Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1381
Views
0
Helpful
3
Replies

Help with Firewall Rule to Allow SNMP To Switch Behind ASA

Matthew Martin
Level 5
Level 5

‎10-03-2016 04:04 PM - edited ‎03-12-2019 01:21 AM

Hello All,

ASA: ASA5510
Software: Cisco Adaptive Security Appliance Software Version 9.1(6)11

We have recently setup a new location and have it configured behind a Firewall. The Flow would look like:

MPLS <---> ISR4321 Router (*10.28.1.1) <---> ASA5510 (*10.28.1.3) <---> C3650 Switch (*10.28.1.2)


What I would like to be able to do is, allow all traffic coming from a specific Server on the OUTSIDE interface (*Server = 192.168.5.14), to be allowed to talk to the C3650 Switch, which is on the INSIDE.

If I run packet-trace command below (*not sure this is correct or not) I get the following:

# packet-tracer input INSIDE icmp 10.28.1.2 8 0 192.168.5.14 detail

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad914828, priority=13, domain=capture, deny=false
hits=76618607, user_data=0xaec82a58, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=INSIDE, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae17ad28, priority=1, domain=permit, deny=false
hits=41757027, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=INSIDE, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.0.0 INSIDE

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae17cf48, priority=111, domain=permit, deny=true
hits=18206, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=INSIDE, output_ifc=INSIDE

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


So Given that output above, does that mean the default DENY ALL rule is preventing me from doing what I want?
If so, could someone suggest a rule that would allow traffic to that Switch from that specific Server address?

Any thoughts or suggestions would be greatly appreciated.

Thanks in Advance,
Matt

Labels:
0 Helpful
3 Replies 3

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎10-04-2016 05:28 AM

Hi,

Please enable same-security-traffic permit intra-interface on the ASA and then test.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Matthew Martin
Level 5
Level 5
In response to Aditya Ganjoo

‎10-04-2016 09:36 AM

Hi Aditya, thanks for the reply.

I inserted that command as you suggested. Now, the pings still don't go through, but the packet-tracer command says they SHOULD be allowed.

If I setup a capture I can see the following:

CISCOASA# show cap
capture ipam-in type raw-data interface INSIDE [Capturing - 290 bytes]
  match ip host 192.168.5.14 host 10.28.1.2
capture in-ipam type raw-data interface INSIDE [Capturing - 290 bytes]
  match ip host 10.28.1.2 host 192.168.5.14
CISCOASA#
CISCOASA#
CISCOASA# show cap ipam-in

5 packets captured

1: 11:06:52.465430 10.28.1.2 > 192.168.5.14: icmp: echo request
2: 11:17:44.143013 10.28.1.2 > 192.168.5.14: icmp: echo request
3: 11:18:20.118798 10.28.1.2 > 192.168.5.14: icmp: echo request
4: 11:23:39.046475 10.28.1.2 > 192.168.5.14: icmp: echo request
5: 11:23:46.146614 10.28.1.2 > 192.168.5.14: icmp: echo request
5 packets shown
CISCOASA#
CISCOASA# show cap in-ipam

5 packets captured

1: 11:06:52.465445 10.28.1.2 > 192.168.5.14: icmp: echo request
2: 11:17:44.143028 10.28.1.2 > 192.168.5.14: icmp: echo request
3: 11:18:20.118814 10.28.1.2 > 192.168.5.14: icmp: echo request
4: 11:23:39.046475 10.28.1.2 > 192.168.5.14: icmp: echo request
5: 11:23:46.146614 10.28.1.2 > 192.168.5.14: icmp: echo request
5 packets shown


So does this mean the return pings are being sent, but they are just not reaching me?

Thanks again for the reply.

Thanks,
Matt

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Matthew Martin

‎10-04-2016 09:58 AM

Hi Matt,

Yes you are correct.

Probably we are missing a return route to the ASA.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card