2434 Views | 0 Helpful | 12 Replies

ASA version 9.6.4: no traffic between interfaces

rmacapital (Level 1)

Hello,

I have 3 interfaces configured on my ASA version 9 (inside1, inside2, outside).

I can reach the internet from the two interfaces, but I can't reach the inside2 interface from the inside1 interface.

I have this error in the ASDM logs: "Failed to locate egress interface for ICMP from inside1:"

Do you have any idea?

Thank you in advance.

12 Replies

Hi,
Can you please provide the configuration of your ASA? Can you also run packet-tracer and provide the output?
Thanks

Thank you for your quick reply.

This is my configuration:

interface GigabitEthernet0/0
description *** Inside1 ***
nameif inside1
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1
description *** inside2 ***
nameif inside2
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/8
description *** OUTSIDE ***
shutdown
nameif outside
security-level 0
ip address X.X.X.X X.X.X.X
!
interface Management0/0
nameif management
security-level 0
ip address X.X.X.X X.X.X.X
!
ftp mode passive
dns domain-lookup management
dns server-group DefaultDNS
name-server X.X.X.X
domain-name X.X
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network OBJ_Net_192.168.2.1
subnet 192.168.2.0 255.255.255.0
object network OBJ_Net_192.168.3.1
subnet 192.168.3.0 255.255.255.0
access-list acl_inside1 extended permit ip any any
access-list acl_inside1 extended permit icmp any any
access-list acl_inside2 extended permit ip any any
access-list acl_inside2 extended permit icmp any any
access-list outside_access_in extended permit ip any any
pager lines 23
logging enable
logging asdm informational

nat (inside1,inside2) source static OBJ_Net_192.168.2.1 OBJ_Net_192.168.2.1 destination static OBJ_Net_192.168.3.1 OBJ_Net_192.168.3.1

!
object network OBJ_Net_192.168.2.1
nat (inside1,outside) dynamic interface

access-group acl_inside1 in interface inside1
access-group acl_inside2 in interface inside2
access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 X.X.X.X 1


class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection

Thank you for your reply.

You can find my ASA config attached.
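As an added example (not part of this thread and not a Cisco tool), the script below reads a config in the layout pasted above and flags the things a reviewer checks first on an ASA: a nat rule that names a network object which is never defined, a nat rule whose interface pair includes an interface that is shut down or has no nameif, and two interfaces at the same security level without "same-security-traffic permit inter-interface". The constructed SAMPLE_CONFIG mirrors the poster's layout (including the "OBJ_Net_102.168.3.1" name as it was pasted and the shut-down outside interface) but is not their file; the parsing rules and finding texts are assumptions of this example.

```python
"""Lint an ASA running-config for the classes of mistake discussed in this thread.

Added example, not code from the poster or from Cisco. It assumes only the generic
ASA CLI syntax seen above: interface blocks (nameif / security-level / shutdown),
'object network' definitions, twice-NAT lines and object-NAT lines.
SAMPLE_CONFIG is a constructed excerpt in that layout, not the poster's file.
"""
import re
from typing import Dict, List, Optional

NAT_RE = re.compile(r'^nat \((\S+),(\S+)\)\s+(.*)$')
# Sub-commands allowed after an 'interface' line; any other command ends the block.
IFACE_SUBCMDS = ('nameif ', 'security-level ', 'shutdown', 'description ', 'ip address ', 'no ')
NAT_KEYWORDS = {'interface', 'any'}   # legal where an object name would otherwise be


def parse_nat(line: str, enclosing_object: Optional[str]) -> dict:
    """Return the interface pair and the network objects a nat line references."""
    m = NAT_RE.match(line)
    tokens = m.group(3).split()
    objs: List[str] = []
    if 'source' in tokens or 'destination' in tokens:       # twice NAT
        for i, tok in enumerate(tokens):
            if tok in ('source', 'destination'):
                # layout: source|destination static|dynamic <real> <mapped>
                objs += [t for t in tokens[i + 2:i + 4] if t not in NAT_KEYWORDS]
    elif enclosing_object:                                   # object NAT inside an object block
        objs.append(enclosing_object)
    return {'text': line, 'ifcs': [m.group(1), m.group(2)], 'objects': list(dict.fromkeys(objs))}


def parse_config(text: str) -> dict:
    cfg = {'interfaces': {}, 'objects': set(), 'nat': [], 'same_sec_inter': False}
    iface = obj = None
    for raw in text.splitlines():
        line = raw.strip()                   # the paste above lost its indentation, so do not rely on it
        if not line or line == '!':
            continue
        if iface is not None and line.startswith(IFACE_SUBCMDS):
            if line.startswith('nameif '):
                iface['nameif'] = line.split()[1]
            elif line.startswith('security-level '):
                iface['level'] = int(line.split()[1])
            elif line == 'shutdown':
                iface['shutdown'] = True
            continue
        iface = None                         # any other command closes the interface block
        if line.startswith('interface '):
            iface = cfg['interfaces'].setdefault(line.split(None, 1)[1], {'shutdown': False})
        elif line.startswith(('object network ', 'object-group network ')):
            obj = line.split()[2]
            cfg['objects'].add(obj)
        elif line == 'same-security-traffic permit inter-interface':
            cfg['same_sec_inter'] = True
        elif line.startswith('nat ('):
            cfg['nat'].append(parse_nat(line, obj))
    return cfg


def check(cfg: dict) -> List[str]:
    findings: List[str] = []
    by_nameif = {i['nameif']: (phys, i) for phys, i in cfg['interfaces'].items() if 'nameif' in i}
    for rule in cfg['nat']:
        for ifc in rule['ifcs']:
            if ifc not in by_nameif:
                findings.append(f"{rule['text']}: no interface has nameif '{ifc}'")
            elif by_nameif[ifc][1]['shutdown']:
                findings.append(f"{rule['text']}: interface '{ifc}' ({by_nameif[ifc][0]}) is shutdown")
        for name in rule['objects']:
            if name not in cfg['objects']:
                findings.append(f"{rule['text']}: object '{name}' is never defined")
    if not cfg['same_sec_inter']:            # peers at one security level cannot talk without it
        by_level: Dict[Optional[int], List[str]] = {}
        for name, (_, i) in by_nameif.items():
            by_level.setdefault(i.get('level'), []).append(name)
        for level, names in by_level.items():
            if len(names) > 1:
                findings.append(f"{names} share security-level {level} but "
                                "'same-security-traffic permit inter-interface' is missing")
    return findings


# Constructed sample in the layout of the config pasted above (not the poster's file).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside1
 security-level 100
!
interface GigabitEthernet0/1
 nameif inside2
 security-level 100
!
interface GigabitEthernet0/8
 shutdown
 nameif outside
 security-level 0
!
same-security-traffic permit inter-interface
object network OBJ_Net_192.168.2.1
 subnet 192.168.2.0 255.255.255.0
object network OBJ_Net_192.168.3.1
 subnet 192.168.3.0 255.255.255.0
nat (inside1,inside2) source static OBJ_Net_192.168.2.1 OBJ_Net_192.168.2.1 destination static OBJ_Net_102.168.3.1 OBJ_Net_192.168.3.1
object network OBJ_Net_192.168.2.1
 nat (inside1,outside) dynamic interface
"""

if __name__ == '__main__':
    for finding in check(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

On the sample it reports two findings: the undefined object name in the twice-NAT rule and the shut-down outside interface referenced by the object-NAT rule. Removing the same-security-traffic line adds a third, for inside1 and inside2 both sitting at security-level 100.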

What is the output from packet-tracer?

E.g.: packet-tracer input INSIDE1 icmp 192.168.2.5 8 0 192.168.3.5

Hello,

I can't ping a machine that belongs to the inside2 VLAN (machine IP address 192.168.3.6/24, gateway 192.168.3.1) from a machine that belongs to the inside1 VLAN (machine IP address 192.168.2.6/24, gateway 192.168.2.1).

All machines that belong to the inside2 VLAN can ping the gateway 192.168.3.1, and all machines that belong to the inside1 VLAN can ping the gateway 192.168.2.1.


OK, but I wanted to see the output of packet-tracer to see what clues it gives. Please run packet-tracer and upload the output here.

I assume you can ping the machines from the ASA itself?

Yes, I can ping all machines from the ASA.

Sorry, but I don't have Packet Tracer... this is a real lab.

Packet Tracer is built into the ASA; it's used for troubleshooting. Go to the CLI and run this:

packet-tracer input INSIDE1 icmp 192.168.2.6 8 0 192.168.3.6

Please then upload the output.

You will find the output attached.

Thank you.


The result of that is "allow", so the ASA believes it should work. Are you sure there isn't a local firewall on the machines blocking traffic?

You have amended the IP addresses in the trace: "packet-tracer input inside icmp 10.169.2.6 8 0 10.169.3.6". Is that the only thing you've changed? Have you sanitised any of the other output or configuration?
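For reading an upload like the one the reply above refers to, here is an added example (not from this thread and not from Cisco) that parses packet-tracer output into its phases and reduces it to the facts that matter: the final action, the ingress and egress interfaces and, for a drop, the phase that dropped the packet and the Drop-reason. It assumes the standard layout of packet-tracer output ("Phase: N" blocks with Type/Subtype/Result lines, then a closing "Result:" block with input-interface, output-interface and Action). ALLOW_TRACE and DROP_TRACE are constructed samples written for this example, not the poster's attachment.

```python
"""Parse ASA packet-tracer output into its phases and pull out the verdict.

Added example, not code from the poster or from Cisco. It assumes only the
usual packet-tracer layout: 'Phase: N' blocks with Type / Subtype / Result
lines, then a closing 'Result:' block with input-interface, output-interface,
'Action: allow|drop' and, on a drop, 'Drop-reason:'. Both traces below are
constructed samples, not the attachment from the thread.
"""
import re
from typing import Dict, List, Optional

PHASE_RE = re.compile(r'^Phase:\s*(\d+)$')
PHASE_KEYS = ('type', 'subtype', 'result')   # Config / Additional Information bodies are skipped


def parse_packet_tracer(output: str) -> dict:
    phases: List[Dict[str, str]] = []
    final: Dict[str, str] = {}
    phase: Optional[Dict[str, str]] = None
    in_final = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            phase = {'phase': m.group(1)}
            phases.append(phase)
            continue
        if line == 'Result:':            # the summary block that ends the trace
            in_final, phase = True, None
            continue
        key, sep, value = line.partition(':')
        if not sep:
            continue                     # bare config or next-hop lines carry no key
        key, value = key.strip().lower(), value.strip()
        if in_final:
            final[key] = value
        elif phase is not None and key in PHASE_KEYS:
            phase[key] = value
    return {'phases': phases, 'final': final}


def verdict(output: str) -> Dict[str, Optional[str]]:
    """Reduce a trace to the five facts you want from someone else's upload."""
    parsed = parse_packet_tracer(output)
    final = parsed['final']
    # The first phase whose Result is DROP is the one that killed the packet.
    drop = next((p for p in parsed['phases'] if p.get('result', '').upper() == 'DROP'), None)
    return {
        'action': final.get('action', '').lower() or None,
        'ingress': final.get('input-interface'),
        'egress': final.get('output-interface'),
        'drop_phase': f"{drop['phase']} {drop.get('type', '?')}" if drop else None,
        'drop_reason': final.get('drop-reason'),
    }


# Constructed sample of a trace that is allowed end to end (not the poster's upload).
ALLOW_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.3.6 using egress ifc  inside2

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside1,inside2) source static OBJ_Net_192.168.2.1 OBJ_Net_192.168.2.1 destination static OBJ_Net_192.168.3.1 OBJ_Net_192.168.3.1
Additional Information:

Result:
input-interface: inside1
input-status: up
input-line-status: up
output-interface: inside2
output-status: up
output-line-status: up
Action: allow
"""

# Constructed sample of a trace that dies in the route lookup (not the poster's upload).
DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside1
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
"""

if __name__ == '__main__':
    print(verdict(ALLOW_TRACE))
    print(verdict(DROP_TRACE))
```

Run it against a pasted trace and the first thing to compare is the ingress and egress interface pair with the interface pair in the nat rule that the NAT phase shows; a trace that is "allow" with the expected egress, as in the reply above, means the next place to look is off the ASA.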

Yes, there isn't a local firewall on the machines blocking traffic.

Yes, it is the only change; I didn't change the configuration of my ASA.

Is the NAT configuration section OK?!


OK, but why did you not run packet-tracer between the real IP addresses (192.168.2.6 and 192.168.3.6)? Isn't that what we are troubleshooting?


