-tracer input PUB-SERVERS tcp 100.1.38.96 45644 100.1.40.226 45

And then post the output here.