11-30-2020 10:03 PM
Hi everyone.
I am setting up a new Cisco ASA 5516-X and have a problem.
I have the ASA connected to two LANs (no internet connection)
interface inside - 10.50.0.1
interface tun - 10.1.200.18 (point-to-point network between 2 ASAs to route between branches, the next hop is 10.1.200.17)
There is no ping between them.
When I am trying to ping 10.1.200.18 (and everything behind it) I get an error:
r5516# packet-tracer input inside icmp 10.50.0.1 8 0 10.1.20.18

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.200.17 using egress ifc tun

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: tun
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
It seems that my traffic is blocked by the implicit "deny all" rule.
But I sort of have all the ACLs needed though...
!
interface GigabitEthernet1/1.17
 vlan 17
 nameif tun
 security-level 100
 ip address 10.1.200.18 255.255.255.252
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.50.0.1 255.255.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.200.17, tun
C 10.1.200.16 255.255.255.252 is directly connected, tun
L 10.1.200.18 255.255.255.255 is directly connected, tun
...
C 10.50.0.0 255.255.0.0 is directly connected, inside
L 10.50.0.1 255.255.255.255 is directly connected, inside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any tun
icmp permit any echo tun
icmp permit any echo-reply tun
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
# show running-config access-list
access-list outbound extended permit icmp any any
access-group outbound in interface inside
access-group outbound out interface inside
access-group outbound in interface tun
access-group outbound out interface tun
access-group outbound global
I've tried to delete all the ACLs and lower the security level on interface tun - no luck.
I have no NAT since I don't need internet access and all the networks are known between the routers; there are routes...
Thanks in advance for any assistance!
12-01-2020 01:24 AM
You are just testing it in the wrong way (for the inner workings of the ASA). Do a real test from an inside PC, or use packet-tracer with the source IP of an inside PC and not the ASA's inside IP address.
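As an added example (not code from the thread), a small Python parser for the packet-tracer output and interface configuration posted above: it extracts the phases and drop reason, and flags a trace whose source is one of the ASA's own interface addresses, which is the pitfall the answer points out. The sample config and trace are constructed from the text of the thread.

```python
import re

# Constructed sample: the interface section the original poster shared.
RUNNING_CONFIG = """\
interface GigabitEthernet1/1.17
 nameif tun
 ip address 10.1.200.18 255.255.255.252
interface GigabitEthernet1/2
 nameif inside
 ip address 10.50.0.1 255.255.0.0
"""

# Constructed sample: the poster's packet-tracer run, one field per line.
TRACE = """\
packet-tracer input inside icmp 10.50.0.1 8 0 10.1.20.18
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Phase: 4
Type: ACCESS-LIST
Result: DROP
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def interface_addresses(config):
    """Map each nameif to the interface IP from the running-config."""
    addrs, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            addrs[nameif] = line.split()[2]
    return addrs

def parse_trace(trace):
    """Return (source_ip, [(phase, type, result)], drop_reason) from packet-tracer text."""
    src = re.search(r"packet-tracer input \S+ \S+ (\S+)", trace).group(1)
    phases = re.findall(r"Phase: (\d+)\nType: (\S+)\n(?:.*\n)*?Result: (\w+)", trace)
    drop = re.search(r"Drop-reason: (.*)", trace)
    return src, phases, drop.group(1).strip() if drop else None

def assess(trace, config):
    """Flag a trace sourced from an ASA interface address: per the accepted answer,
    that does not model a through-traffic flow from an inside host."""
    src, phases, drop = parse_trace(trace)
    self_sourced = src in interface_addresses(config).values()
    return {"source": src, "phases": phases, "drop_reason": drop, "self_sourced": self_sourced}
```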
12-15-2020 05:43 AM
Karsten, you were right! I just had no physical access to the 'inside' network, so I couldn't try it for real. But when I finally tried to ping outside networks from a real PC, it worked! Thanks a lot!