ASA 5516 No Internal Network Access

ricsysadmin
Level 1

Good morning,

I have two 5516-X's in place at one of our remote locations, site C. This site is a failover site. Well, not at the moment, because the site-to-site tunnels do not allow internal network access. Both site A and site B connect to site C, but from either site I cannot access the internal network of site C. There is a new NAS at site C that I can access via HTTP. However, I was only able to access it after enabling DHCP on the ASA. I cannot ping or connect to anything else on the network there. I have purchased a SmartNet contract but have not yet received any information on it from Cisco.

Needless to say, my failover is in jeopardy. Replication is in critical condition. I am at a loss as to what I am missing here.

I have attached the sh IPsec sa and the running-config from the box and would appreciate any and all assistance I receive!

Thank you in advance!!

Stephanie

7 Replies

Maykol Rojas
Cisco Employee

Hello; 

If you are able to access at least one resource from site C, it means the tunnel is fine. Now, if you do a show arp on the ASA, do you see any other devices? Can you ping them? Also, try to do a packet-tracer from a responding host to a host on site A.

packet-tracer input inside tcp x.x.x.x 1025 host b.b.b.b 80

Let's see what we pick up from there.

Mike. 

Mike

Thank you, Maykol, for the response! Show arp brings back the outside gateway and the NAS that I can connect to, no other devices. I have attached the packet tracer.

Thanks again!

Stephanie

Well, this is actually good. Do you know of any other devices that must be up on that subnet?

Prior to trying to ping the devices there that you know are up, can you do a clear arp? Then try to ping the hosts you know are up and do a show arp again.

Mike. 

Mike
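The check Mike describes (show arp, then clear arp, ping the hosts you know are up, show arp again) is easy to misread by eye on a firewall with several interfaces. The Python below is an added example, not code from this thread or from Cisco: it parses two constructed show arp snapshots in the ASA's "interface ip mac age" line format, reports which inside hosts answered ARP after the pings, which expected hosts never showed up (so no layer-2 reply reached the ASA), and whether any IP changed MAC between the snapshots. The interface name, addresses and MACs are made-up assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of ASA "show arp" output taken before and after
# "clear arp" + pinging inside hosts. Addresses and MACs are invented.
ARP_BEFORE = """\
\tinside 192.0.2.20 0050.56aa.0001 120
\toutside 198.51.100.1 0011.2233.4455 3600
"""
ARP_AFTER = """\
\tinside 192.0.2.20 0050.56aa.0001 5
\tinside 192.0.2.30 0050.56aa.0002 2
\toutside 198.51.100.1 0011.2233.4455 3610
"""

# One ASA ARP line: <interface> <ip> <mac> <age>
ARP_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(?P<age>\d+)\s*$"
)


def parse_show_arp(text: str) -> Dict[str, Dict[str, str]]:
    """Return {interface: {ip: mac}}; prompts, banners and blank lines are skipped."""
    table: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table.setdefault(m["iface"], {})[m["ip"]] = m["mac"].lower()
    return table


def arp_entries_gained(before: str, after: str, iface: str) -> Set[str]:
    """IPs that appeared on iface after the pings: the ASA received an ARP reply from them."""
    b = parse_show_arp(before).get(iface, {})
    a = parse_show_arp(after).get(iface, {})
    return set(a) - set(b)


def unreachable_hosts(after: str, iface: str, expected_hosts: List[str]) -> List[str]:
    """Expected hosts with no ARP entry after being pinged: no layer-2 reply reached the ASA."""
    seen = parse_show_arp(after).get(iface, {})
    return [ip for ip in expected_hosts if ip not in seen]


def mac_changes(before: str, after: str, iface: str) -> Dict[str, Tuple[str, str]]:
    """IPs whose MAC differs between snapshots; a moved host, or something else answering ARP."""
    b = parse_show_arp(before).get(iface, {})
    a = parse_show_arp(after).get(iface, {})
    return {ip: (b[ip], a[ip]) for ip in b if ip in a and b[ip] != a[ip]}


if __name__ == "__main__":
    # Hosts the data center confirms are up on the inside subnet (assumed values).
    expected = ["192.0.2.20", "192.0.2.30", "192.0.2.40"]
    print("answered ARP after ping:", sorted(arp_entries_gained(ARP_BEFORE, ARP_AFTER, "inside")))
    print("never answered ARP:", unreachable_hosts(ARP_AFTER, "inside", expected))
    print("MAC changes:", mac_changes(ARP_BEFORE, ARP_AFTER, "inside"))
```

A host that is confirmed up but still absent from the inside ARP table after being pinged narrows the problem to layer 2 between the ASA's inside interface and that host (switch port, VLAN membership, trunking), since the tunnel, routing and NAT never come into play until an ARP reply arrives.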

I am not able to ping anything internally. No servers or switches. I can't even ping the ASA. However, I know they are up because I contacted the data center for confirmation. They are running anyway.

I did a clear arp and then a sh arp and received the same from the device that I had previously.

Thank you

Stephanie

Stephanie; 

Awesome, is this a new site? If you are not able to see the ARP of other devices, then it means that probably something else is preventing the communication.

Well, for troubleshooting you could put a capture in place to see the ASA sending an ARP request for the IP you want to ping, but that would only confirm what we are seeing. The fact that you can ping the NAS makes me believe it is not the ASA.

You not being able to ping the ASA is somewhat normal; there is an extra command that needs to be put on the firewall to allow it.

Mike. 

Mike

It is not a new site, but new ASAs. We put them in, got access to the Internet and came home. The configurations could be made from here. Looks like that is not the case.

Do you have any ideas where to look now? Is there anything I can do to nail down where the problem is?

You are saying it isn't a problem with the configuration of the device, correct? There are no settings that I can change to gain access to the devices internal to the site?

I am new to the ASA world. What I have learned has been by trial.

Thanks

Stephanie

Correct, there is nothing in the configuration that would cause this behavior. All of the things I'm thinking of are directly related to accessing the switch where the firewall is connected.

Cheers; 

MrMike&Watch. 

Mike