10-12-2015 05:47 AM - edited 03-11-2019 11:44 PM
I am trying to pass traffic across 2 interfaces with the same security levels and I can't seem to get it to work past the firewall itself. I can ping across the firewall to the other network, but I can't get this to function from a network PC. I am running an ASA 5505, and I have entered the same-security commands as well.
Any help would be appreciated.
10-12-2015 01:03 PM
Hi,
From the configuration it looks like 'nat-control' is enabled and it is dropping as there is no NAT for the traffic.
I could see that you have configured nat-exemption for the inside network. Please use the below command:
access-list inside_nat0_outbound line 1 extended permit ip 192.168.153.0 255.255.255.0 192.168.169.0 255.255.0.0
It should work.
Rate if it helps!
Regards,
Akshay Rastogi
10-14-2015 12:05 PM
Tried that and it didn't work.
10-14-2015 12:48 PM
Hi,
Please provide the output of:
packet-tracer input inside tcp 192.168.153.x 12345 192.168.169.x 12345 det
packet-tracer input inside1 tcp 192.168.169.x 23343 192.168.153.x 22212 det
Regards,
Akshay Rastogi
10-15-2015 12:33 PM
10-15-2015 01:00 PM
Hi,
Are these packet-tracer outputs taken after the access-list I asked to add?
Also, I could see that you ran packet-tracer for destination 192.168.168.x. I believe your concerned traffic was '192.168.169.x'?
It says it is dropped at Access-list level. For testing purposes, please add 'permit ip any any' on both the interfaces (153 and 169).
Regards,
Akshay Rastogi
10-15-2015 01:24 PM
10-15-2015 05:43 AM
Hi,
Could you also provide the output from these commands:
cap cap_probe type asp-drop all
cap cap_inside match ip host 192.168.153.x host 192.168.169.x
cap cap_inside1 match ip host 192.168.169.x host 192.168.153.x
And try to enable ICMP inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
Regards,
Ergin