ASA interface - Traffic on 2 different subnet

Renato Tuveri
Level 1

Hello,

I have an ASA 5515 where an interface is connected to a router with 2 different networks defined 192.168.1.0 - 192.168.168.2.0

The interface configuration is the following:

GigabitEthernet0/0 81.77.10.200 YES manual up up outside
GigabitEthernet0/1 192.168.66.1 YES manual up up inside
GigabitEthernet0/2 192.168.1.238 YES manual up up office
GigabitEthernet0/3 192.168.5.2 YES manual up up vpn

A device on interface 0/2 is able to access 192.168.1.0 traffic but not 192.168.168.2.0

Route rules look as the following:

S* 0.0.0.0 0.0.0.0 [1/0] via 80.71.19.214, outside
C 81.77.10.208 255.255.255.248 is directly connected, outside
L 81.77.10.200 255.255.255.255 is directly connected, outside
C 192.168.5.0 255.255.255.0 is directly connected, vpn
L 192.168.5.2 255.255.255.255 is directly connected, vpn
C 192.168.11.0 255.255.255.0 is directly connected, office
L 192.168.1.238 255.255.255.255 is directly connected, office
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.12.1, office
C 192.168.66.0 255.255.255.0 is directly connected, inside
L 192.168.66.1 255.255.255.255 is directly connected, inside

and if I try to ping any address on 192.168.168.2.0 on the ASA it works:

ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Any help?

Thanks!

5 Replies

Dinesh Moudgil
Cisco Employee

Hello Renato,

Can you please confirm if there are any access-lists applied on the interfaces, since to-the-box traffic and through-the-box traffic are processed differently.

Please share the output of 
show run access-group

Do a traceroute from the firewall to 192.168.2.x, check what all the hops are, and also confirm those hops have a correct route for your subnet.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hello,

show run access-group:


access-group outside_access_in in interface outside
access-group inside_in in interface inside

traceroute 192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

1 192.168.2.1 10 msec 0 msec 0 msec

Thanks,

Renato

Please share the output of 
show ip
show run route
show access-list 

Regards,
Dinesh Moudgil


show ip

Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside ****Pubblic ip*** 255.255.255.248 manual
GigabitEthernet0/1 inside 192.168.66.1 255.255.255.0 manual
GigabitEthernet0/2 office 192.168.1.238 255.255.255.0 manual
GigabitEthernet0/3 vpn 192.168.5.2 255.255.255.0 manual

show run route
route outsideBA 0.0.0.0 0.0.0.0 80.71.19.214 1
route office 192.168.2.0 255.255.255.0 192.168.2.1 1

show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_access_in; 18 elements; name hash: 0x60092435
access-list outside_access_in line 1 remark Allor ssh to BA London
access-list outside_access_in line 2 extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_1 (hitcnt=184) 0x1b0c2864
access-list outside_access_in line 2 extended permit tcp any eq 16022 192.168.66.0 255.255.255.0 eq ssh (hitcnt=1) 0xb9f3a481
access-list outside_access_in line 2 extended permit tcp any eq 16022 host 192.168.66.160 eq ssh (hitcnt=0) 0x3e417c21
access-list outside_access_in line 2 extended permit tcp any 192.168.66.0 255.255.255.0 eq ssh (hitcnt=183) 0x83d4a48a
access-list outside_access_in line 2 extended permit tcp any host 192.168.66.160 eq ssh (hitcnt=0) 0xe8a3c0f7
access-list outside_access_in line 3 remark Allow AIstore Cloud Mirror VPN
access-list outside_access_in line 4 extended permit object 1195-dest any object-group DM_INLINE_NETWORK_2 log notifications interval 300 (hitcnt=1285) 0x3e72a4fc
access-list outside_access_in line 4 extended permit udp any 192.168.66.0 255.255.255.0 eq 1195 log notifications interval 300 (hitcnt=1285) 0x5d0b3fe2
access-list outside_access_in line 4 extended permit udp any host 192.168.66.170 eq 1195 log notifications interval 300 (hitcnt=0) 0xd9fdef26
access-list outside_access_in line 5 extended permit udp any host 192.168.66.170 eq 1195 (hitcnt=0) 0xd9fdef26
access-list outside_access_in line 6 extended permit udp host 192.168.66.170 any eq 1195 (hitcnt=0) 0x32c8ee84
access-list outside_access_in line 7 remark NAT for BA London HTPPS/HTTP/SMTP
access-list outside_access_in line 8 extended permit object-group DM_INLINE_SERVICE_2 any object-group DM_INLINE_NETWORK_3 (hitcnt=3523) 0x7ab78e2b
access-list outside_access_in line 8 extended permit tcp any 192.168.66.0 255.255.255.0 eq www (hitcnt=0) 0x5c9d5b78
access-list outside_access_in line 8 extended permit tcp any host 192.168.66.160 eq www (hitcnt=0) 0xc3c067d0
access-list outside_access_in line 8 extended permit udp any 192.168.66.0 255.255.255.0 eq www (hitcnt=0) 0x61a77cc7
access-list outside_access_in line 8 extended permit udp any host 192.168.66.160 eq www (hitcnt=0) 0xa7c94c8f
access-list outside_access_in line 8 extended permit tcp any 192.168.66.0 255.255.255.0 eq https (hitcnt=3096) 0x5372ab57
access-list outside_access_in line 8 extended permit tcp any host 192.168.66.160 eq https (hitcnt=0) 0x883d395a
access-list outside_access_in line 8 extended permit tcp any 192.168.66.0 255.255.255.0 eq smtp (hitcnt=258) 0x787c50ac
access-list outside_access_in line 8 extended permit tcp any host 192.168.66.160 eq smtp (hitcnt=0) 0x5c6dd0a6

Regards,

Renato

Your route statement points the packets at 192.168.2.1, while the routing output shows the next hop as 192.168.12.1, which is contradictory:

route office 192.168.2.0 255.255.255.0 192.168.2.1 

S 192.168.2.0 255.255.255.0 [1/0] via 192.168.12.1, office

Moreover, why is the next hop for the "office" interface set to 192.168.2.1 (not in the subnet of the interface address, i.e. 192.168.1.238)?

Regards,
Dinesh Moudgil

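The two inconsistencies pointed out in this thread (a static route whose next hop is not on the egress interface's subnet, and a running-config next hop that differs from what the routing table reports) are easy to catch mechanically before they cost a day of troubleshooting. The script below is an added example, not code from the thread or from Cisco. It parses text shaped like the `show ip`, `show run route` and `show route` output posted above; the embedded samples are constructed from that output, with the public addresses replaced by documentation-range addresses (an assumption), and the interface names and the `office` route are the thread's own.

```python
"""Sanity-check ASA static routes against interface subnets and the routing table.

Added example, not code from the thread or from Cisco. It parses text shaped
like the 'show ip', 'show run route' and 'show route' output in the thread
(constructed samples embedded below) and reports (a) routes whose next hop is
not inside the subnet of the egress interface they name and (b) routes whose
configured next hop differs from what the routing table shows.
"""
import ipaddress
import re

# Constructed samples modelled on the thread's output. Public addresses are
# replaced with documentation-range addresses (assumption).
SHOW_IP = """\
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 203.0.113.200 255.255.255.248 manual
GigabitEthernet0/1 inside 192.168.66.1 255.255.255.0 manual
GigabitEthernet0/2 office 192.168.1.238 255.255.255.0 manual
GigabitEthernet0/3 vpn 192.168.5.2 255.255.255.0 manual
"""

SHOW_RUN_ROUTE = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.201 1
route office 192.168.2.0 255.255.255.0 192.168.2.1 1
"""

SHOW_ROUTE = """\
S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.201, outside
C 192.168.1.0 255.255.255.0 is directly connected, office
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.12.1, office
"""

RUN_ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
SHOW_ROUTE_RE = re.compile(r"^S\*?\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)")


def parse_interfaces(text):
    """Map nameif -> IPv4Interface (address plus mask) from 'show ip' output."""
    ifaces = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) >= 5:
            _phys, name, addr, mask = parts[:4]
            ifaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def parse_run_routes(text):
    """Return {(nameif, network): next_hop} from 'show run route' lines."""
    routes = {}
    for line in text.splitlines():
        m = RUN_ROUTE_RE.match(line.strip())
        if m:
            nameif, dest, mask, nh = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes[(nameif, net)] = ipaddress.IPv4Address(nh)
    return routes


def parse_static_table(text):
    """Return {(nameif, network): next_hop} for the 'S' entries of 'show route'."""
    routes = {}
    for line in text.splitlines():
        m = SHOW_ROUTE_RE.match(line.strip())
        if m:
            dest, mask, nh, nameif = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes[(nameif, net)] = ipaddress.IPv4Address(nh)
    return routes


def check_next_hops(ifaces, run_routes):
    """Flag next hops that are not on the egress interface's directly connected subnet."""
    problems = []
    for (nameif, net), nh in run_routes.items():
        iface = ifaces.get(nameif)
        if iface is None:
            problems.append((net, nh, f"no interface named {nameif}"))
        elif nh not in iface.network:
            problems.append((net, nh, f"next hop not in {nameif} subnet {iface.network}"))
        elif net.prefixlen and nh in net:  # skip the default route, where this is normal
            problems.append((net, nh, "next hop lies inside the destination network"))
    return problems


def compare_config_with_table(run_routes, table_routes):
    """Flag static routes whose running-config next hop disagrees with 'show route'."""
    mismatches = []
    for (nameif, net), cfg_nh in run_routes.items():
        table_nh = table_routes.get((nameif, net))
        if table_nh is not None and table_nh != cfg_nh:
            mismatches.append((net, cfg_nh, table_nh))
    return mismatches


def audit(show_ip=SHOW_IP, show_run_route=SHOW_RUN_ROUTE, show_route=SHOW_ROUTE):
    """Run both checks and return (bad_next_hops, config_vs_table_mismatches)."""
    ifaces = parse_interfaces(show_ip)
    run_routes = parse_run_routes(show_run_route)
    table_routes = parse_static_table(show_route)
    return check_next_hops(ifaces, run_routes), compare_config_with_table(run_routes, table_routes)


if __name__ == "__main__":
    bad_hops, mismatches = audit()
    for net, nh, why in bad_hops:
        print(f"route {net} via {nh}: {why}")
    for net, cfg, tbl in mismatches:
        print(f"route {net}: config says {cfg}, routing table says {tbl}")
```

Run against the thread's own values, the first check flags the `office` route because 192.168.2.1 is not inside 192.168.1.0/24, and the second flags that the configured next hop (192.168.2.1) and the routing table's next hop (192.168.12.1) disagree. Either finding explains why the ASA's own pings succeed (to-the-box traffic is handled by the control plane) while hosts behind the `office` interface cannot reach the second subnet: transit traffic depends on an ARP-resolvable next hop on the egress interface.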