Re: ASA routing between two interfaces not working

ed3 · ‎11-01-2018

Ok, this is my first venture to the cisco boards to ask a question.

I have an issue where I have 2 subinterfaces on an ASA with the same security level (100) and same-security-traffic permit inter-interface, same-security-traffic permit intra-interface both configured.

There is a NAT entry for the above:

nat (default_dhcp,inside) source static net-default_dhcp net-default_dhcp destination static net-itservers net-itservers

default_dhcp is the interface name with net-default_dhcp as the network object on that interface

inside is the interface with net-itservers.

however, net-itservers can ping and get a general response from net-default_dhcp but not the other way round although I cannot see anything in the config that would be uni-directional regarding these two network object or the interfaces they reside on.

I also have a secondary issue whereby the net-grp-fortiSSL (SSL clients from an external 3rd party firewall using the same tunnel as net-grp-ielmk and net-grp-uklon use) cannot gain access to either of the subnets above, I'm gathering that the two issues may be related.

Any suggestions?

Thanks in advance

ed3

Dennis Mink · ‎11-02-2018

Run the packet tracer tool in ASDM to see if the packet is getting permitted.it will check ACLs, NAT and routes.

Please remember to rate useful posts, by clicking on the stars below.

mkazam001 · ‎11-03-2018

Or from the CLI:

packet tracer input deafult_dhcp tcp IP-A 12345 IP-B 80 det
where IP-A is from object net-default_dhcp
& IP-B is from object net-itservers

You only need this command as they are 2 different interfaces:

same-security-traffic permit inter-interface

If you have any ACLs, they will override the security-levels.

You can check with sh run access-group cmd.

Regards,

Azam