some trouble in configuring acl

yokaso007
Level 1

Hi, can someone help me in configuring an ACL on an ASA 5055?

I have an inside network, an outside network and a third network. Any time I try to make a connection between two hosts in the inside network with the firewall's Packet Tracer I get this (see the image). Can someone tell me why I am getting that (message dropped)? [attached image: why i get this.JPG]

5 Replies

Without seeing your configuration, I assume that your inside subnet is a /24. If so, packets that are on the same subnet will never pass through the ASA, as this traffic is handled only by switches. If the ASA sees this type of traffic it will assume it is a spoofed packet and it will be dropped. So this is completely normal behavior.

Now if these networks are on different subnets (i.e. they are on a /28 network, for example) then there might be a configuration problem. If this is the case please post a full sanitised running config of your ASA so we can help you further.

--
Please remember to rate and select a correct answer

I have 3 networks:

1- the main network to protect (inside): IP 192.168.23.0/25

2- the outside network (internet): IP 192.168.1.254/24

3- another network to connect with: IP 10.66.0.200/27

For example, with this configuration, when I send an HTTP packet from 192.168.23.23 to 192.168.23.33 it is dropped.

PS, I created a rule to permit HTTP from any to any on inside.

"For example, with this configuration, when I send an HTTP packet from 192.168.23.23 to 192.168.23.33 it is dropped."

This traffic will never hit the ASA; this is most likely an issue either with the host machines themselves or perhaps a misconfiguration of the switch between them.

Are these Windows machines? If so, have you tried disabling the Windows firewall and testing to see if traffic is permitted then? Perhaps there is antivirus software installed on them that has a built-in firewall that is blocking traffic. I have had some cases (especially with McAfee) where this is the case.

--
Please remember to rate and select a correct answer

Julio Carvajal
VIP Alumni

Hello.

As Marius said, traffic on the same subnet should never reach the firewall, but if they were on different subnets or you need a U-turn:

  • same security permit intra-interface
  • If an ACL is configured on the Inside, allow the traffic there
  • Before 8.3, regularly a Global NAT

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio Carvajal
VIP Alumni

Hello,

"192.168.23.23 to 192.168.23.33 it is dropped."

No, they are on the same subnet so the firewall should not see that traffic.

In fact if you do a capture on the ASA itself while you generate the traffic you should not capture any data.

Traffic within the same subnet should be L2 switched only.

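The three items in Julio's first reply (intra-interface permit, ACL on inside, pre-8.3 NAT) and the capture check in his second reply, written out as ASA CLI. This is an added example, not configuration posted by anyone in the thread. It assumes the U-turn case Julio describes: two different subnets reachable through the inside interface, here the OP's 192.168.23.0/25 plus a hypothetical 192.168.24.0/24 behind an internal router, and a hypothetical ACL name inside_access_in. The packet-tracer line at the end uses the OP's own two addresses, so on a correctly working ASA it is the case Marius describes (same-subnet traffic the firewall should never see), which is why the capture before it stays empty.

```cisco
! --- U-turn (hairpin) on the inside interface ---
! Without this, the ASA drops any packet that would enter and leave the same
! interface, regardless of what the ACL says.
same-security-traffic permit intra-interface

! If an ACL is applied inbound on inside, it also governs the hairpinned
! traffic, so permit the two subnets to each other explicitly rather than
! relying on "any to any" (hypothetical subnets and ACL name).
access-list inside_access_in extended permit tcp 192.168.23.0 255.255.255.128 192.168.24.0 255.255.255.0 eq www
access-list inside_access_in extended permit tcp 192.168.24.0 255.255.255.0 192.168.23.0 255.255.255.128 eq www
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside

! Pre-8.3 only: a translation is required for inside-to-inside traffic,
! so give the hairpinned flows an identity-style NAT on the same interface.
! (8.3 and later have no nat-control, so this pair is not needed there.)
nat (inside) 1 0.0.0.0 0.0.0.0
global (inside) 1 interface

! --- Verification ---
! Capture what actually arrives on inside between the OP's two hosts.
! Same-subnet traffic is L2 switched, so this capture is expected to stay empty.
capture hairpin interface inside match tcp host 192.168.23.23 host 192.168.23.33
show capture hairpin
no capture hairpin

! Simulate the flow through the policy; the "Phase" output names the
! step (ACL, NAT, intra-interface check) that drops it, if any.
packet-tracer input inside tcp 192.168.23.23 1025 192.168.23.33 80 detailed
```

Run packet-tracer twice: once with the OP's two same-subnet addresses (expect a drop that the real network never produces, since the switch forwards that traffic directly) and once with a host in each of the two different subnets, where a drop points at the phase that still needs fixing. Keep the trailing `deny ip any any log` so unexpected inside-to-inside flows show up in syslog instead of passing silently.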