04-25-2018 10:08 AM
Hello,
Our core switch routes all traffic to our Cisco ASA 5520. We have point of sale stations that are being set up for credit card transactions. In order to complete that setup, our workstations need to be able to communicate with two addresses: 63.111.40.6 and 209.235.25.1. When I do a traceroute from the point of sale, it recognizes the first hop, which is a VLAN interface on our core, but then times out.
Can someone confirm that means the traffic is being dropped at the ASA and not the core?
What permit statements would I need to configure on the ASA? Below are commands that I've tried to no avail:
access-list inside_access_in remark permit for Hort POS to access TPOSN
access-list inside_access_in extended permit ip any object-group TPOSN_ALLOW
access-list inside_access_in extended permit tcp any object-group TPOSN_ALLOW
access-list outside_access_in remark allow TPOSN to talk to Hort POS
access-list outside_access_in extended permit ip object-group TPOSN_ALLOW object-group HORT_POS
access-list outside_access_in extended permit tcp object-group TPOSN_ALLOW object-group HORT_POS
TPOSN_ALLOW is an object group that represents 63.111.40.6 and 209.235.25.1
HORT_POS is an object group that represents the Point of Sale stations
Any assistance is appreciated. I am pretty green when it comes to configuring Cisco security appliances.
Thanks,
Tony
04-25-2018 11:00 AM
capture asp type asp-drop
then check the capture with the command
show capture asp
to check and see if your traffic to host 63.111.40.6 or 209.235.25.1 is getting dropped.
You can also run
packet-tracer input <insert interface inside nameif> tcp 10.10.10.10 22 63.111.40.6 22 detail
to check and see if the traffic is allowed or dropped by the ACL / NAT.
PS: Please replace 10.10.10.10 with your inside host IP address.
You are looking for something like this at the end:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
04-25-2018 12:49 PM
Hello,
These are the results from the first commands:
accasa# capture asp type asp-drop
accasa# show capture asp
0 packet captured
0 packet shown
accasa#
These are the results from the packet-tracer commands:
packet-tracer input inside tcp 10.30.144.6 22 63.111.40.6 22 detail
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
packet-tracer input outside tcp 10.30.144.6 22 63.111.40.6 22 detail
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
04-25-2018 08:12 PM
Try the private IP as destination instead of the public IP in the second packet tracer.
04-26-2018 05:09 AM
packet-tracer input outside tcp 10.30.144.6 22 63.111.40.6 22 detail
This will fail because the source address 10.30.144.6 belongs to the inside network, while the command says the traffic originates from outside. You can try it by reversing the IP addresses:
packet-tracer input outside tcp 63.111.40.6 22 10.30.144.6 22 detail
Another thing you can try is the capture command on the inside interface and also on the outside interface:
capture CapInside interface inside match ip any host 63.111.40.6
capture CapOutside interface outside match ip host 63.111.40.6 any
Then initiate traffic from the client and check the captures:
show capture CapInside
show capture CapOutside
Do you see traffic headed out on CapInside? If yes, then the issue is not the core; if there is no traffic, then it's the core or the client. If traffic is coming back from the remote IP, then the issue is not within the ASA.
Do you see traffic going out on CapOutside to the remote IP? Do you see a response coming back from the remote IP? If traffic is going out but not coming back, then the issue is at the remote site; if traffic is coming back but not making it to CapInside, then the issue is on the ASA.
You may have to repeat the capture for your other public IP.
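The two checks the thread works through, reading the final Result block of packet-tracer (posts 2 and 3) and comparing the inside and outside captures to decide whether the core, the ASA, or the remote site is at fault (post 4), can be scripted so the same decision table is applied every time. The following is an added example, not code from Cisco or from anyone in the thread. The packet-tracer samples copy the shapes shown above; the show capture samples are constructed in the ASA's tcpdump-style line format, and the public address 203.0.113.10 is a placeholder for whatever the inside host is translated to on the outside interface (the thread does not state the NAT configuration).

```python
"""Triage helpers for the ASA packet-tracer / capture workflow in the thread above.
Added example, not Cisco's code. Samples are constructed to match the output shapes
the thread shows; the fault-location table follows the last post's reasoning."""
import re

# Constructed sample: the "allow" packet-tracer result from the inside interface.
PT_ALLOW = """\
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
"""

# Constructed sample: the "drop" result from tracing on the outside interface
# with an inside source address, which fails the reverse-path check.
PT_DROP = """\
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""

# Constructed 'show capture' samples (tcpdump-style lines as the ASA prints them).
# Inside: the client retransmits SYNs to the remote host and never gets a reply.
CAP_INSIDE = """\
2 packets captured
   1: 10:02:11.120443 10.30.144.6.51322 > 63.111.40.6.443: S 2811920044:2811920044(0) win 64240
   2: 10:02:14.121001 10.30.144.6.51322 > 63.111.40.6.443: S 2811920044:2811920044(0) win 64240
2 packets shown
"""
# Outside: the same SYNs leave with the (assumed) NAT address; nothing comes back.
CAP_OUTSIDE = """\
2 packets captured
   1: 10:02:11.120512 203.0.113.10.51322 > 63.111.40.6.443: S 2811920044:2811920044(0) win 64240
   2: 10:02:14.121088 203.0.113.10.51322 > 63.111.40.6.443: S 2811920044:2811920044(0) win 64240
2 packets shown
"""

# "key: value" lines; only spaces/tabs are allowed after the colon so that a bare
# "Result:" line does not swallow the following line as its value.
_FIELD = re.compile(r"^(?P<key>[\w-]+):[ \t]*(?P<value>.*?)[ \t]*$", re.M)
_DROP = re.compile(r"^\((?P<code>[^)]+)\)\s*(?P<text>.*)$")
# "src.port > dst.port" as printed for TCP/UDP packets in 'show capture' output.
_FLOW = re.compile(r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+\s*>\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.\d+")


def parse_packet_tracer(text):
    """Parse the final Result block of packet-tracer output.

    Later occurrences of a key overwrite earlier ones, so with full 'detail'
    output (one Result line per phase) the closing block wins.
    drop_code/drop_text are None when the action is allow.
    """
    fields = {m.group("key").lower(): m.group("value") for m in _FIELD.finditer(text)}
    drop_code = drop_text = None
    if "drop-reason" in fields:
        d = _DROP.match(fields["drop-reason"])
        drop_code, drop_text = (d.group("code"), d.group("text")) if d else (None, fields["drop-reason"])
    return {
        "input_interface": fields.get("input-interface"),
        "output_interface": fields.get("output-interface"),
        "action": fields.get("action", "").lower(),
        "drop_code": drop_code,
        "drop_text": drop_text,
    }


def flows_seen(capture_text, client, remote):
    """Return (outbound, inbound): whether client->remote and remote->client
    packets appear in 'show capture' output for the given pair of addresses."""
    outbound = inbound = False
    for m in _FLOW.finditer(capture_text):
        src, dst = m.group("src"), m.group("dst")
        outbound |= (src == client and dst == remote)
        inbound |= (src == remote and dst == client)
    return outbound, inbound


def locate_fault(inside_out, outside_out, outside_back, inside_back):
    """Decision table from the last post: (where to look, why)."""
    if not inside_out:
        return ("core or client", "traffic never reaches the ASA inside interface")
    if not outside_out:
        return ("ASA", "traffic enters but does not leave (check ACL, NAT, route)")
    if not outside_back:
        return ("remote site", "traffic leaves the ASA but nothing comes back")
    if not inside_back:
        return ("ASA", "replies arrive on outside but are not forwarded inside")
    return ("not the ASA", "traffic flows both ways through the firewall")


def triage(cap_inside, cap_outside, client, nat_ip, remote):
    """Combine both captures; the outside capture is matched on the NAT address."""
    inside_out, inside_back = flows_seen(cap_inside, client, remote)
    outside_out, outside_back = flows_seen(cap_outside, nat_ip, remote)
    return locate_fault(inside_out, outside_out, outside_back, inside_back)


if __name__ == "__main__":
    print(parse_packet_tracer(PT_DROP))
    print(triage(CAP_INSIDE, CAP_OUTSIDE, "10.30.144.6", "203.0.113.10", "63.111.40.6"))
```

With the constructed samples the verdict is "remote site": the SYNs are seen leaving on the outside interface and no reply ever arrives, which is consistent with an allow from packet-tracer and an empty asp-drop capture. Paste real output into the two capture strings (and the real translated address in place of the placeholder) to run the same table against a live case.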