04-28-2018 05:25 AM - edited 02-21-2020 07:40 AM
I have implemented a new ASA 5506 running 9.9. I have these interfaces:
*interface outside-ip address by dhcp and it's the default route, security=0
*interface inside 1-ip network vlan1 10.0.0.0/24, security=100
*sub interface inside 1.2-ip network vlan2 10.0.1.0/24, security=100
The interfaces are configured to be able to pass traffic when they are the same security level, so interface 1 and 1.2 can ping each other's hosts just fine cross network. Interfaces 1 and 1.2 are not able to SSH or connect to each other's file shares cross network, even though I can ping the hosts from the other subnet.
I have tried adding a blanket ACL on interface 1 and 1.2 of:
'permit any any ip'
to no avail.
I have also tried an ACL for SSH:
'permit any any 22'
on each interface to no avail.
04-30-2018 11:14 AM
I have things figured out.
In using the ASA to connect to multiple networks via the interfaces, asymmetric routing was happening. Traffic was passing through the interfaces and was keeping its original IP addresses and ports on the cross network. I entered some NAT rules for the interfaces when crossing that permitted the source address to use the destination interface address as a dynamic PAT address, but keep the source destination and port. Then the traffic hit the cross network interface and used that interface IP address to talk to the destination. The destination then was able to send back to that interface and cross back to the original network without issue.
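What the accepted answer describes, written out as an added ASA configuration example (not the poster's own running config, which is not on the page); the interface names vlan01/vlan04 and the interface addresses are assumptions, the subnets come from the thread:

```cisco
! Added example, not the poster's actual configuration.
! Assumed: nameif vlan01/vlan04 and the .1 interface addresses.
interface GigabitEthernet1/2
 nameif vlan01
 security-level 100
 ip address 10.2.6.1 255.255.255.0
!
interface GigabitEthernet1/2.4
 vlan 4
 nameif vlan04
 security-level 100
 ip address 10.2.4.1 255.255.255.0
!
! Both interfaces are security-level 100, so forwarding between them needs this
! (it is what lets the ping work in the first place):
same-security-traffic permit inter-interface
!
! The workaround from the accepted answer: translate the source address to the
! egress interface address (dynamic PAT) in each direction, leaving the
! destination address and port untouched, so replies come back via the ASA.
nat (vlan01,vlan04) source dynamic any interface
nat (vlan04,vlan01) source dynamic any interface
!
! Verify an SSH flow is permitted and translated before testing from a host:
! packet-tracer input vlan01 tcp 10.2.6.10 40000 10.2.4.10 22
! show nat detail
```

Note that this PAT hides the real client address from the SSH and file server logs on the far subnet, so audit trails there will only show the ASA interface address. If the hosts' default gateways point at a router other than the ASA, correcting the gateways restores symmetric flows without the translation.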
04-28-2018 12:47 PM
Are you using the FirePOWER module in the ASA5506x?
Could you provide a full running configuration of the ASA (remove any public IPs, usernames and passwords)?
04-30-2018 12:21 AM
04-30-2018 05:40 AM - edited 04-30-2018 11:15 AM
Thank you in advance to anyone taking a look and giving input.
show run:
04-30-2018 06:09 AM
I'm writing this post for clarification. In my 1st post I simplified the issue, and in my config you will see that I have 3 subinterfaces on Gi1/2 (10.2.6.0/24 vlan01):
*2.4 10.2.4.0/24 vlan04
*2.5 10.2.5.0/24 vlan05
*2.11 10.2.140.0 vlan11
From Gi1/2 (from a host on the 10.2.6.0/24 vlan01 network) I can ping hosts cross network, through the ASA, that I want to connect to via SSH or file share. But I cannot connect using SSH via PuTTY (or connect to a file share) cross network through the ASA; I can only ping the device.
04-30-2018 07:58 AM
Could you set up a capture on an interface on the ASA that is going toward a device you are trying to ssh to?
for example:
cap capin interface inside match ip host 10.10.10.1 host 11.11.11.1
replace the interface name and host IPs with relevant information. Then run an SSH test. If you see traffic leaving the ASA interface towards the device you are SSHing to then this issue is most likely either with the device itself not answering SSH or that there is an issue with the network between the ASA and the device.