Issue passing traffic between two internal subnets

James Dykes
Level 1

I have an ASA 5500 running 8.2(4). There is a static route inside for the 192.168.0.0/24 network to go to 192.168.133.1, which is another router on the firewall's inside network that leads back to their office.


I try pinging from a host in the 192.168.133 network to the 192.168.0 network, and the packet is dropped. A packet-tracer command gives the following output:


4344-FWL001(config)# packet-tracer input inside icmp 192.168.133.100 0 8 192.1$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit icmp any any echo-reply
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc979d518, priority=12, domain=permit, deny=false
        hits=9224348, user_data=0xc7959a20, cs_id=0x0, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca36a9a0, priority=7, domain=conn-set, deny=false
        hits=172443571, user_data=0xca37fb78, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true
        hits=385629755, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc96e0b70, priority=66, domain=inspect-icmp-error, deny=false
        hits=14153115, user_data=0xc96e0a58, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139551, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97697f0, priority=1, domain=nat, deny=false
        hits=139932, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


I then try to add the network to the no-NAT group:

access-list inside_nat0_outbound extended permit ip 192.168.133.0 255.255.255.0 192.168.0.0 255.255.255.0


And the packet-tracer fails on a later step:


4344-FWL001(config)#packet-tracer input inside icmp 192.168.133.100 0 8 192.1$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit icmp any any echo-reply
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc979d518, priority=12, domain=permit, deny=false
        hits=9224458, user_data=0xc7959a20, cs_id=0x0, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca36a9a0, priority=7, domain=conn-set, deny=false
        hits=172445451, user_data=0xca37fb78, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true
        hits=385632692, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc96e0b70, priority=66, domain=inspect-icmp-error, deny=false
        hits=14153257, user_data=0xc96e0a58, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.133.0 255.255.255.0 inside 192.168.0.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc6b95be8, priority=6, domain=nat-exempt, deny=false
        hits=1, user_data=0xc9d1d7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.133.0, mask=255.255.255.0, port=0
        dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139551, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97697f0, priority=1, domain=nat, deny=false
        hits=139933, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139551, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9769b48, priority=1, domain=host, deny=false
        hits=16003947, user_data=0xc9769730, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139551, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xc97699a0, priority=1, domain=nat-reverse, deny=false
        hits=28, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


What am I missing to get this traffic through the ACLs?


Puneesh Chhabra
Cisco Employee

Both networks reside on the inside; why would traffic traverse the firewall?

I did not architect their network. Their servers at our location use the firewall as their gateway, and their office, connected through a point-to-point line, uses a separate router as its gateway, so traffic to that network from the servers here is supposed to be routed via the firewall to the router.

Can you post a diagram?

Hi,

Actually, you need this configuration on the ASA to allow communication between 192.168.133.0/24 and 192.168.0.0/24.

global (inside) 1 interface

static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Thanks and Regards,

Vibhor Amrodia

I made some changes after creating this thread. I added both networks to the inside no-nat group and added ACLs. Updated configuration is attached.


The customer is reporting pings are working, but RDP/SQL traffic is not. It looks like the firewall is trying to NAT the traffic to a different network. The packet-tracer output is below.


4344-FWL001# packet-tracer input inside tcp 192.168.133.210 3389 192.168.0.68 $

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit ip 192.168.133.0 255.255.255.0 192.168.0.0 255.255.255.0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca8e5540, priority=12, domain=permit, deny=false
        hits=492, user_data=0xc7955c90, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.133.0, mask=255.255.255.0, port=0
        dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca36a9a0, priority=7, domain=conn-set, deny=false
        hits=173249113, user_data=0xca37fb78, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true
        hits=386801563, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.133.0 255.255.255.0 inside 192.168.0.0 255.255.255.0
    NAT exempt
    translate_hits = 576, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca0671d8, priority=6, domain=nat-exempt, deny=false
        hits=576, user_data=0xc9d1de38, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.133.0, mask=255.255.255.0, port=0
        dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
  match ip inside 192.168.0.0 255.255.255.0 inside 192.168.133.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 574
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9d5e870, priority=6, domain=nat-exempt-reverse, deny=false
        hits=576, user_data=0xc9d5e1d8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.133.0, mask=255.255.255.0, port=0
        dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139552, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97697f0, priority=1, domain=nat, deny=false
        hits=140512, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139552, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9769b48, priority=1, domain=host, deny=false
        hits=16028284, user_data=0xc9769730, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139552, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xc97699a0, priority=1, domain=nat-reverse, deny=false
        hits=606, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 172.16.0.0  access-list vpn_nat
  match ip inside 192.168.0.0 255.255.255.0 outside 10.1.7.0 255.255.255.0
    static translation to 172.16.0.0
    translate_hits = 114129674, untranslate_hits = 1964376
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xca3691d8, priority=5, domain=host, deny=false
        hits=194675064, user_data=0xca5562e0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true
        hits=386801565, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 410248530, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

And entries from the logs:


Jul  2 18:21:35 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/63744 to 192.168.0.112/139 flags RST  on interface inside
Jul  2 18:21:41 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK  on interface inside
Jul  2 18:21:43 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59611 flags RST  on interface inside
Jul  2 18:21:44 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK  on interface inside
Jul  2 18:21:50 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK  on interface inside
Jul  2 18:22:00 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK  on interface inside
Jul  2 18:22:02 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags RST  on interface inside
Jul  2 18:22:03 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK  on interface inside
Jul  2 18:22:09 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK  on interface inside
Jul  2 18:22:19 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59640 flags SYN ACK  on interface inside
Jul  2 18:22:21 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags RST  on interface inside
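The %ASA-6-106015 "Deny TCP (no connection)" lines above carry a recognisable signature: SYN ACKs and RSTs arriving from the server side for flows the firewall never saw a SYN for. As an added example (not code from this thread or from Cisco), here is a small Python parser that reads such syslog lines and groups the denies per server socket and interface, which is a quick way to confirm asymmetric routing from logs alone. Six of the log lines are copied from the post above; the final 106023 line is constructed to show that other message IDs are ignored.

```python
import re
from collections import defaultdict

# Six %ASA-6-106015 lines copied from the post above, plus one constructed
# 106023 line to show that other message IDs are ignored by the parser.
SAMPLE_LOG = """\
Jul  2 18:21:35 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/63744 to 192.168.0.112/139 flags RST  on interface inside
Jul  2 18:21:41 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK  on interface inside
Jul  2 18:21:43 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59611 flags RST  on interface inside
Jul  2 18:21:44 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK  on interface inside
Jul  2 18:22:19 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59640 flags SYN ACK  on interface inside
Jul  2 18:22:21 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags RST  on interface inside
Jul  2 18:23:00 216.211.133.59 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:192.168.0.5/22 by access-group "outside_acl"
"""

MSG_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)

def parse_106015(line):
    """Return the fields of one 106015 message, or None for any other line."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = rec["flags"].split()
    return rec

def find_asymmetric_flows(log_text):
    # A SYN ACK the ASA has no connection for means the client's SYN reached the
    # server by another path while the reply crossed the firewall: the
    # asymmetric-routing signature. One finding per (server ip, port, interface).
    flows = defaultdict(lambda: {"syn_ack": 0, "rst": 0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_106015(line)
        if rec is None:
            continue
        entry = flows[(rec["src"], rec["sport"], rec["ifc"])]
        if rec["flags"] == ["SYN", "ACK"]:
            entry["syn_ack"] += 1
            entry["clients"].add((rec["dst"], rec["dport"]))
        elif "RST" in rec["flags"]:
            entry["rst"] += 1
    return [{"server": ip, "port": port, "interface": ifc,
             "syn_ack_denied": v["syn_ack"], "rst_denied": v["rst"],
             "clients": sorted(v["clients"])}
            for (ip, port, ifc), v in sorted(flows.items()) if v["syn_ack"]]
```

Run against the sample, it reports a single socket, 192.168.133.210:3389 on interface inside, with three denied SYN ACKs and two denied RSTs toward 192.168.0.68, which is exactly the pattern of a handshake whose forward and return paths differ.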


Looks like there is asymmetric routing. Can you try using TCP state bypass for the above-mentioned traffic? Here is the document for your reference:


http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html


Regards,

Puneesh

This is a crude representation but hopefully you get the idea.

What is the default gateway set on the 192.168.133.0 machines?

192.168.133.59

Currently some machines just have a persistent route that directs 192.168.0.0/24 traffic to 192.168.133.1.
