02-01-2014 04:52 AM - edited 03-11-2019 08:38 PM
Hi, can someone help me with configuring an ACL on an ASA 5055?
I have an inside network, an outside network and a third network. Any time I try to make a connection between two hosts in the inside network with the firewall's packet tracer I get this (see the image). Can someone tell me why I am getting that (message dropped)?
02-01-2014 08:17 AM
Without seeing your configuration, I assume that your inside subnet is a /24. If so, packets that are on the same subnet will never pass through the ASA, as this traffic is handled only by switches. If the ASA sees this type of traffic it will assume it is a spoofed packet and it will be dropped. So this is completely normal behavior.
Now if these networks are on different subnets (i.e. they are on a /28 network, for example) then there might be a configuration problem. If this is the case please post a full sanitised running config of your ASA so we can help you further.
--
Please remember to rate and select a correct answer
02-02-2014 02:07 AM
I have 3 networks:
1- the main network to protect (inside): IP 192.168.23.0/25
2- the outside network (internet): IP 192.168.1.254/24
3- another network to connect with: IP 10.66.0.200/27
For example, with this configuration, when I send an HTTP packet from 192.168.23.23 to 192.168.23.33 it is dropped?
PS: I created a rule to permit HTTP from any to any on inside.
02-02-2014 02:29 AM
For example, with this configuration, when I send an HTTP packet from 192.168.23.23 to 192.168.23.33 it is dropped?
This traffic will never hit the ASA; this is most likely an issue either with the host machines themselves or perhaps a misconfiguration of the switch between them.
Are these Windows machines? If so, have you tried disabling the Windows firewall and testing to see if traffic is permitted then? Perhaps there is antivirus software installed on them that has a built-in firewall that is blocking traffic. I have had some cases (especially with McAfee) where this is the case.
--
Please remember to rate and select a correct answer
02-01-2014 07:31 PM
Hello.
As Marius said, traffic on the same subnet should never reach the firewall, but if they were on different subnets you would need a U-turn.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
02-02-2014 10:11 PM
Hello,
192.168.23.23 to 192.168.23.33 it is dropped?
No, they are on the same subnet, so the firewall should not see that traffic.
In fact, if you do a capture on the ASA itself while you generate the traffic you should not capture any data.
Traffic within the same subnet should be L2 switched only.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
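To make the point of the replies above concrete, here is a small added example (not from the thread or from Cisco) that takes the three subnets the original poster listed and predicts, for a given source and destination, whether the ASA would ever see the packet: same connected subnet (L2 switched, so a packet-tracer drop is expected), different interfaces (routed, ACL applies), or same interface but different subnets (the U-turn case Julio mentions). The interface names and the extra 192.168.24.0/24 behind a router on the inside are assumptions made for this example.

```python
import ipaddress

# Interface subnets derived from the three networks posted in the thread.
# The interface names and the extra 192.168.24.0/24 routed behind the inside
# interface (used only to show the U-turn case) are assumptions for this example.
ASA_INTERFACES = {
    "inside": [
        ipaddress.ip_interface("192.168.23.0/25").network,
        ipaddress.ip_network("192.168.24.0/24"),  # assumed, reached via an inside router
    ],
    "outside": [ipaddress.ip_interface("192.168.1.254/24").network],
    "third": [ipaddress.ip_interface("10.66.0.200/27").network],  # 10.66.0.192/27
}


def locate(host, interfaces=ASA_INTERFACES):
    """Return (interface name, subnet) containing host, or (None, None)."""
    ip = ipaddress.ip_address(host)
    for name, nets in interfaces.items():
        for net in nets:
            if ip in net:
                return name, net
    return None, None


def classify_flow(src, dst, interfaces=ASA_INTERFACES):
    """Predict how a src -> dst packet relates to the ASA.

    "l2-switched" - same connected subnet: hosts talk directly through the
                    switch, the ASA never sees the packet (packet-tracer drop
                    is the expected result, not an ACL problem)
    "routed"      - different interfaces: the ACL on the ingress interface applies
    "u-turn"      - same interface, different subnets: traffic enters and leaves
                    the same interface, which the ASA only allows with
                    'same-security-traffic permit intra-interface'
    "unknown"     - an address is in none of the configured networks
    """
    src_if, src_net = locate(src, interfaces)
    dst_if, dst_net = locate(dst, interfaces)
    if src_if is None or dst_if is None:
        return "unknown"
    if src_net == dst_net:
        return "l2-switched"
    if src_if == dst_if:
        return "u-turn"
    return "routed"


if __name__ == "__main__":
    for src, dst in [("192.168.23.23", "192.168.23.33"), ("192.168.23.23", "10.66.0.210")]:
        print(f"{src} -> {dst}: {classify_flow(src, dst)}")
```

Running it for the poster's own test pair (192.168.23.23 to 192.168.23.33) reports "l2-switched", which is why the ASA capture stays empty and packet-tracer drops the packet.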