ASA5512 Basic question on passing traffic

Richard Stanger
Level 1

I have two interfaces on the ASA configured (one named outside and one PDS). I can ping out from the ASA to devices on each side without issue but am unable to pass traffic from devices located on one side to devices on the other side (through the ASA). Does it have to have NAT configured? I have ACLs configured on both interfaces permitting icmp, tcp, and ip. We are running ver. 9.6.2. What am I missing?

7 Replies

Richard,

best to post the config of the ASA.

One reason could be the interface security level. By default, interfaces with the same security level cannot communicate unless you have the below configured:

same-security-traffic permit inter-interface

I have specifically changed security levels with no change in traffic. Also, I have tried the "same-security-traffic permit inter-interface" with no effect.

Richard,

post the config, it could be an access list...

Interface security levels are only relevant if no ACL is assigned to the interface.

When you say you are unable to pass traffic, are we talking about ICMP traffic or http, https traffic also? If it is just ICMP then you will need to enable ICMP inspection. Enter the following and test again:

policy-map global_policy
 class inspection_default
  inspect icmp

Is the outside interface connected towards the ISP with a public interface? If yes, then you will need a NAT statement unless the subnet on the PDS interface is a public IP also.

Run a packet tracer and see where the traffic drops, where x.x.x.x is an IP on the PDS network and y.y.y.y is an IP on the outside network:

packet-tracer input PDS tcp x.x.x.x 12345 y.y.y.y 80 detail

You mention that you have opened for IP in both directions so this should work, or at the very least give us an indication where the packet is being dropped.

--

Please remember to select a correct answer and rate helpful posts
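The two rules the replies above lean on (same security level needs "same-security-traffic permit inter-interface"; an inbound ACL on an interface otherwise decides lower-to-higher traffic) can be checked mechanically against a running config. This is an added example, not code from the thread or from Cisco; the config text is constructed, the interface names mirror the poster's outside/PDS setup, and NAT and inspection are deliberately out of scope.

```python
import re

# Constructed ASA config fragment (not the poster's real config).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif PDS
 security-level 100
access-group outside_in in interface outside
"""

def parse_asa(config):
    """Return (security level by nameif, inbound ACL by nameif, same-security flag)."""
    levels, acls, current = {}, {}, None
    permit_same = "same-security-traffic permit inter-interface" in config
    for line in config.splitlines():
        if m := re.match(r"\s*nameif\s+(\S+)", line):
            current = m.group(1)              # nameif precedes security-level in a block
        elif m := re.match(r"\s*security-level\s+(\d+)", line):
            if current:
                levels[current] = int(m.group(1))
        elif m := re.match(r"\s*access-group\s+(\S+)\s+in\s+interface\s+(\S+)", line):
            acls[m.group(2)] = m.group(1)     # ACL name keyed by the interface it protects
    return levels, acls, permit_same

def check_path(config, src, dst):
    """Explain whether security-level/ACL rules alone let src-initiated traffic reach dst."""
    levels, acls, permit_same = parse_asa(config)
    if src not in levels or dst not in levels:
        return "unknown interface"
    # Equal levels are dropped unless inter-interface traffic is explicitly permitted.
    if levels[src] == levels[dst] and not permit_same:
        return "denied: same security level without same-security-traffic permit inter-interface"
    # An inbound ACL on the ingress interface replaces the implicit level-based decision.
    if src in acls:
        return f"governed by inbound ACL {acls[src]} on {src}"
    if levels[src] >= levels[dst]:
        return "allowed: higher-or-equal to lower security level, no inbound ACL"
    return "denied: lower to higher security level with no inbound ACL"

if __name__ == "__main__":
    for s, d in (("PDS", "outside"), ("outside", "PDS")):
        print(f"{s} -> {d}: {check_path(SAMPLE_CONFIG, s, d)}")
```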

Richard Stanger
Level 1

Okay, I thought it didn't make sense!

The problem was the default gateways on the VM'd servers were not set correctly! Once I had our server guy check this, we determined the issue. Thank you everyone for sending information. It may not help me but will most certainly help someone else!

I thank you all!

Rick

Glad you got it sorted!

--

Please remember to select a correct answer and rate helpful posts

Rick,

good stuff! This thread contains some useful information no matter what...
