07-28-2018 12:10 PM - edited 02-21-2020 08:01 AM
I am new to Firewalls and have been working with them just for 6 months. I am currently trying to configure an ASA 5515X with Firepower (whatever that means).
I want to use this firewall as the default gateway for all LAN traffic. I am experienced with routers, and with the routers I just have to create subinterfaces on the physical interface and connect it to the core switch as a trunk, and that's it. I have done the same with the firewall, but I cannot pass traffic between the subinterfaces. I can ping from a host on any subinterface (which all have security-level 100) to the router (which has the ISP link) through the Outside interface, which has security-level 0.
I have reset the firewall to its factory defaults (several times) and I have only configured the subinterfaces with an IP address, security level 100, a meaningful nameif and their corresponding VLAN ID. I also configured a default gateway, inspect icmp under the global policy, and the same-security-traffic permit inter/intra-interface command, but even with this most basic configuration I cannot ping from a host on one subinterface to another subinterface. From any host I can ping its default gateway, which confirms I have connectivity through the local LAN switch, and as I said before I can ping through the outside interface but not between subinterfaces with the same security level.
I appreciate any thoughts or ideas.
A
07-28-2018 04:27 PM
Hello A,
Good job on the intra/inter interface sysopts. It's usually the first tripping stone.
I would issue a packet-tracer with your host IPs and the detailed keyword and see how the firewall is treating your packet.
I know one thing that might stop this, depending on your code version, could be a missing NAT exemption. This is more of a problem in 8.x code but I have seen it. Packet-tracer will tell you if that is the case.
Something like:
packet-tracer input dmz icmp 192.168.1.14 8 0 10.0.0.16 detailed
If the reason doesn't immediately jump out at you, feel free to post it here and we can take a look also.
-A
Share a sanitized version of your config if possible.
You have to enable the "same-security-traffic permit inter-interface" feature if you want to pass traffic between 2 different interfaces with the same security level. This is not enabled by default.
Another option is to reduce the security level of 1 interface to something less than 100.
08-01-2018 07:21 AM
Thank you all who replied to my post.
After spending two more days trying to figure this out, it turned out that I cannot ping the firewall address from another subinterface basically. I can only ping from host to host between subinterfaces.
When I initially pinged from host to host I had a number of ACLs and NAT statements that may have prevented me from doing this.
After resetting the firewall one more time to its default values I only configured it with the following:
Once again thank you but the problem is now resolved.
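For reference, a minimal ASA configuration of the kind this thread converges on (same-security subinterfaces on a trunk, inter-interface permit, ICMP inspection, and the NAT exemption A mentioned), written as an added example and not the poster's configuration, which is omitted above; interface names, VLAN IDs and addresses are assumed values:

```cisco
! Added example: two VLAN subinterfaces at security-level 100 on one trunk port.
! Interface names, VLAN IDs and addresses are assumed for illustration.
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif servers
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif users
 security-level 100
 ip address 10.0.20.1 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
! Without this line the ASA drops traffic between two interfaces that share
! a security level; it is off by default.
same-security-traffic permit inter-interface
!
! Only needed if an existing NAT rule also matches the inter-VLAN flow:
! identity (twice) NAT keeps the internal addresses untranslated between VLANs.
object network NET-SERVERS
 subnet 10.0.10.0 255.255.255.0
object network NET-USERS
 subnet 10.0.20.0 255.255.255.0
nat (servers,users) source static NET-SERVERS NET-SERVERS destination static NET-USERS NET-USERS
!
! ICMP inspection so echo replies are matched to the outbound echo request.
policy-map global_policy
 class inspection_default
  inspect icmp
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Verify how a ping from a host in VLAN 10 to a host in VLAN 20 is handled
! (syntax: input <ifc> icmp <src> <type> <code> <dst>).
packet-tracer input servers icmp 10.0.10.50 8 0 10.0.20.50 detailed
```

In the packet-tracer output, a drop at the NAT or "same-security" phase points directly at the missing exemption or the missing permit line.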
08-01-2018 01:29 PM
Thanks for posting back to the forum to let us know that the problem is resolved and for sharing what you did that provided the solution. We are glad to try to provide solutions to problems presented in the forum. But we are especially glad when the person who presented the problem is able to find their own solution. +5 to you for achieving that.
HTH
Rick