07-17-2018 10:36 AM - edited 02-21-2020 07:59 AM
I have seen strange behaviour on my ASAs. One host, 10.60.49.248, cannot telnet to TCP/9300 on another host, 10.60.49.126, even though they are on the same subnet.
SGBACKFW(config)# packet-tracer input hosting-web-be tcp 10.60.49.248 4003 10.$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.60.49.0 255.255.255.0 hosting-web-be
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group hosting-web-be_in in interface hosting-web-be
access-list hosting-web-be_in extended permit tcp host 10.60.49.248 host 10.60.49.126 eq 9300
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xb3883f30, priority=12, domain=permit, deny=false
 hits=1, user_data=0xaf6efcd8, cs_id=0x0, flags=0x0, protocol=6
 src ip=10.60.49.248, mask=255.255.255.255, port=0
 dst ip=10.60.49.126, mask=255.255.255.255, port=9300, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xae5a8be0, priority=0, domain=permit-ip-option, deny=true
 hits=1326852003, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xaeba0368, priority=20, domain=lu, deny=false
 hits=1339704475, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (hosting-web-be,wan) 10.60.49.0 10.60.49.0 netmask 255.255.255.0
 match ip hosting-web-be 10.60.49.0 255.255.255.0 wan any
 static translation to 10.60.49.0
 translate_hits = 1, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xae8ae3c0, priority=5, domain=host, deny=false
 hits=2641036114, user_data=0xae8ade70, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=10.60.49.0, mask=255.255.255.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (hosting-web-be) 41 10.60.49.0 255.255.255.0
 match ip hosting-web-be 10.60.49.0 255.255.255.0 hosting-web-be any
 dynamic translation to pool 41 (No matching global)
 translate_hits = 7, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xae71e630, priority=1, domain=nat, deny=false
 hits=82747, user_data=0xae71e590, cs_id=0x0, flags=0x0, protocol=0
 src ip=10.60.49.0, mask=255.255.255.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: hosting-web-be
input-status: up
input-line-status: up
output-interface: hosting-web-be
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
SGBACKFW(config)#
Can someone give me an idea?
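A small triage helper for traces like the packet-tracer output above, added here as an example and not part of the original thread: it splits the trace into phases, reports the first phase whose Result is DROP together with its Config lines, and flags when input-interface equals output-interface. The sample text is constructed from the NAT phase and the summary block quoted in the post.

```python
# Constructed sample, abridged from the packet-tracer output quoted in the post above.
SAMPLE = """\
Phase: 3
Type: ACCESS-LIST
Result: ALLOW
Phase: 7
Type: NAT
Result: DROP
Config:
nat (hosting-web-be) 41 10.60.49.0 255.255.255.0
 match ip hosting-web-be 10.60.49.0 255.255.255.0 hosting-web-be any
 dynamic translation to pool 41 (No matching global)
Result:
input-interface: hosting-web-be
output-interface: hosting-web-be
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts and the final summary dict."""
    phases, summary, phase, in_config = [], {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Phase:"):
            phase = {"phase": int(line.split(":", 1)[1]), "config": []}
            phases.append(phase)
            in_config = False
        elif line == "Result:":  # bare header opens the final summary block
            phase, in_config = None, False
        elif phase is not None:
            if line.startswith(("Type:", "Result:")):
                key, value = line.split(":", 1)
                phase[key.lower()] = value.strip()
            elif line in ("Config:", "Additional Information:"):
                in_config = line == "Config:"  # keep Config lines, skip the rest
            elif in_config and line:
                phase["config"].append(line)
        elif ":" in line:  # summary block is "key: value"
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
    return phases, summary

def triage(text):
    """Report the first DROP phase, its config, and whether in/out interface match."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    return {"action": summary.get("Action"), "drop_reason": summary.get("Drop-reason"),
            "drop_phase": drop["phase"] if drop else None, "drop_type": drop["type"] if drop else None,
            "drop_config": drop["config"] if drop else [],
            "same_interface": summary.get("input-interface") == summary.get("output-interface")}
```

Run against a full trace, the returned dict points straight at the phase that dropped the flow and the config line it matched, which is quicker than reading every phase by hand.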
07-17-2018 12:00 PM
To advise better, can you post the running config so we can verify the security levels?
BB
07-17-2018 01:39 PM
The security level of this interface is 0. Once again, both servers are on the same subnet.
!
interface GigabitEthernet0/0
 description Connected to SGFRONTSW1 g1/0/2 and SGFRONTSW2 g2/0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.102
 vlan 102
 nameif vpn
 security-level 0
 ip address 10.60.2.4 255.255.255.0 standby 10.60.2.5
!
interface GigabitEthernet0/0.105
 vlan 105
 nameif san-mgmnt
 security-level 100
 ip address 10.60.5.1 255.255.255.0 standby 10.60.5.2
!
interface GigabitEthernet0/0.106
 vlan 106
 nameif shared-esx
 security-level 100
 ip address 10.60.6.1 255.255.255.0 standby 10.60.6.2
!
interface GigabitEthernet0/0.107
 vlan 107
 nameif shared-ad
 security-level 100
 ip address 10.60.7.1 255.255.255.0 standby 10.60.7.2
!
interface GigabitEthernet0/0.110
 vlan 110
 nameif wan
 security-level 75
 ip address 10.60.10.1 255.255.255.0 standby 10.60.10.2
!
interface GigabitEthernet0/0.218
 vlan 218
 nameif corp-web-mgmt
 security-level 100
 ip address 10.60.18.1 255.255.255.0 standby 10.60.18.2
!
interface GigabitEthernet0/0.225
 vlan 225
 nameif corp-be-mgmt
 security-level 100
 ip address 10.60.25.1 255.255.255.0 standby 10.60.25.2
!
interface GigabitEthernet0/0.334
 vlan 334
 nameif demo-web-mgmt
 security-level 100
 ip address 10.60.34.1 255.255.255.0 standby 10.60.34.2
!
interface GigabitEthernet0/0.341
 vlan 341
 nameif demo-be-mgmt
 security-level 100
 ip address 10.60.41.1 255.255.255.0 standby 10.60.41.2
!
interface GigabitEthernet0/0.450
 vlan 450
 nameif hosting-web-mgmt
 security-level 100
 ip address 10.60.50.1 255.255.255.0 standby 10.60.50.2
!
interface GigabitEthernet0/0.457
 vlan 457
 nameif hosting-be-mgmt
 security-level 100
 ip address 10.60.57.1 255.255.255.0 standby 10.60.57.2
!
interface GigabitEthernet0/1
 description Connected to SGBACKSW g1/1 - Web BackEnd Networks
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.15
 vlan 15
 nameif philly_p2p
 security-level 100
 ip address 10.15.15.2 255.255.255.248
!
interface GigabitEthernet0/1.69
 vlan 69
 nameif ccg-web-be
 security-level 0
 ip address 10.60.69.1 255.255.255.0 standby 10.60.69.2
!
interface GigabitEthernet0/1.81
 vlan 81
 nameif Apache-web-be
 security-level 0
 ip address 10.60.81.1 255.255.255.0 standby 10.60.81.2
!
interface GigabitEthernet0/1.91
 vlan 91
 nameif Apache-prod-be
 security-level 0
 ip address 10.60.91.1 255.255.255.0 standby 10.60.91.2
!
interface GigabitEthernet0/1.217
 vlan 217
 nameif corp-web-be
 security-level 0
 ip address 10.60.17.1 255.255.255.0 standby 10.60.17.2
!
interface GigabitEthernet0/1.333
 vlan 333
 nameif demo-web-be
 security-level 0
 ip address 10.60.33.1 255.255.255.0 standby 10.60.33.2
!
interface GigabitEthernet0/1.449
 vlan 449
 nameif hosting-web-be
 security-level 0
 ip address 10.60.49.1 255.255.255.0 standby 10.60.49.2
!
interface GigabitEthernet0/1.600
 description Akorn Web Back End
 vlan 600
 nameif Akorn-web-be
 security-level 0
 ip address 10.60.60.1 255.255.255.240
!
interface GigabitEthernet0/1.616
 description Cumberland Subnet
 vlan 616
 nameif ccg
 security-level 0
 ip address 10.60.60.17 255.255.255.240
!
interface GigabitEthernet0/2
 description Connected to SGBACKSW g1/2 - BackEnd Networks
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.66
 description CCG Back end IP network (10.60.66.0/24)
 vlan 66
 nameif ccg-be
 security-level 100
 ip address 10.60.66.1 255.255.255.0 standby 10.60.66.2
!
interface GigabitEthernet0/2.224
 vlan 224
 nameif corp-be
 security-level 100
 ip address 10.60.24.1 255.255.255.0 standby 10.60.24.2
!
interface GigabitEthernet0/2.340
 vlan 340
 nameif demo-be
 security-level 100
 ip address 10.60.40.1 255.255.255.0 standby 10.60.40.2
!
interface GigabitEthernet0/2.456
 vlan 456
 nameif hosting-be
 security-level 100
 ip address 10.60.56.1 255.255.255.0 standby 10.60.56.2
!
interface GigabitEthernet0/2.632
 description Akorn Back end IP network (10.60.60.32/28)
 vlan 632
 nameif Akorn-be
 security-level 100
 ip address 10.60.60.33 255.255.255.240
!
interface GigabitEthernet0/2.800
 vlan 800
 nameif Server_Backup
 security-level 100
 ip address 10.173.1.193 255.255.255.192
!
interface GigabitEthernet0/2.900
 description Sungard VRR IP network (10.60.90.x/29)
 vlan 900
 nameif Sungard-DR
 security-level 100
 ip address 10.60.90.4 255.255.255.248
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.60.0.1 255.255.255.0 standby 10.60.0.2
!
interface GigabitEthernet1/0
 description Connected to SGBACKSW g1/3 - Legacy Networks
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0.401
 vlan 401
 nameif hosting-legacy1
 security-level 0
 ip address 216.203.51.202 255.255.255.240
!
interface GigabitEthernet1/0.403
 vlan 20
 nameif hosting-legacy3
 security-level 0
 ip address 10.128.54.169 255.255.255.240
!
interface GigabitEthernet1/0.404
 vlan 30
 nameif hosting-legacy4
 security-level 0
 ip address 10.128.144.249 255.255.255.224
!
interface GigabitEthernet1/1
 description Connected to SGBACKSW g1/4 - Backend Shared Networks
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1.101
 vlan 101
 nameif transit
 security-level 0
 ip address 10.60.1.1 255.255.255.0 standby 10.60.1.2
!
interface GigabitEthernet1/1.104
 vlan 104
 nameif san
 security-level 100
 ip address 10.60.4.1 255.255.255.0 standby 10.60.4.2
!
interface GigabitEthernet1/1.120
 description NetApp SAN Backend Network 10.131.195.0/27
 vlan 120
 nameif san-netapp
 security-level 0
 ip address 10.131.195.1 255.255.255.224
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
07-18-2018 08:05 AM
Does anyone have an idea about this issue? Please advise.