Welcome to Cisco Firewalls Community

Beginner

Allow traffic through ASA

Hello,

Our core switch routes all traffic to our Cisco ASA 5520. We have point of sale stations that are being set up for credit card transactions. In order to complete that setup, our workstations need to be able to communicate with two addresses: 63.111.40.6 and 209.235.25.1. When I do a trace route from the point of sale to one of those addresses, it recognizes the first hop which is a VLAN Interface on our core, but then times out.

Can someone confirm that means the traffic is being dropped at the ASA and not the core?

What permit statements would I need to configure on the ASA? Below are commands that I've tried to no avail:


access-list inside_access_in remark permit for Hort POS to access TPOSN
access-list inside_access_in extended permit ip any object-group TPOSN_ALLOW
access-list inside_access_in extended permit tcp any object-group TPOSN_ALLOW

access-list outside_access_in remark allow TPOSN to talk to Hort POS
access-list outside_access_in extended permit ip object-group TPOSN_ALLOW object-group HORT_POS
access-list outside_access_in extended permit tcp object-group TPOSN_ALLOW object-group HORT_POS

TPOSN_ALLOW is an object group that represents 63.111.40.6 and 209.235.25.1
HORT_POS is an object group that represents the Point of Sale stations

Any assistance is appreciated. I am pretty green when it comes to configuring Cisco security appliances.

Thank you,

Tony

6 Replies

RJI (VIP Advisor)

Re: Allow traffic through ASA

Hi Tony,

Traceroute through the ASA is not permitted by default; this link here explains how to configure it.

HTH

Beginner

Re: Allow traffic through ASA

OK, I enabled it on the ASA, and it now shows as a hop in my tracert output. Beyond that, it times out. I think this reinforces that traffic is being dropped at the ASA. Would you be able to offer any insight on the proper permit statement(s)?

Thank you for your post.

RJI (VIP Advisor)

Re: Allow traffic through ASA

Do you have static NAT defined for each of the POS?

If you enable "debug icmp trace" and then ping one of the destination endpoints, please post the output.

Beginner

Re: Allow traffic through ASA

The POS stations have MAC address reservations on our DHCP server. I ran the debug command and the ping from the ASA. Please let me know if that isn't correct. The POS is 10.30.144.146. Below is the output:

ICMP echo reply from 10.30.144.146 to 10.30.1.1 ID=38631 seq=15526 len=72
ICMP echo request from 10.30.1.1 to 10.30.144.146 ID=38631 seq=15526 len=72
ICMP echo reply from 10.30.144.146 to 10.30.1.1 ID=38631 seq=15526 len=72
ICMP echo request from dmz:10.51.2.210 to inside:accdc3 ID=50182 seq=26560 len=0
ICMP echo request from dmz:10.51.2.210 to inside:auburn-dc2 ID=11283 seq=26561 len=0
ICMP echo reply from inside:accdc3 to dmz:10.51.2.210 ID=50182 seq=26560 len=0
ICMP echo reply from inside:auburn-dc2 to dmz:10.51.2.210 ID=11283 seq=26561 len=0
ICMP echo request from dmz:accdc1 to inside:accdc3 ID=512 seq=16640 len=1
ICMP echo reply from inside:accdc3 to dmz:accdc1 ID=512 seq=16640 len=1
ICMP echo request from dmz:accdc1 to inside:auburn-dc2 ID=512 seq=16896 len=1
ICMP echo reply from inside:auburn-dc2 to dmz:accdc1 ID=512 seq=16896 len=1
ICMP echo request from dmz:accdc1 to inside:10.30.8.20 ID=512 seq=17152 len=1
ICMP echo reply from inside:10.30.8.20 to dmz:accdc1 ID=512 seq=17152 len=1

RJI (VIP Advisor)

Re: Allow traffic through ASA

Thanks, but I was referring to the new destination IP addresses - 63.111.40.6 and 209.235.25. Ping from your POS to those addresses.

I assume you have NAT set up for them?

Beginner

Re: Allow traffic through ASA

Hello,

The new output is below. 10.30.144.146 is the address I am pinging from. I do not have NAT set up for the destination addresses.

asa# debug icmp trace
debug icmp trace enabled at level 1
accasa# ICMP echo request from inside:10.30.144.146 to outside:209.235.25.1 ID=1 seq=226 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30554 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30554 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30556 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30556 len=32
ICMP echo request from inside:10.30.202.16 to outside:209.235.25.1 ID=1 seq=30557 len=32
ICMP echo request from inside:10.30.144.146 to outside:63.111.40.6 ID=1 seq=227 len=32
ICMP echo request from inside:10.30.202.16 to outside:63.111.40.6 ID=1 seq=30558 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30560 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30560 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30562 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30562 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30564 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30564 len=32
ICMP echo request from dmz:10.51.2.210 to inside:accdc3 ID=18671 seq=30902 len=0
ICMP echo request from dmz:10.51.2.210 to inside:auburn-dc2 ID=47704 seq=30903 len=0
ICMP echo reply from inside:accdc3 to dmz:10.51.2.210 ID=18671 seq=30902 len=0
ICMP echo reply from inside:auburn-dc2 to dmz:10.51.2.210 ID=47704 seq=30903 len=0
ICMP echo request from dmz:accexsrv4 to inside:accdc3 ID=768 seq=16837 len=1
ICMP echo reply from inside:accdc3 to dmz:accexsrv4 ID=768 seq=16837 len=1
ICMP echo request from inside:10.30.144.146 to outside:209.235.25.1 ID=1 seq=228 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30566 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30566 len=32
ICMP echo request from inside:10.30.202.16 to outside:209.235.25.1 ID=1 seq=30567 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30569 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30569 len=32
ICMP echo request from inside:10.30.144.146 to outside:63.111.40.6 ID=1 seq=229 len=32
ICMP echo request from inside:10.30.202.16 to outside:63.111.40.6 ID=1 seq=30570 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30572 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30572 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30574 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30574 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30576 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30576 len=32
ICMP echo request from dmz:10.51.2.210 to inside:accdc3 ID=25329 seq=30904 len=0
ICMP echo request from dmz:10.51.2.210 to inside:auburn-dc2 ID=28447 seq=30905 len=0
ICMP echo reply from inside:accdc3 to dmz:10.51.2.210 ID=25329 seq=30904 len=0
ICMP echo reply from inside:auburn-dc2 to dmz:10.51.2.210 ID=28447 seq=30905 len=0
ICMP echo request from inside:10.30.144.146 to outside:209.235.25.1 ID=1 seq=230 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30578 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30578 len=32
ICMP echo request from inside:10.30.202.16 to outside:209.235.25.1 ID=1 seq=30579 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30581 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30581 len=32
ICMP echo request from inside:10.30.144.146 to outside:63.111.40.6 ID=1 seq=231 len=32
ICMP echo request from inside:10.30.202.16 to outside:63.111.40.6 ID=1 seq=30582 len=32
ICMP echo request from dmz:accexsrv4 to inside:accdc3 ID=768 seq=17093 len=1
ICMP echo reply from inside:accdc3 to dmz:accexsrv4 ID=768 seq=17093 len=1
ICMP echo request from dmz:accexsrv4 to inside:accdc3 ID=768 seq=17349 len=1
ICMP echo reply from inside:accdc3 to dmz:accexsrv4 ID=768 seq=17349 len=1
ICMP echo request from dmz:accexsrv4 to inside:accdc3 ID=768 seq=17605 len=1
ICMP echo reply from inside:accdc3 to dmz:accexsrv4 ID=768 seq=17605 len=1
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30584 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30584 len=32
ICMP echo request from dmz:accdc1 to inside:auburn-dc2 ID=512 seq=28682 len=1
ICMP echo reply from inside:auburn-dc2 to dmz:accdc1 ID=512 seq=28682 len=1
ICMP echo request from dmz:accdc1 to inside:auburn-dc2 ID=512 seq=28938 len=1
ICMP echo reply from inside:auburn-dc2 to dmz:accdc1 ID=512 seq=28938 len=1
ICMP echo request from dmz:accdc1 to inside:10.30.8.20 ID=512 seq=29194 len=1
ICMP echo reply from inside:10.30.8.20 to dmz:accdc1 ID=512 seq=29194 len=1
ICMP echo request from dmz:accexsrv4 to inside:10.30.8.20 ID=768 seq=17861 len=1
ICMP echo reply from inside:10.30.8.20 to dmz:accexsrv4 ID=768 seq=17861 len=1
ICMP echo request from dmz:accexsrv4 to inside:accdc3 ID=768 seq=18117 len=1
ICMP echo reply from inside:accdc3 to dmz:accexsrv4 ID=768 seq=18117 len=1
ICMP echo request from dmz:accexsrv4 to inside:auburn-dc2 ID=768 seq=18373 len=1
ICMP echo reply from inside:auburn-dc2 to dmz:accexsrv4 ID=768 seq=18373 len=1
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30586 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30586 len=32
ICMP echo request from dmz:10.51.2.210 to inside:accdc3 ID=25433 seq=30906 len=0
ICMP echo request from dmz:10.51.2.210 to inside:auburn-dc2 ID=5192 seq=30907 len=0
ICMP echo reply from inside:accdc3 to dmz:10.51.2.210 ID=25433 seq=30906 len=0
ICMP echo reply from inside:auburn-dc2 to dmz:10.51.2.210 ID=5192 seq=30907 len=0
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30587 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30587 len=32
ICMP echo request from inside:10.30.144.146 to outside:209.235.25.1 ID=1 seq=232 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30589 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30589 len=32
ICMP echo request from dmz:accdc1 to inside:auburn-dc2 ID=512 seq=29450 len=32
ICMP echo reply from inside:auburn-dc2 to dmz:accdc1 ID=512 seq=29450 len=32
ICMP echo request from dmz:accdc1 to inside:10.30.8.20 ID=512 seq=29706 len=32
ICMP echo reply from inside:10.30.8.20 to dmz:accdc1 ID=512 seq=29706 len=32
ICMP echo request from inside:10.30.202.16 to outside:209.235.25.1 ID=1 seq=30591 len=32
ICMP echo request from inside:10.30.144.146 to outside:63.111.40.6 ID=1 seq=233 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30593 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30593 len=32
ICMP echo request from inside:10.30.202.16 to outside:63.111.40.6 ID=1 seq=30594 len=32
ICMP echo request from dmz:accdc1 to inside:auburn-dc2 ID=512 seq=29962 len=1
ICMP echo reply from inside:auburn-dc2 to dmz:accdc1 ID=512 seq=29962 len=1
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30595 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30595 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30598 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30598 len=32
ICMP echo request from dmz:10.51.2.210 to inside:accdc3 ID=56307 seq=30908 len=0
ICMP echo request from dmz:10.51.2.210 to inside:auburn-dc2 ID=15525 seq=30909 len=0
ICMP echo reply from inside:accdc3 to dmz:10.51.2.210 ID=56307 seq=30908 len=0
ICMP echo reply from inside:auburn-dc2 to dmz:10.51.2.210 ID=15525 seq=30909 len=0
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30599 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30599 len=32
ICMP echo request from inside:10.30.144.146 to outside:209.235.25.1 ID=1 seq=234 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30602 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30602 len=32
ICMP echo request from inside:10.30.202.16 to outside:209.235.25.1 ID=1 seq=30603 len=32
ICMP echo request from inside:10.30.144.146 to outside:63.111.40.6 ID=1 seq=235 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30605 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30605 len=32
ICMP echo request from inside:10.30.202.16 to outside:63.111.40.6 ID=1 seq=30606 len=32
ICMP echo request from dmz:accdc1 to inside:10.30.8.20 ID=512 seq=30218 len=1
ICMP echo reply from inside:10.30.8.20 to dmz:accdc1 ID=512 seq=30218 len=1
ICMP echo request from dmz:accdc1 to inside:auburn-dc2 ID=512 seq=30474 len=1
ICMP echo reply from inside:auburn-dc2 to dmz:accdc1 ID=512 seq=30474 len=1
ICMP echo request from dmz:accdc1 to inside:accdc3 ID=512 seq=30730 len=1
ICMP echo reply from inside:accdc3 to dmz:accdc1 ID=512 seq=30730 len=1
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30607 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30607 len=32
ICMP echo request from dmz:accexsrv4 to inside:auburn-dc2 ID=768 seq=18629 len=1
ICMP echo reply from inside:auburn-dc2 to dmz:accexsrv4 ID=768 seq=18629 len=1
ICMP echo request from dmz:accexsrv4 to inside:accdc3 ID=768 seq=18885 len=1
ICMP echo reply from inside:accdc3 to dmz:accexsrv4 ID=768 seq=18885 len=1
ICMP echo request from dmz:accexsrv4 to inside:10.30.8.20 ID=768 seq=19141 len=1
ICMP echo reply from inside:10.30.8.20 to dmz:accexsrv4 ID=768 seq=19141 len=1
ICMP echo request from dmz:accdc1 to inside:accdc3 ID=512 seq=30986 len=1
ICMP echo reply from inside:accdc3 to dmz:accdc1 ID=512 seq=30986 len=1
ICMP echo request from dmz:accdc1 to inside:auburn-dc2 ID=512 seq=31242 len=1
ICMP echo reply from inside:auburn-dc2 to dmz:accdc1 ID=512 seq=31242 len=1
ICMP echo request from dmz:accdc1 to inside:10.30.8.20 ID=512 seq=31498 len=1
ICMP echo reply from inside:10.30.8.20 to dmz:accdc1 ID=512 seq=31498 len=1
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30610 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30610 len=32
ICMP echo request from dmz:10.51.2.210 to inside:accdc3 ID=8534 seq=30910 len=0
ICMP echo request from dmz:10.51.2.210 to inside:auburn-dc2 ID=43030 seq=30911 len=0
ICMP echo reply from inside:accdc3 to dmz:10.51.2.210 ID=8534 seq=30910 len=0
ICMP echo reply from inside:auburn-dc2 to dmz:10.51.2.210 ID=43030 seq=30911 len=0
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30611 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30611 len=32
ICMP echo request from inside:10.30.144.146 to outside:209.235.25.1 ID=1 seq=236 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30613 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30613 len=32
ICMP echo request from inside:10.30.202.16 to outside:209.235.25.1 ID=1 seq=30615 len=32
ICMP echo request from inside:10.30.144.146 to outside:63.111.40.6 ID=1 seq=237 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30616 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30616 len=32
ICMP echo request from inside:10.30.202.16 to outside:63.111.40.6 ID=1 seq=30618 len=32
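
As an added diagnostic helper (not from this thread or from Cisco), the Python below parses `debug icmp trace` lines in the format shown above, pairs each echo request with its reply by ID and sequence number, and reports destinations that never answer together with outbound requests whose private source left the outside interface untranslated, which is the pattern the output above shows for 10.30.144.146. The sample lines are constructed from the format of the thread's output; the interface names `inside`/`outside` are assumed from it.

```python
import ipaddress
import re
from collections import defaultdict

# Matches both line forms seen in "debug icmp trace" output: with interface
# prefixes ("inside:10.30.144.146") and without them ("10.30.202.16").
LINE_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from (?:\w+:)?(?P<src>\S+) "
    r"to (?:(?P<dif>\w+):)?(?P<dst>\S+) ID=(?P<id>\d+) seq=(?P<seq>\d+)"
)

# Constructed sample in the same format as the thread's debug output.
SAMPLE = """\
ICMP echo request from inside:10.30.144.146 to outside:209.235.25.1 ID=1 seq=226 len=32
ICMP echo request from 10.30.202.16 to 10.30.1.1 ID=1 seq=30554 len=32
ICMP echo reply from 10.30.1.1 to 10.30.202.16 ID=1 seq=30554 len=32
ICMP echo request from inside:10.30.144.146 to outside:63.111.40.6 ID=1 seq=227 len=32
ICMP echo request from dmz:10.51.2.210 to inside:accdc3 ID=18671 seq=30902 len=0
ICMP echo reply from inside:accdc3 to dmz:10.51.2.210 ID=18671 seq=30902 len=0
"""

def is_private(addr):
    """True for an RFC 1918 / non-global address; hostnames return False."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False

def analyse(text):
    """Return (unanswered, untranslated): requests per destination that got
    no reply, and outbound requests whose private source left untranslated."""
    requests, unanswered, untranslated = {}, defaultdict(int), []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["kind"] == "request":
            requests[(m["src"], m["dst"], m["id"], m["seq"])] = m
        else:
            # A reply answers the request with the endpoints swapped.
            requests.pop((m["dst"], m["src"], m["id"], m["seq"]), None)
    for (src, dst, _, seq), m in requests.items():
        unanswered[dst] += 1
        # No "translating" line and a private source on the outside
        # interface means the packet left with its inside address.
        if m["dif"] == "outside" and is_private(src):
            untranslated.append((src, dst, int(seq)))
    return dict(unanswered), untranslated
```

Run it over the full captured output to see which destinations never reply and whether every outbound request from the POS address appears without a NAT translation.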
