Problem with traffic flow between interfaces on ASA 5520

Dave Kozlowski
Level 1

I have an ASA 5520 inside a DMZ.

On the internal interface to my lab I see HITS on the interface Access Rules, which are set to ANY-ANY.

On the external interface to the Production ASA I see very few HITS, with the same access rules (ANY-ANY).

Both sets of rules pass packet tracing.

On my LAB switch that connects the internal interface I can ping the Production ASA internal interface.  

So there seems to be some traffic passing.

Any type of help is appreciated.

3 Replies

Pedro Lereno
Level 1

Hi,

If from inside your lab you can ping the internal interface of the Production ASA, you must have a rule on this ASA that permits ICMP echo messages from your lab (DMZ) to this interface (high security zone).

Could you explain what you need to access that is not working? If possible, include part of the configuration of both ASAs.

Best regards,

Pedro Lereno

Pedro, 

I am trying to get systems inside the DMZ connected to the internet. From a server inside the net I can get to my internal DMZ network, can ping the internal interface of the production ASA, but can ping outside. Example: 8.8.8.8 (Google). Also, within a Windows server the network map won't go past the network. It goes red for the internet flow.

I will see if adding ICMP echo to my rules on my ASA does anything.

Thanks, and I will keep you posted.

Dave

Hi Dave,

Does the Lab ASA have a default route to the Production ASA to reach the internet?

Do you have NAT on the Lab ASA?

Does the Production ASA have a route to the lab network (assuming the Lab ASA is working in routed mode and not bridged)?

Regards,

Pedro Lereno
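The three checks in the reply above (default route on the Lab ASA, NAT on the Lab ASA, return route on the Production ASA) map onto a handful of ASA configuration lines. The following is an added example, not configuration from either poster's ASA; it assumes the Lab ASA runs in routed mode on software 8.3 or later, and every interface name and address is a constructed placeholder (RFC 5737 documentation ranges) that must be replaced with the real values.

```text
! ===== Lab ASA (the ASA 5520 inside the DMZ), constructed placeholders =====
! "outside" faces the Production ASA DMZ interface at 192.0.2.1; the Lab ASA
! itself is 192.0.2.2 on that segment. "inside" holds the lab network.
! 1) Default route: send everything the Lab ASA does not know about to the
!    Production ASA. Without this, 8.8.8.8 has no path and the packet is dropped.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! 2a) Option A: NAT lab hosts behind the Lab ASA's outside interface address.
!     Then the Production ASA only ever sees 192.0.2.2 as the source and needs
!     no route back to 198.51.100.0/24.
object network LAB-NET
 subnet 198.51.100.0 255.255.255.0
 nat (inside,outside) dynamic interface

! ICMP is not a stateful protocol by default on the ASA; enabling ICMP
! inspection lets echo replies return through the firewall so pings to the
! internet succeed instead of timing out.
policy-map global_policy
 class inspection_default
  inspect icmp

! ===== Production ASA, constructed placeholders =====
! 2b) Option B (only if the Lab ASA does NOT NAT): the Production ASA must
!     know how to reach the lab network, via the Lab ASA's outside address.
route dmz 198.51.100.0 255.255.255.0 192.0.2.2 1

! 3) The Production ASA still has to translate DMZ-sourced traffic to its own
!    public side, otherwise the lab (or 192.0.2.x) addresses leave untranslated.
object network DMZ-SEGMENT
 subnet 192.0.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface

! ===== Verification on the Lab ASA =====
show route
show nat
! packet-tracer with a real destination exposes which check fails (route, NAT,
! or ACL) at the exact phase, which plain hit counters on the ACL do not.
packet-tracer input inside icmp 198.51.100.10 8 0 8.8.8.8
```

Pick either Option A or Option B, not both: if the Lab ASA translates to its outside address, a return route for 198.51.100.0/24 on the Production ASA is unnecessary, and if it does not translate, that route is mandatory or replies from the Production ASA will be dropped as unroutable.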