Problem with traffic between 2 interfaces, Still no solution...

gasparmenendez
Level 3
Level 3

Hi folks,

I'm having trouble with traffic between different subnets connected to different interfaces. A server with IP address 10.227.224.11 is connected to interface CARRIERS, and my PC with IP address 192.168.199.30 is connected to interface INSIDE_Prueba. I can't ping from my PC to the server; it doesn't answer. However, in my ASA's ASDM (5580 8.4(5) and Device Manager Version 7.1(1)52) I can see the hit counter increasing when I send the ping. Here's what I configured:

access-list INSIDE_Prueba_access_out extended permit ip 10.227.224.0 255.255.252.0 any (here's where the counter increases)

and

access-list CARRIERS_access_out extended permit ip 192.168.199.0 255.255.255.0 10.227.224.0 255.255.252.0

Can anybody help me please??

Thanks in advance.

23 Replies

Here's the capture in the other direction:

gaspar@gaspar-Lenovo-ideapad-310-15ISK ~ $ sudo tcpdump -i enp1s0 | grep 10.227.224.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:49:56.454958 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1239, length 40
13:49:56.454976 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1239, length 40
13:49:57.487287 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1240, length 40
13:49:57.487306 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1240, length 40
13:49:58.519610 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1241, length 40
13:49:58.519624 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1241, length 40
13:49:59.566572 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1242, length 40
13:49:59.566596 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1242, length 40
13:50:00.598874 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1243, length 40
13:50:00.598911 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1243, length 40
13:50:01.632839 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1244, length 40
13:50:01.632855 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1244, length 40
13:50:02.667957 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1245, length 40
13:50:02.667987 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1245, length 40
13:50:03.701705 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1246, length 40
13:50:03.701734 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1246, length 40
13:50:04.738270 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1247, length 40
13:50:04.738287 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1247, length 40
13:50:05.770705 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1248, length 40
13:50:05.770744 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1248, length 40
13:50:06.803582 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1249, length 40
13:50:06.803597 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1249, length 40
13:50:07.835389 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1250, length 40
13:50:07.835402 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1250, length 40
13:50:08.869768 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1251, length 40
13:50:08.869800 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1251, length 40
13:50:09.904622 IP 10.227.224.8 > 192.168.199.30: ICMP echo request, id 1, seq 1252, length 40
13:50:09.904647 IP 192.168.199.30 > 10.227.224.8: ICMP echo reply, id 1, seq 1252, length 40
^C139 packets captured
160 packets received by filter
0 packets dropped by kernel
9 packets dropped by interface

Thanks.

My last shot, man.

Apply this:

same-security-traffic permit inter-interface

Hi friend,

Here's the ping from 10.227.224.8 to 192.168.199.30 (ASA's ASDM):

6|Sep 04 2017|10:24:34|302015|192.168.199.30|50633|216.58.219.35|443|Built outbound UDP connection 1061824194 for OUTSIDE:216.58.219.35/443 (216.58.219.35/443) to INSIDE_Prueba:192.168.199.30/50633 (170.X.X.2/50633)
6|Sep 04 2017|10:24:34|305011|192.168.199.30|50633|170.X.X.2|50633|Built dynamic UDP translation from INSIDE_Prueba:192.168.199.30/50633 to OUTSIDE:170.X.X.2/50633
6|Sep 04 2017|10:24:34|302013|192.168.199.30|44288|216.58.219.35|443|Built outbound TCP connection 1061824192 for OUTSIDE:216.58.219.35/443 (216.58.219.35/443) to INSIDE_Prueba:192.168.199.30/44288 (170.X.X.2/44288)
6|Sep 04 2017|10:24:34|305011|192.168.199.30|44288|170.X.X.2|44288|Built dynamic TCP translation from INSIDE_Prueba:192.168.199.30/44288 to OUTSIDE:170.X.X.2/44288
6|Sep 04 2017|10:24:34|302016|209.244.0.3|53|192.168.199.30|54863|Teardown UDP connection 1061824150 for OUTSIDE:209.244.0.3/53 to INSIDE_Prueba:192.168.199.30/54863 duration 0:00:00 bytes 110
6|Sep 04 2017|10:24:34|302015|192.168.199.30|54863|209.244.0.3|53|Built outbound UDP connection 1061824150 for OUTSIDE:209.244.0.3/53 (209.244.0.3/53) to INSIDE_Prueba:192.168.199.30/54863 (170.X.X.2/54863)
6|Sep 04 2017|10:24:27|302013|192.168.199.30|54220|54.152.171.205|443|Built outbound TCP connection 1061818984 for OUTSIDE:54.152.171.205/443 (54.152.171.205/443) to INSIDE_Prueba:192.168.199.30/54220 (170.X.X.2/16236)
6|Sep 04 2017|10:24:27|305011|192.168.199.30|54220|170.X.X.2|16236|Built dynamic TCP translation from INSIDE_Prueba:192.168.199.30/54220 to OUTSIDE:170.X.X.2/16236
6|Sep 04 2017|10:24:27|302016|209.244.0.3|53|192.168.199.30|54863|Teardown UDP connection 1061818924 for OUTSIDE:209.244.0.3/53 to INSIDE_Prueba:192.168.199.30/54863 duration 0:00:00 bytes 376
6|Sep 04 2017|10:24:27|302015|192.168.199.30|54863|209.244.0.3|53|Built outbound UDP connection 1061818924 for OUTSIDE:209.244.0.3/53 (209.244.0.3/53) to INSIDE_Prueba:192.168.199.30/54863 (170.X.X.2/54863)
6|Sep 04 2017|10:24:27|302013|192.168.199.30|58414|35.201.97.85|443|Built outbound TCP connection 1061818687 for OUTSIDE:35.201.97.85/443 (35.201.97.85/443) to INSIDE_Prueba:192.168.199.30/58414 (170.X.X.2/58414)
6|Sep 04 2017|10:24:27|305011|192.168.199.30|58414|170.X.X.2|58414|Built dynamic TCP translation from INSIDE_Prueba:192.168.199.30/58414 to OUTSIDE:170.X.X.2/58414
6|Sep 04 2017|10:24:27|302016|209.244.0.3|53|192.168.199.30|54863|Teardown UDP connection 1061818651 for OUTSIDE:209.244.0.3/53 to INSIDE_Prueba:192.168.199.30/54863 duration 0:00:00 bytes 236

This ping is working fine.

Now the ping from 192.168.199.30 to 10.227.224.8 (ASA's ASDM):

4|Sep 04 2017|10:31:46|313004|||||Denied ICMP type=0, from laddr 10.227.224.8 on interface CARRIERS to 192.168.199.30: no matching session
6|Sep 04 2017|10:31:46|302020|10.227.224.8|0|192.168.199.30|4929|Built inbound ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
6|Sep 04 2017|10:31:46|302021|10.227.224.8|0|192.168.199.30|4929|Teardown ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
4|Sep 04 2017|10:31:45|313004|||||Denied ICMP type=0, from laddr 10.227.224.8 on interface CARRIERS to 192.168.199.30: no matching session
6|Sep 04 2017|10:31:45|302020|10.227.224.8|0|192.168.199.30|4929|Built inbound ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
6|Sep 04 2017|10:31:45|302021|10.227.224.8|0|192.168.199.30|4929|Teardown ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
4|Sep 04 2017|10:31:44|313004|||||Denied ICMP type=0, from laddr 10.227.224.8 on interface CARRIERS to 192.168.199.30: no matching session
6|Sep 04 2017|10:31:44|302020|10.227.224.8|0|192.168.199.30|4929|Built inbound ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
6|Sep 04 2017|10:31:44|302021|10.227.224.8|0|192.168.199.30|4929|Teardown ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
4|Sep 04 2017|10:31:43|313004|||||Denied ICMP type=0, from laddr 10.227.224.8 on interface CARRIERS to 192.168.199.30: no matching session
6|Sep 04 2017|10:31:43|302020|10.227.224.8|0|192.168.199.30|4929|Built inbound ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
6|Sep 04 2017|10:31:43|302021|10.227.224.8|0|192.168.199.30|4929|Teardown ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
4|Sep 04 2017|10:31:42|313004|||||Denied ICMP type=0, from laddr 10.227.224.8 on interface CARRIERS to 192.168.199.30: no matching session
6|Sep 04 2017|10:31:42|302020|10.227.224.8|0|192.168.199.30|4929|Built inbound ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
6|Sep 04 2017|10:31:42|302021|10.227.224.8|0|192.168.199.30|4929|Teardown ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
4|Sep 04 2017|10:31:41|313004|||||Denied ICMP type=0, from laddr 10.227.224.8 on interface CARRIERS to 192.168.199.30: no matching session
6|Sep 04 2017|10:31:41|302020|10.227.224.8|0|192.168.199.30|4929|Built inbound ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
6|Sep 04 2017|10:31:41|302021|10.227.224.8|0|192.168.199.30|4929|Teardown ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
4|Sep 04 2017|10:31:40|313004|||||Denied ICMP type=0, from laddr 10.227.224.8 on interface CARRIERS to 192.168.199.30: no matching session
6|Sep 04 2017|10:31:40|302020|10.227.224.8|0|192.168.199.30|4929|Built inbound ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929

Maybe that helps...???

Anyway, regarding what you suggest about same-security-traffic, I don't see the point since all my interfaces have different security levels, but I'll try it anyway.

Thanks.
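As an added example (not code from this thread, from the poster, or from Cisco), here is a small Python parser for the pipe-delimited ASDM log export shown above. It correlates each 313004 "no matching session" ICMP denial with the 302020 (built) and 302021 (teardown) ICMP session messages for the same two hosts in the same second, which lets a defender confirm from the logs that the echo reply is being rejected by the ASA's stateful ICMP check and not by an interface ACL. The sample lines are constructed in the thread's format, and the field layout (severity|date|time|msgid|src|sport|dst|dport|text) is assumed from the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the pipe-delimited ASDM export format
# (severity|date|time|msgid|src|sport|dst|dport|text); not from a real device.
SAMPLE_LOG = """\
4|Sep 04 2017|10:31:46|313004|||||Denied ICMP type=0, from laddr 10.227.224.8 on interface CARRIERS to 192.168.199.30: no matching session
6|Sep 04 2017|10:31:46|302020|10.227.224.8|0|192.168.199.30|4929|Built inbound ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
6|Sep 04 2017|10:31:46|302021|10.227.224.8|0|192.168.199.30|4929|Teardown ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
6|Sep 04 2017|10:31:45|302020|10.227.224.8|0|192.168.199.30|4929|Built inbound ICMP connection for faddr 10.227.224.8/0 gaddr 192.168.199.30/4929 laddr 192.168.199.30/4929
6|Sep 04 2017|10:24:34|302015|192.168.199.30|50633|216.58.219.35|443|Built outbound UDP connection 1061824194 for OUTSIDE:216.58.219.35/443 (216.58.219.35/443) to INSIDE_Prueba:192.168.199.30/50633 (170.X.X.2/50633)
"""

# 313004 carries the hosts only in its free text, so pull them out with a regex.
DENY_RE = re.compile(
    r"Denied ICMP type=(?P<type>\d+), from laddr (?P<src>[\d.]+) on interface "
    r"(?P<ifc>\S+) to (?P<dst>[\d.]+): no matching session")

def parse(text):
    """Split ASDM lines into dicts; skip anything that is not 9 pipe-separated fields."""
    rows = []
    for line in text.splitlines():
        f = line.split("|", 8)
        if len(f) != 9:
            continue
        rows.append({"sev": int(f[0]), "time": f[2], "id": f[3],
                     "src": f[4], "dst": f[6], "text": f[8]})
    return rows

def correlate(rows):
    """For each 313004 denial, report whether a 302020 (built) and a 302021 (teardown)
    ICMP session message for the same host pair was logged in the same second.
    A 313004 is a stateful-check rejection, so built=True/torn_down=True means the
    reply arrived after the ASA had already dropped the session, not an ACL deny."""
    sessions = defaultdict(set)  # (time, {host a, host b}) -> message ids seen
    for r in rows:
        if r["id"] in ("302020", "302021"):
            sessions[(r["time"], frozenset((r["src"], r["dst"])))].add(r["id"])
    findings = []
    for r in rows:
        if r["id"] != "313004":
            continue
        m = DENY_RE.search(r["text"])
        if not m:
            continue
        ids = sessions.get((r["time"], frozenset((m["src"], m["dst"]))), set())
        findings.append({"time": r["time"], "pair": (m["src"], m["dst"]),
                         "icmp_type": int(m["type"]), "interface": m["ifc"],
                         "session_built": "302020" in ids,
                         "session_torn_down": "302021" in ids})
    return findings
```

Feed it the full ASDM export (newest-first order does not matter, since matching is by timestamp and host pair) and look for findings with both flags True.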

Denied ICMP type=0, from laddr 10.227.224.8 on interface CARRIERS to 192.168.199.30: no matching session

Try to allow ICMP on the rules.

Which kind of access do you intend to perform? For TCP/UDP it must be working...

Not working.... I'll continue looking for help.

Thanks.

I think I know what's wrong. You may not have inspection enabled.

Take a look with the command:

show run policy-map

If you don't have inspect icmp, then run this:

policy-map global_policy
class inspection_default
inspect icmp

I think I have:

ASA5580# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
  inspect icmp error
!

??????

Any more ideas???

Thanks.

According to packet-tracer everything is OK:

ASA5580# Packet-tracer input inside_prueba icmp 192.168.199.30 8 0 10.227.224.8

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.227.224.0    255.255.252.0   CARRIERS
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_Prueba_access_in in interface INSIDE_Prueba
access-list INSIDE_Prueba_access_in extended permit ip object 192.168.199.0 any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:       
Additional Information:

Phase: 10
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CARRIERS_access_out out interface CARRIERS
access-list CARRIERS_access_out extended permit ip any 10.227.224.0 255.255.252.0
Additional Information:

Phase: 11
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1141115336, packet dispatched to next module

Result:
input-interface: INSIDE_Prueba
input-status: up
input-line-status: up
output-interface: CARRIERS
output-status: up
output-line-status: up
Action: allow
