Access-list problem

Kevin Cummins
Level 1

Hello all,

I am having an issue with access lists on an ASA.

Not too familiar with ASAs, but I can't ping from the internal network to another network I have set by static route.

Pinging to an item in the other network is fine from the local ASA.

Below is the config and packet-tracer output:

interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 nameif outside
 security-level 0
 pppoe client vpdn group EDIT-PPP
 ip address 222.222.222.44 255.255.255.255 pppoe setroute
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.102.4.250 255.255.255.0
!
interface Ethernet0/2.1
 vlan 1
 nameif internal
 security-level 100
 no ip address
!
interface Ethernet0/3
 nameif checkpoint
 security-level 100
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
same-security-traffic permit inter-interface
object network inside-net
 subnet 10.102.4.0 255.255.255.0
object network vpn-subnets
 subnet 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.102.4.0 255.255.255.0 10.1.0.0 255.255.0.0
pager lines 24
logging enable
logging trap informational
logging history notifications
logging asdm informational
mtu management 1500
mtu outside 1454
mtu inside 1500
mtu internal 1500
mtu checkpoint 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets
!
object network inside-net
 nat (inside,outside) dynamic interface
route inside 10.1.0.0 255.255.0.0 10.102.4.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group EDIT-PPP request dialout pppoe
vpdn group EDIT-PPP localname test@test.com
vpdn group EDIT-PPP ppp authentication pap
vpdn username test@222.222.222.44@test.com password *****
dhcpd dns 10.102.4.15 222.222.222.1
dhcpd wins 10.102.4.15 10.1.10.5
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 10.102.4.30-10.102.4.199 inside
dhcpd domain test.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2

packet-tracer input inside icmp 10.102.4.128 0 8 10.1.10.80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.0.0        255.255.0.0     inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

3 Replies

paolo bevilacqua
Hall of Fame

Wrong forum, post in security. You can move your post using the actions panel on the right.

Do you mean from internal, as in the sub-interface 0/2.1, to inside, as in interface 0/2?

Inside, as in interface 0/2

There is another router on the inside interface that I am trying to route users to. (at 10.102.4.1)

Both the clients and router are connected via the same switch. (Not L3)

Like this:

        ASA
         |
       Switch
      /      \
 Clients    Router

I have no access to change the settings on the other router.

I can ping it from this ASA, but can't get client traffic to go.

Do I need a same-security-traffic permit intra-interface command in there?
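
An added diagnostic, not part of this thread and not a Cisco tool: a Python script that reads the interface addresses and static routes out of the config posted above, works out which interface the packet-tracer source and destination each fall on, and, when both land on the same interface, checks whether the config contains same-security-traffic permit intra-interface, the setting the last reply asks about. The CONFIG and TRACE strings are the relevant lines copied from the original post (the default route that pppoe setroute installs is not in the excerpt); the function names are my own. It does not evaluate interface ACLs or NAT, so it explains only the same-interface condition that the trace's matching input-interface and output-interface lines show.

```python
import ipaddress
import re

# Lines copied from the config in the post above (only the ones this check needs).
CONFIG = """\
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.102.4.250 255.255.255.0
same-security-traffic permit inter-interface
route inside 10.1.0.0 255.255.0.0 10.102.4.1 1
"""

# The dropping phase and result block of the packet-tracer output from the post.
TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

INTRA = "same-security-traffic permit intra-interface"


def parse_interfaces(config):
    """Map each nameif to its directly connected network."""
    ifaces, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, addr, mask = line.split()[:4]
            ifaces[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ifaces


def parse_routes(config):
    """Static routes as (nameif, network, next hop) tuples."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line.strip())
        if m:
            iface, net, mask, nexthop = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), nexthop))
    return routes


def lookup_interface(config, addr):
    """Longest-prefix match over connected networks and static routes; None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    cands = [(net.prefixlen, name) for name, net in parse_interfaces(config).items() if ip in net]
    cands += [(net.prefixlen, iface) for iface, net, _ in parse_routes(config) if ip in net]
    return max(cands)[1] if cands else None


def parse_trace(trace):
    """Collect the 'key: value' fields of packet-tracer output and note which phase dropped."""
    info, phase, ptype = {}, None, None
    for line in trace.splitlines():
        m = re.match(r"Phase: (\d+)", line)
        if m:
            phase = int(m.group(1))
        elif line.startswith("Type: "):
            ptype = line[6:]
        elif line.startswith("Result: DROP"):
            info["drop_phase"], info["drop_type"] = phase, ptype
        elif ": " in line:
            key, _, value = line.partition(": ")
            info[key] = value
    return info


def diagnose(config, trace, src, dst):
    """Return findings for a src->dst flow, combining the trace with the config-derived lookup."""
    t = parse_trace(trace)
    findings = []
    if t.get("Action") == "drop":
        findings.append(f"dropped in phase {t.get('drop_phase')} ({t.get('drop_type')}): "
                        f"{t.get('Drop-reason')}")
    ingress, egress = lookup_interface(config, src), lookup_interface(config, dst)
    if (t.get("input-interface"), t.get("output-interface")) != (ingress, egress):
        findings.append("trace interfaces do not match the config-derived lookup; re-check routes")
    if ingress and ingress == egress:
        findings.append(f"hairpin: {src} -> {dst} enters and leaves interface '{ingress}'")
        if INTRA not in config:
            # Without this command the ASA does not send a flow back out the interface it came in on.
            findings.append(f"'{INTRA}' is not configured; the ASA will not forward a flow back "
                            "out the interface it arrived on without it")
    return findings


if __name__ == "__main__":
    for finding in diagnose(CONFIG, TRACE, "10.102.4.128", "10.1.10.80"):
        print("-", finding)
```

Run against the posted trace it reports the phase-3 acl-drop, the inside-to-inside hairpin (the static route for 10.1.0.0/16 points back out the interface the client sits on), and the missing intra-interface permit; the interface-mismatch line only appears when the routes in the config disagree with what packet-tracer chose.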