https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208233#M876442 <HTML><HEAD></HEAD><BODY><P>Why do you have 3 ACL's applied to the inside interface and 2 applied to the DMZ?</P><P></P><P>access-group Core_access_in_1 in interface Core control-plane</P><P>access-group outside-in-acl in interface Core</P><P>access-group Core_access_out out interface Core</P><P>access-group outside-in-acl in interface DMZ</P><P>access-group DMZ_access_out out interface DMZ</P></BODY></HTML> Fri, 13 Feb 2009 16:13:17 GMT eddie.mitchell 2009-02-13T16:13:17Z https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208232#M876441 <P>Hi</P><P></P><P>I am having issues with routing on 2 ASA 5520 and wondering if anyone can help.</P><P></P><P>Attached is some of the running config.</P><P></P><P>The setup is basically 2 asa 5520s running in a active/active configuration.</P><P></P><P>3 out of the four interfaces are used and one for failover between each box.</P><P></P><P>I have an interface dedicated to each zone as such:</P><P></P><P>Core (inside) 10.1.0.0</P><P>DMZ 10.8.0.0</P><P>Outside 11.1.0.0</P><P></P><P>Now I have been trying to enable routing between the inside interface and the DMZ, and vice versa.</P><P></P><P>For example I would like a host in the inside zone to be able to ping a host in the DMZ.</P><P></P><P>I have added exception for ICMP and also allow it both ways. To which it doesn't appear to work, also tried the same but for a host inside to connect to a web server in the dmz.</P><P></P><P>Everytime I run the packet trace wizard in the ASDM it is almost like the ACL rules and not being picked up and am told that the implicit deny is causing the packet to be dropped?</P><P></P><P>I have tried many combinations of nat exemptions and acl rules</P><P></P><P>Any ideas?</P><P></P><P> </P><P></P> Mon, 11 Mar 2019 14:50:12 GMT https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208232#M876441 asecisco1 2019-03-11T14:50:12Z https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208233#M876442 <HTML><HEAD></HEAD><BODY><P>Why do you have 3 ACL's applied to the inside interface and 2 applied to the DMZ?</P><P></P><P>access-group Core_access_in_1 in interface Core control-plane</P><P>access-group outside-in-acl in interface Core</P><P>access-group Core_access_out out interface Core</P><P>access-group outside-in-acl in interface DMZ</P><P>access-group DMZ_access_out out interface DMZ</P></BODY></HTML> Fri, 13 Feb 2009 16:13:17 GMT https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208233#M876442 eddie.mitchell 2009-02-13T16:13:17Z https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208234#M876443 <HTML><HEAD></HEAD><BODY><P>I believe the ASDM created them the first time I used it.</P></BODY></HTML> Fri, 13 Feb 2009 16:16:06 GMT https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208234#M876443 asecisco1 2009-02-13T16:16:06Z https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208235#M876444 <HTML><HEAD></HEAD><BODY><P>Verify your NAT rule or turn off the NATing from inside to DMZ.</P></BODY></HTML> Fri, 13 Feb 2009 22:43:11 GMT https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208235#M876444 boots 2009-02-13T22:43:11Z https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208236#M876445 <HTML><HEAD></HEAD><BODY><P>I have added a nat exmeption rule and tried specifying both explicit source and destinations ip addresses of the hosts as well as any any but still doesn't seem to route.</P></BODY></HTML> Mon, 16 Feb 2009 08:48:19 GMT https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208236#M876445 asecisco1 2009-02-16T08:48:19Z https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208237#M876446 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I belive the problem is with ACL "outside-in-acl". This has been applied to both the DMZ and Core interfaces. So you need to allow icmp echo and icmp echo-reply on this ACL ie</P><P></P><P>access-list outside-in-acl extended permit icmp any any echo</P><P>access-list outside-in-acl extended permit icmp any any echo-reply</P><P></P><P>Please try adding and let us know the result.</P><P></P><P></P><P>Regards</P></BODY></HTML> Mon, 16 Feb 2009 12:51:32 GMT https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208237#M876446 JamesLuther 2009-02-16T12:51:32Z https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208238#M876447 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I've tried to add that rule to any and all access-lists just in case and still get the same result.</P><P></P><P>If I used the built in packet inspection tool it seems that the implicit deny deny is causing the packet to be dropped.</P><P></P><P>I have also tried to follow the information on <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml</A></P><P></P><P>and still seem to end up with the same result.</P><P></P><P>Have you got any other sugesstions you could help with?</P></BODY></HTML> Mon, 16 Feb 2009 14:10:38 GMT https://community.cisco.com/t5/network-security/routing-problem-with-asa5520/m-p/1208238#M876447 asecisco1 2009-02-16T14:10:38Z