Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
620
Views
5
Helpful
5
Replies

5506 Traffic not forwrding.

shoegal2008
Level 1
Level 1

‎06-04-2018 09:10 AM - edited ‎02-21-2020 07:50 AM

Hello,

i have a simple 5506 firewall setup with two interfaces, inside 172.19.0.2/24 and outside 10.10.10.1/24

a partner has their firewall in the outside subnet 10.10.10.100/24

I have one static route to reach my other internal subnets:

route inside 172.19.0.0/16 172.19.0.1

and NAT rules so my traffic to 10.10.10.0/24 is hidden behind the outside interface ip address. for specfic servers i have one-to one NATing.

i can manage the ASDM on a different internal subnet so i know it is routing. the partner can access the servers on my lan without a problem. however when i try to access server 10.10.10.10 (inside to outside) i do not get a reply. i see the reply on the ASDM logs being allowed through the ACL's but when i run a wireshark on my PC there is no traffic reaching my PC.

Any ideas?

Labels:
0 Helpful
5 Replies 5

Jewgeni Uschegow
Level 1
Level 1

‎06-04-2018 12:53 PM

Hi,

 

I can not understand, why you configured the route 

>route inside 172.19.0.0/16 172.19.0.1

 

If I'm not mistaken 172.19.0.0/24 is the subnet from 172.16.0.0/16. I would be configure the inside with ip 172.19.0.2/16.

Can you show your NAT configuration und write please ip from tests pc.

 

Best regards

0 Helpful

shoegal2008
Level 1
Level 1
In response to Jewgeni Uschegow

‎06-05-2018 01:53 AM

Hello, sorry that route was a typo. The firewall is configured with 1 static route is 0.0.0.0 0.0.0.0 172.19.0.1 on the inside

 

the below is my NAT config:

 

nat (Inside,Outside) source static Int_VDI Ext_VDI
nat (Inside,Outside) source static Int_ACS Ext_ACS
!
nat (Inside,Outside) after-auto source dynamic Int_Networks interface

 

Int_VDI 172.19.0.5 , Ext_VDI 10.10.10.5

Int_ACS 172.19.0.6 , Ext_ACS 10.10.10.6

 

Int_Networks 172.19.0.0 255.255.0.0 NATed to outside interface 10.10.10.1

 

0 Helpful

Florin Barhala
Level 6
Level 6
In response to shoegal2008

‎06-05-2018 05:00 AM

Did you add "inspect icmp" in your service policy config?
0 Helpful

shoegal2008
Level 1
Level 1
In response to Florin Barhala

‎06-05-2018 06:34 AM

Yes that is enabled. The partner can ping and access resources from their side but i'm unable to do anything my side. When i try to ping the outside interface of the ASA from the inside i get:

 

Failed to locate egress interface for ICMP from Inside

 

Does this matter?

0 Helpful

Jewgeni Uschegow
Level 1
Level 1
In response to shoegal2008

‎06-05-2018 09:27 AM

Hi,

 

can you show me your ACL on inside and outside?

Did you try to use Packet Tracer?

 

Best regard

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card