CiscoASAv subinterfaces traffic is not passing

Juni
Level 1

Hi Everyone,

I am struggling with the ASA configuration with 2 subinterfaces and am not able to ping from a host in one VLAN to a host in the other VLAN. I haven't applied any ACLs or NAT, as I am not testing it with the internet.

int gi0/0.10
 vlan 10
 nameif VLAN10
 security-level 50
 ip add 10.255.255.5 255.255.255.0
!
int gi0/0.20
 vlan 20
 nameif VLAN20
 security-level 50
 ip add 20.255.255.5 255.255.255.0

I have 2 PCs connected, one on each port, and am not able to ping from one host machine to the other.

same-security-traffic permit inter/intra-interface is already there

inspect icmp is also there in the default policy-map

Can anyone help me find the cause of the problem?

16 Replies

Can you ping from the host to the interface of the ASA?

Yes, the interface is pingable.

show interface ip brief <- share this

ciscoasa(config)# show int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 172.16.10.1 YES CONFIG up up
GigabitEthernet0/1 192.168.10.1 YES CONFIG up up
GigabitEthernet0/2 192.168.0.1 YES CONFIG up up
GigabitEthernet0/3 unassigned YES unset up up
GigabitEthernet0/3.10 10.255.255.5 YES manual up up
GigabitEthernet0/3.20 20.255.255.5 YES manual up up
GigabitEthernet0/4 unassigned YES unset administratively down up
GigabitEthernet0/5 unassigned YES unset administratively down up
GigabitEthernet0/6 unassigned YES unset administratively down up
Management0/0 unassigned YES unset administratively down up

Here it is.

It's OK, all subinterfaces are UP.
Please share the packet-tracer for a ping between the two hosts.
NOTE: add the keyword detailed at the end of the packet-tracer command.

ciscoasa(config)# packet-tracer input VLAN10 icmp 10.255.255.2 8 0 20.255.255.2 detailed

Phase: 1
Type: ROUTE-LOOKUP
%ASA-7-609001: Built local-host VLAN10:10.255.255.2
%ASA-7-609001: Built local-host VLAN20:20.255.255.2
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
%ASA-6-302020: Built inbound ICMP connection for faddr 10.255.255.2/0 gaddr 20.255.255.2/0 laddr 20.255.255.2/0 type 8 code 0
found next-hop 20.255.255.2 using egress ifc VLAN20

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1671bba070, priority=2, domain=permit, deny=false
hits=4, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=VLAN10, output_ifc=any

Phase: 3
%ASA-6-302021: Teardown ICMP connection for faddr 10.255.255.2/0 gaddr 20.255.255.2/0 laddr 20.255.255.2/0 type 8 code 0
%ASA-7-609002: Teardown local-host VLAN10:10.255.255.2 duration 0:00:00
%ASA-7-609002: Teardown local-host VLAN20:20.255.255.2 duration 0:00:00
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f167129f660, priority=0, domain=nat-per-session, deny=true
hits=101, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1671bbd3c0, priority=0, domain=inspect-ip-options, deny=true
hits=42, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=VLAN10, output_ifc=any

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1671ac8c80, priority=70, domain=qos-per-class, deny=false
hits=47, user_data=0x7f1671a34f20, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1671bcf770, priority=70, domain=inspect-icmp, deny=false
hits=5, user_data=0x7f1671b39240, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=VLAN10, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1671bbcbd0, priority=66, domain=inspect-icmp-error, deny=false
hits=32, user_data=0x7f1671bbc890, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=VLAN10, output_ifc=any

Phase: 8
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f1671ac8c80, priority=70, domain=qos-per-class, deny=false
hits=48, user_data=0x7f1671a34f20, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f167129f660, priority=0, domain=nat-per-session, deny=true
hits=103, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f1671c2c8e0, priority=0, domain=inspect-ip-options, deny=true
hits=17, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=VLAN20, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 76, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 20.255.255.2 using egress ifc VLAN20

Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 5000.0005.0000 hits 4 reference 1

Result:
input-interface: VLAN10
input-status: up
input-line-status: up
output-interface: VLAN20
output-status: up
output-line-status: up
Action: allow

Everything is fine.
Check
show arp
and check the MAC address for both hosts.

Thank you for your prompt reply!

Here is the output. Yes, the MAC is showing correctly as the system MACs, which in both cases is a VM-WIN-10.

ciscoasa(config)# show arp
outside 172.16.10.10 aabb.cc00.3000 8975
inside 192.168.10.10 aabb.cc00.2000 8540
mgmt 192.168.0.2 0050.56c0.0001 4700
VLAN10 10.255.255.2 5000.0007.0000 2208
VLAN10 10.255.255.1 aabb.cc80.4000 2267
VLAN20 20.255.255.2 5000.0005.0000 2214
VLAN20 20.255.255.1 aabb.cc80.4000 2274

I have been struggling for hours but am unable to find the cause; the configuration looks fine to me as well.
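The checks the replies above walk through by hand can be scripted: parse the packet-tracer output, confirm that no phase dropped the packet and that the final Action is allow, then confirm that the next-hop MAC the ADJACENCY-LOOKUP phase resolved is the one show arp holds for that IP on the egress interface. The block below is an added example, not code from this thread or from Cisco; its sample inputs are trimmed copies of the outputs posted above plus one constructed drop case (the posted trace never drops), and the verdict strings are this example's own invention.

```python
import re

# Added example, not Cisco's or the poster's code. Sample inputs below are
# trimmed copies of the outputs posted in the thread; TRACE_DROP is constructed
# to show what an ASA drop looks like, since the posted trace never drops.
TRACE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
%ASA-7-609001: Built local-host VLAN10:10.255.255.2
Result: ALLOW
found next-hop 20.255.255.2 using egress ifc VLAN20

Phase: 13
<--- More --->Type: ADJACENCY-LOOKUP
Result: ALLOW
next-hop mac address 5000.0005.0000 hits 4 reference 1

Result:
output-interface: VLAN20
Action: allow
"""
TRACE_DROP = """\
Phase: 2
Type: ACCESS-LIST
Result: DROP

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
SHOW_ARP = """\
ciscoasa(config)# show arp
VLAN10 10.255.255.2 5000.0007.0000 2208
VLAN20 20.255.255.2 5000.0005.0000 2214
"""

SYSLOG_RE = re.compile(r"%ASA-\d-\d+:")
ROUTE_RE = re.compile(r"found next-hop (\S+) using egress ifc (\S+)")
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")


def clean_lines(text):
    """Drop %ASA syslog lines and pager prompts that leak into console captures."""
    lines = (ln.replace("<--- More --->", "").strip() for ln in text.splitlines())
    return [ln for ln in lines if not SYSLOG_RE.search(ln)]


def parse_packet_tracer(text):
    """Return (phases, final): one dict per phase plus the trailing Result block."""
    phases, final, cur, in_final = [], {}, None, False
    for line in clean_lines(text):
        if line.startswith("Phase:"):
            cur = {"type": None, "result": None}
            phases.append(cur)
        elif line == "Result:":  # a bare 'Result:' opens the final block
            cur, in_final = None, True
        elif cur is not None:
            if line.startswith("Type:"):
                cur["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                cur["result"] = line.split(":", 1)[1].strip()
            elif m := ROUTE_RE.search(line):
                cur["next_hop"], cur["egress_ifc"] = m.group(1), m.group(2)
            elif "next-hop mac address" in line and (m := MAC_RE.search(line)):
                cur["next_hop_mac"] = m.group(0)
        elif in_final and ":" in line:
            key, val = line.split(":", 1)
            final[key.strip()] = val.strip()
    return phases, final


def parse_show_arp(text):
    """Map (interface, ip) -> mac; prompt and header lines carry no MAC and are skipped."""
    arp = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and MAC_RE.fullmatch(parts[2]):
            arp[(parts[0], parts[1])] = parts[2]
    return arp


def diagnose(trace_text, arp_text):
    """Say where to look next: the ASA's policy, its ARP table, or the host."""
    phases, final = parse_packet_tracer(trace_text)
    arp = parse_show_arp(arp_text)
    dropped = [p["type"] for p in phases if p["result"] != "ALLOW"]
    if dropped or final.get("Action") != "allow":
        return {"verdict": "asa-drop", "phase": dropped[0] if dropped else "final",
                "reason": final.get("Drop-reason", "unknown")}
    route = next((p for p in phases if "egress_ifc" in p), None)
    adj = next((p for p in phases if "next_hop_mac" in p), None)
    if route is None or adj is None:
        return {"verdict": "incomplete-trace"}
    key = (route["egress_ifc"], route["next_hop"])
    arp_mac = arp.get(key)
    if arp_mac != adj["next_hop_mac"]:
        return {"verdict": "no-arp-entry" if arp_mac is None else "mac-mismatch",
                "next_hop": key, "trace_mac": adj["next_hop_mac"], "arp_mac": arp_mac}
    # Policy allowed the flow, the egress interface resolved and the adjacency
    # matches ARP: the ASA is not the blocker, so check the host next (its local
    # firewall, and the VM NIC / VLAN wiring behind the subinterface).
    return {"verdict": "asa-ok-check-host", "next_hop": key, "mac": arp_mac}


if __name__ == "__main__":
    print(diagnose(TRACE_ALLOW, SHOW_ARP))
    print(diagnose(TRACE_DROP, SHOW_ARP))
```

Run with python3; on the posted outputs it returns asa-ok-check-host, which is exactly the point the replies make: a trace that ends in Action: allow with a live adjacency means the ASA forwarded the echo request, so the silence is on the host side. Before blaming the host, run packet-tracer once more in the reverse direction (input VLAN20, from 20.255.255.2 to 10.255.255.2) so that an asymmetric policy on the return path is ruled out as well.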

Your config is correct.

The host FW is dropping ICMP.

Allow ICMP in the host FW and check again.

https://activedirectorypro.com/allow-ping-windows-firewall/

Sure, I will open that lab again to check this and will get back.

@MHM Cisco World It's more likely the Windows software firewall is ON. If the OP turns off the Windows software firewall for the Private network, it will fix the issue.

please do not forget to rate.

Thanks, I already suggested to him to check the Windows OS firewall.

Waiting for his reply.

MHM

VM-WIN-10 is running Windows 10, and by default the WIN-10 (software) firewall is ON. You need to turn it OFF for the Private network; that will fix the issue and you will be able to ping between subnets. You will also be able to ping from the ASA box to your WIN-10 host.

As it stands, you can't ping between two different subnets, and you can't even ping from the ASA to WIN-10 (example: FW interface 20.255.255.5 and WIN-10 host 20.255.255.X; the ping will fail due to the fact that the Windows software firewall is on).

This is a very common mistake, mostly ignored, and many times it leads us to pull our hair out looking for where the issue is.

please do not forget to rate.

Juni
Level 1

Thank you for sharing the possible options, but I already had that firewall disabled in Windows 10 (software) and it was still the same. I will check that again, building the lab one more time to see if the same issue comes up.
