Re: cisco ASA 5506-x ( Unable to communicate between two directly connected hosts)

prathamj26 · ‎01-13-2018

We are unable to communicate between two directly connected hosts through ASA 5506-x.

both interfaces are having same security level which is permitted.

configured access rule and Nat exempted on both interfaces.

In the service policy ICMP inspected.

ICMP permited on all interfaces.

windows firewall is disabled on both hosts machine.

Both ASA interface IP's are configured as Default gateway for hosts machine.

we are able to ping default gateway from hosts but when we are trying to reach another host machine which is behind the firewall. Its unreachable.

ASA version 9.8.1

ASA 5506-x with firepower.

Please help, we are facing this issues mainly on Cisco ASA 5506-x .

Marvin Rhoads · ‎01-13-2018

Can you share the configuration?

You can also test your configuration logic with packet-tracer tool on the ASA cli:

packet-tracer input <interface name of host 1's connection> icmp <host 1 ip> 8 0 <host 2 ip>

prathamj26 · ‎01-14-2018

Please Check below configuration:

ciscoasa# show running-config
: Saved

:
: Serial Number: JAD192202RS
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU
(4 cores)
:
ASA Version 9.8(1)7
!
hostname ciscoasa

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names

!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
nameif magmt
security-level 100
ip address 10.10.254.50 255.255.255.128
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list out extended permit ip any any
access-list in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu magmt 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any inactive
access-group in in interface inside
access-group out in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp
0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.10.254.0 255.255.255.0 magmt
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.254.0 255.255.255.0 magmt
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
!
jumbo-frame reservation
!
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:fc3ae2efe14d44fed0a70ec07ce8c4ce
: end
ciscoasa#

Marvin Rhoads · ‎01-14-2018

Are the hosts on interfaces Gi1/1 and 1/5? If so, you need to add the command:

same-security-traffic permit inter-interface

By default traffic is not is not allowed to flow between same-security interfaces.

Ajay Saini · ‎01-13-2018

Hello,

There are multiple things you can check, but the easiest is to take syslogs and find out whats happening to the traffic going through the ASA.

Captures should the second step. If the hosts are windows machines, installing wireshark will be helpful.

Could you also attach output of 'show run policy-map'

HTH

-AJ