topic Re: ASA routing between two interfaces not working in Network Security

ASA routing between two interfaces not working

ed3 — Fri, 21 Feb 2020 16:25:39 GMT

Ok, this is my first venture to the cisco boards to ask a question.

I have an issue where I have 2 subinterfaces on an ASA with the same security level (100) and same-security-traffic permit inter-interface, same-security-traffic permit intra-interface both configured.

There is a NAT entry for the above:

nat (default_dhcp,inside) source static net-default_dhcp net-default_dhcp destination static net-itservers net-itservers

default_dhcp is the interface name with net-default_dhcp as the network object on that interface

inside is the interface with net-itservers.

however, net-itservers can ping and get a general response from net-default_dhcp but not the other way round although I cannot see anything in the config that would be uni-directional regarding these two network object or the interfaces they reside on.

I also have a secondary issue whereby the net-grp-fortiSSL (SSL clients from an external 3rd party firewall using the same tunnel as net-grp-ielmk and net-grp-uklon use) cannot gain access to either of the subnets above, I'm gathering that the two issues may be related.

Any suggestions?

Thanks in advance

ed3

Re: ASA routing between two interfaces not working

Dennis Mink — Fri, 02 Nov 2018 12:40:36 GMT

Run the packet tracer tool in ASDM to see if the packet is getting permitted.it will check ACLs, NAT and routes.

Re: ASA routing between two interfaces not working

mkazam001 — Sat, 03 Nov 2018 19:59:39 GMT

Or from the CLI:

packet tracer input deafult_dhcp tcp IP-A 12345 IP-B 80 det
where IP-A is from object net-default_dhcp
& IP-B is from object net-itservers

You only need this command as they are 2 different interfaces:

same-security-traffic permit inter-interface

If you have any ACLs, they will override the security-levels.

You can check with sh run access-group cmd.

Regards,

Azam