NAT drops traffic of same subnet

imanyadmin
Level 1

I have seen strange behaviour on my ASAs. One host, 10.60.49.248, cannot telnet to TCP/9300 on another host, 10.60.49.126, even though they are on the same subnet.

SGBACKFW(config)# packet-tracer input hosting-web-be tcp 10.60.49.248 4003 10.$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.60.49.0 255.255.255.0 hosting-web-be

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group hosting-web-be_in in interface hosting-web-be
access-list hosting-web-be_in extended permit tcp host 10.60.49.248 host 10.60.49.126 eq 9300
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb3883f30, priority=12, domain=permit, deny=false
hits=1, user_data=0xaf6efcd8, cs_id=0x0, flags=0x0, protocol=6
src ip=10.60.49.248, mask=255.255.255.255, port=0
dst ip=10.60.49.126, mask=255.255.255.255, port=9300, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae5a8be0, priority=0, domain=permit-ip-option, deny=true
hits=1326852003, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaeba0368, priority=20, domain=lu, deny=false
hits=1339704475, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (hosting-web-be,wan) 10.60.49.0 10.60.49.0 netmask 255.255.255.0
match ip hosting-web-be 10.60.49.0 255.255.255.0 wan any
static translation to 10.60.49.0
translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae8ae3c0, priority=5, domain=host, deny=false
hits=2641036114, user_data=0xae8ade70, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.60.49.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (hosting-web-be) 41 10.60.49.0 255.255.255.0
match ip hosting-web-be 10.60.49.0 255.255.255.0 hosting-web-be any
dynamic translation to pool 41 (No matching global)
translate_hits = 7, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae71e630, priority=1, domain=nat, deny=false
hits=82747, user_data=0xae71e590, cs_id=0x0, flags=0x0, protocol=0
src ip=10.60.49.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: hosting-web-be
input-status: up
input-line-status: up
output-interface: hosting-web-be
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

SGBACKFW(config)#

Can someone give me an idea?
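As an added example (not code from the original post), a small Python helper that walks the phases of a packet-tracer trace like the one above, picks out the phase that returned DROP, and flags the two details that matter for this thread: the flow enters and leaves on the same interface (hosting-web-be), and the NAT phase reports "No matching global". The embedded trace is a shortened, constructed copy of the output above.

```python
import re

# Constructed sample: a shortened copy of the packet-tracer output in the question.
SAMPLE_TRACE = """\
Phase: 6
Type: NAT
Result: ALLOW
static (hosting-web-be,wan) 10.60.49.0 10.60.49.0 netmask 255.255.255.0

Phase: 7
Type: NAT
Result: DROP
Config:
nat (hosting-web-be) 41 10.60.49.0 255.255.255.0
match ip hosting-web-be 10.60.49.0 255.255.255.0 hosting-web-be any
dynamic translation to pool 41 (No matching global)

Result:
input-interface: hosting-web-be
output-interface: hosting-web-be
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """One dict per 'Phase:' block; unlabeled lines (config, matched rule) go in 'detail'."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if not block.startswith("Phase:"):
            continue  # the trailing 'Result:' summary is not a phase
        fields = dict(re.findall(r"^(Phase|Type|Subtype|Result): *(.*)$", block, re.M))
        fields["detail"] = [ln for ln in block.splitlines() if ":" not in ln]
        phases.append(fields)
    return phases

def explain_drop(text):
    """Return the dropping phase plus the facts that explain it, or None if allowed."""
    summary = dict(re.findall(r"^(input-interface|output-interface|Drop-reason): *(.*)$", text, re.M))
    dropped = [p for p in parse_phases(text) if p.get("Result") == "DROP"]
    if not dropped:
        return None
    p = dropped[0]
    return {
        "phase": int(p["Phase"]), "type": p["Type"],
        # ingress == egress: the flow hairpins back out of hosting-web-be
        "intra_interface": summary.get("input-interface") == summary.get("output-interface"),
        # a dynamic NAT rule matched, but no 'global' exists for that interface
        "no_matching_global": "No matching global" in " ".join(p["detail"]),
        "drop_reason": summary.get("Drop-reason", ""),
    }
```

Run it against the full trace above and it reports phase 7 (NAT) as the dropping phase with both flags set, which is the combination to look for whenever same-subnet traffic through an ASA is unexpectedly dropped.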

3 Replies

balaji.bandi
Hall of Fame

To advise better, can you post the running config so we can verify the security levels?

BB


The security level of this interface is 0. Once again, both servers are on the same subnet.
!
interface GigabitEthernet0/0
description Connected to SGFRONTSW1 g1/0/2 and SGFRONTSW2 g2/0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.102
vlan 102
nameif vpn
security-level 0
ip address 10.60.2.4 255.255.255.0 standby 10.60.2.5
!
interface GigabitEthernet0/0.105
vlan 105
nameif san-mgmnt
security-level 100
ip address 10.60.5.1 255.255.255.0 standby 10.60.5.2
!
interface GigabitEthernet0/0.106
vlan 106
nameif shared-esx
security-level 100
ip address 10.60.6.1 255.255.255.0 standby 10.60.6.2
!
interface GigabitEthernet0/0.107
vlan 107
nameif shared-ad
security-level 100
ip address 10.60.7.1 255.255.255.0 standby 10.60.7.2
!
interface GigabitEthernet0/0.110
vlan 110
nameif wan
security-level 75
ip address 10.60.10.1 255.255.255.0 standby 10.60.10.2
!
interface GigabitEthernet0/0.218
vlan 218
nameif corp-web-mgmt
security-level 100
ip address 10.60.18.1 255.255.255.0 standby 10.60.18.2
!
interface GigabitEthernet0/0.225
vlan 225
nameif corp-be-mgmt
security-level 100
ip address 10.60.25.1 255.255.255.0 standby 10.60.25.2
!
interface GigabitEthernet0/0.334
vlan 334
nameif demo-web-mgmt
security-level 100
ip address 10.60.34.1 255.255.255.0 standby 10.60.34.2
!
interface GigabitEthernet0/0.341
vlan 341
nameif demo-be-mgmt
security-level 100
ip address 10.60.41.1 255.255.255.0 standby 10.60.41.2
!
interface GigabitEthernet0/0.450
vlan 450
nameif hosting-web-mgmt
security-level 100
ip address 10.60.50.1 255.255.255.0 standby 10.60.50.2
!
interface GigabitEthernet0/0.457
vlan 457
nameif hosting-be-mgmt
security-level 100
ip address 10.60.57.1 255.255.255.0 standby 10.60.57.2
!
interface GigabitEthernet0/1
description Connected to SGBACKSW g1/1 - Web BackEnd Networks
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.15
vlan 15
nameif philly_p2p
security-level 100
ip address 10.15.15.2 255.255.255.248
!
interface GigabitEthernet0/1.69
vlan 69
nameif ccg-web-be
security-level 0
ip address 10.60.69.1 255.255.255.0 standby 10.60.69.2
!
interface GigabitEthernet0/1.81
vlan 81
nameif Apache-web-be
security-level 0
ip address 10.60.81.1 255.255.255.0 standby 10.60.81.2
!
interface GigabitEthernet0/1.91
vlan 91
nameif Apache-prod-be
security-level 0
ip address 10.60.91.1 255.255.255.0 standby 10.60.91.2
!
interface GigabitEthernet0/1.217
vlan 217
nameif corp-web-be
security-level 0
ip address 10.60.17.1 255.255.255.0 standby 10.60.17.2
!
interface GigabitEthernet0/1.333
vlan 333
nameif demo-web-be
security-level 0
ip address 10.60.33.1 255.255.255.0 standby 10.60.33.2
!
interface GigabitEthernet0/1.449
vlan 449
nameif hosting-web-be
security-level 0
ip address 10.60.49.1 255.255.255.0 standby 10.60.49.2
!
interface GigabitEthernet0/1.600
description Akorn Web Back End
vlan 600
nameif Akorn-web-be
security-level 0
ip address 10.60.60.1 255.255.255.240
!
interface GigabitEthernet0/1.616
description Cumberland Subnet
vlan 616
nameif ccg
security-level 0
ip address 10.60.60.17 255.255.255.240
!
interface GigabitEthernet0/2
description Connected to SGBACKSW g1/2 - BackEnd Networks
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.66
description CCG Back end IP network (10.60.66.0/24)
vlan 66
nameif ccg-be
security-level 100
ip address 10.60.66.1 255.255.255.0 standby 10.60.66.2
!
interface GigabitEthernet0/2.224
vlan 224
nameif corp-be
security-level 100
ip address 10.60.24.1 255.255.255.0 standby 10.60.24.2
!
interface GigabitEthernet0/2.340
vlan 340
nameif demo-be
security-level 100
ip address 10.60.40.1 255.255.255.0 standby 10.60.40.2
!
interface GigabitEthernet0/2.456
vlan 456
nameif hosting-be
security-level 100
ip address 10.60.56.1 255.255.255.0 standby 10.60.56.2
!
interface GigabitEthernet0/2.632
description Akorn Back end IP network (10.60.60.32/28)
vlan 632
nameif Akorn-be
security-level 100
ip address 10.60.60.33 255.255.255.240
!
interface GigabitEthernet0/2.800
vlan 800
nameif Server_Backup
security-level 100
ip address 10.173.1.193 255.255.255.192
!
interface GigabitEthernet0/2.900
description Sungard VRR IP network (10.60.90.x/29)
vlan 900
nameif Sungard-DR
security-level 100
ip address 10.60.90.4 255.255.255.248
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 10.60.0.1 255.255.255.0 standby 10.60.0.2
!
interface GigabitEthernet1/0
description Connected to SGBACKSW g1/3 - Legacy Networks
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/0.401
vlan 401
nameif hosting-legacy1
security-level 0
ip address 216.203.51.202 255.255.255.240
!
interface GigabitEthernet1/0.403
vlan 20
nameif hosting-legacy3
security-level 0
ip address 10.128.54.169 255.255.255.240
!
interface GigabitEthernet1/0.404
vlan 30
nameif hosting-legacy4
security-level 0
ip address 10.128.144.249 255.255.255.224
!
interface GigabitEthernet1/1
description Connected to SGBACKSW g1/4 - Backend Shared Networks
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1.101
vlan 101
nameif transit
security-level 0
ip address 10.60.1.1 255.255.255.0 standby 10.60.1.2
!
interface GigabitEthernet1/1.104
vlan 104
nameif san
security-level 100
ip address 10.60.4.1 255.255.255.0 standby 10.60.4.2
!
interface GigabitEthernet1/1.120
description NetApp SAN Backend Network 10.131.195.0/27
vlan 120
nameif san-netapp
security-level 0
ip address 10.131.195.1 255.255.255.224
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address

Does anyone have an idea about this issue? Please advise.