Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
481
Views
0
Helpful
4
Replies

ASA inside <----> outside not working

Caue W
Level 1
Level 1

‎06-06-2016 09:07 AM - edited ‎03-12-2019 12:51 AM

Guys, I´m new to ASA FW, Im facing some difficults to get it work correctly.

Issue is, this was moved by customer and he has no documentation at all. All cables everything was disconnected.

Anyway, right now I cabled it like this:

SWITCH  <-------> FIREWALL INSIDE (G0/0 - BVI1) <-----> FIREWALL OUTSIDE (G0/1 -BVI1) <-----> ROUTER INTERNET

Ping tests:

Firewall (BVI1 - 192.168.100.3) - Switch (192.168.100.6) - OK

Firewall - Router (192.168.100.1) - OK

Firewall - Internet (8.8.8.8) - OK

Switch (192.168.100.6) - Firewall (BVI1 - 192.168.100.3) - OK

Switch (192.168.100.6) - Router (192.168.100.1) - Not Working

Switch (192.168.100.6) - Internet (8.8.8.8) - Not working

Router (192.168.100.1) - Firewall (BVI1 - 192.168.100.3) - OK

Router (192.168.100.1) - Switch (192.168.100.6) - Not Working

Router (192.168.100.1) - Internet (8.8.8.8) - OK

Basically inside to outside is not working.

If I remove the firewall and plug the Router on the switch, everything works.

Am I missing something? Configuration is attached.

Thanks!

Labels:
Preview file
4 KB
0 Helpful
4 Replies 4

Francesco Molino
VIP Alumni
VIP Alumni

‎06-06-2016 09:31 AM

Hi

You have some acls thatbare not attached to your interfaces. If you have a look through asdm you will not see acls attached. 

Try to do:

access-group inside_access_in in interface inside 

Access-group outside_access_in in interface outside

Afterwards let's do your ping from switch to router and let me know. 

Sorry, check acl to be sure that names are correct because I'm with my mobile and not able to copy/paste. 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Caue W
Level 1
Level 1
In response to Francesco Molino

‎06-06-2016 10:12 AM

Hello Francesco, how are you?

Thanks for the input!

In fact, I tried to remove just to make sure it wasn´t blocking.

Just configured the access-group back, it still the same, no access from switch to router.

Those are the lines I´ve added (pretty much the same you sent to me):

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

Any ideas?

Also, the firewall is in the middle between switch and router, I´ve no topology, but Im assuming this is the way it should be, right?

Thanks!

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Caue W

‎06-06-2016 11:34 AM

Ok. I'm back on a laptop to have a better view of your config file. Both interfaces have the same security-level. I don't know if this is correct or not.

If the outside security-level has not to be 100 but less then you need to activate the line of outside acl that's deactivated right now.

If security-level are set correctly, you need to add the command same-security-traffic permit inter-interface.

It should works after this change.

Let me know


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Caue W

‎06-08-2016 03:51 PM

Hi,

Does the solution I gave you was fine?

If your problem is solved don't forget to rate answers and mark it at correct answer.

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card