ASA 5512X and Sophos

manojyesh
Level 1

Dear Team,

Greetings,

I have an ASA 5512X with three interfaces. Two of these interfaces have a Class C subnet: one with the IP address 192.168.0.0/24, assigned to VLAN 1 (the native VLAN), and another with the IP address 192.168.70.0/24, assigned to VLAN 2 for voice. The third interface is configured with a newly created Class B subnet 172.16.15.0/24, assigned to VLAN 15. All interfaces are physical; there are no subinterfaces or VLANs configured directly on the ASA.

The VLANs (VLAN 1, VLAN 2, and VLAN 15) are created on both an Aruba switch and a Linksys switch, and communication for voice (VLAN 2) and data (VLAN 1) is functioning properly. The ASA's Ge0/0 port is connected to a Sophos UTM device, which in turn connects directly to the Linksys switch on port 44 with the IP address 192.168.0.250/24. The Aruba and Linksys switches are directly interconnected.

The ASA configuration appears to be correct, as I can ping the Class B subnet. A laptop connected to another port on Aruba switch can also ping from the 192.168.0.0/24 subnet to the Class B subnet, which has the laptop with IP address 172.16.15.17/24. However, I am unable to ping back to the 192.168.0.0/24 subnet from the laptop. At the same time, I can ping the 192.168.70.0/24 subnet from the laptop without any issues.

Is Sophos the problem here?

Please guide and help; what can the issue be?

Thank you.

Manoj.Y

11 Replies

What is the level of the ASA interface?

MHM

The level of the ASA interfaces is access to the Aruba and Linksys switches.

I have one outside interface to the Linksys modem/router with security-level 0,

and all other physical interfaces are inside with security-level 100, with same-security-traffic permit inter-interface and intra-interface.

Is this the question you are asking?
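For readers following along, the layout described above (one outside interface at security-level 0, the remaining physical interfaces all inside at security-level 100, with same-security traffic permitted) corresponds to the ASA configuration below. This is an added example and not the poster's running configuration: the interface names other than lantwo (which appears in the capture later in the thread), the GigabitEthernet numbering, the ASA's own .1 addresses and the ICMP inspection lines are assumptions.

```text
! Added example, not the original poster's configuration.
! Assumed: nameifs "inside"/"voice"/"outside", the Ge0/x numbering and the .1 addresses.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif voice
 security-level 100
 ip address 192.168.70.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif lantwo
 security-level 100
 ip address 172.16.15.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Without these two lines the ASA drops traffic between interfaces of equal
! security level, which looks exactly like "requests arrive, nothing comes back".
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! Optional but useful for this kind of troubleshooting: with ICMP inspection on,
! the ASA tracks echo request/reply as one connection, so a reply that never
! shows up in "show conn" was lost downstream, not on the ASA.
policy-map global_policy
 class inspection_default
  inspect icmp
```

The two same-security-traffic lines are the first thing to verify whenever several interfaces share security-level 100; the ASA gives no explicit log message for traffic dropped between equal-security interfaces unless logging is tuned for it.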

Use a capture on the interface to see if the ASA receives the ICMP requests.

MHM

Hi,

These are the packets I received from the laptop on subnet 172.16.15.15/24 to the host PC on 192.168.0.65/24 when I put on an ASA capture. I am able to ping from 192.168.0.65/24 to 172.16.15.15/24.

 

ciscoasa(config)# capture lantwo interface lantwo match icmp host 172.16.15.1$
ciscoasa(config)# sh capture
capture lantwo type raw-data interface lantwo [Capturing - 180 bytes]
match icmp host 172.16.15.15 host 192.168.0.65
ciscoasa(config)# sh capture lantwo

8 packets captured

1: 13:32:32.175650 172.16.15.15 > 192.168.0.65: icmp: echo request
2: 13:32:36.933225 172.16.15.15 > 192.168.0.65: icmp: echo request
3: 13:32:41.937176 172.16.15.15 > 192.168.0.65: icmp: echo request
4: 13:32:46.935345 172.16.15.15 > 192.168.0.65: icmp: echo request
5: 13:32:51.936841 172.16.15.15 > 192.168.0.65: icmp: echo request
6: 13:32:56.939343 172.16.15.15 > 192.168.0.65: icmp: echo request
7: 13:33:01.918287 172.16.15.15 > 192.168.0.65: icmp: echo request
8: 13:33:06.940777 172.16.15.15 > 192.168.0.65: icmp: echo request
8 packets shown
ciscoasa(config)#

There are only ICMP requests; there is no reply.
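The capture above only watches the lantwo side, so it cannot tell whether the ASA forwarded the requests or dropped them. The commands below are an added example, not something from the original post, and assume the interface facing the Sophos (the one on Ge0/0) is named "inside"; they capture the same flow on both interfaces, replay it through packet-tracer, and read the ASA's drop counters so the fault can be placed either on the ASA or downstream of it.

```text
! Added example; "inside" as the nameif of the Sophos-facing interface is an assumption.
! ASA capture "match ... host A host B" matches both directions, so a reply
! from 192.168.0.65 would also land in these buffers.
capture req-in  interface lantwo match icmp host 172.16.15.15 host 192.168.0.65
capture req-out interface inside match icmp host 172.16.15.15 host 192.168.0.65
!
! Send a few pings from the laptop, then compare the two buffers:
show capture req-in
show capture req-out
!
! Reading the result:
!   req-in has echo requests, req-out is empty
!       -> the ASA itself is dropping them (same-security, ACL or NAT); see below.
!   req-out has echo requests but no echo reply
!       -> the ASA forwarded them; the drop is beyond the ASA (the Sophos
!          bridge rules or the host firewall on 192.168.0.65).
!
! Let the ASA explain what it would do with one such packet
! (8 0 = ICMP type 8, code 0, i.e. echo request); the output names the
! ACL, NAT or same-security check that allows or drops it:
packet-tracer input lantwo icmp 172.16.15.15 8 0 192.168.0.65
!
! Accelerated-path drop counters; a counter such as "acl-drop" that rises
! while the pings run points back at the ASA rather than downstream:
show asp drop
!
! Remove the captures when finished; they hold buffer memory on the 5512-X.
no capture req-in
no capture req-out
```

In the thread this check would have shown requests leaving the inside interface with no reply coming back, which is exactly the "forwarded by the ASA, stopped downstream" case that the LAN-to-LAN rule on the Sophos later resolved.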

I will send you a PM for other points to check.

MHM

Hello
One thing to note: if you are pinging towards a Windows PC, then make sure the software firewall of that PC is turned off or allows echo-reply, as by default the Windows software firewall prohibits echo reply, meaning you can ping from the PC but not towards it.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello
Post a topology diagram of how this is physically connected.
Also, you mention a class B subnet (/16) but you show all /24 addressing; is this correct?


Kind Regards
Paul

vishalbhandari
Spotlight

@manojyesh 

The issue seems to be related to the Sophos UTM device. Since the 192.168.0.0/24 subnet is routed through Sophos (connected via Ge0/0 on the ASA), it’s likely that Sophos is not properly routing or allowing return traffic from the 172.16.15.0/24 subnet to the 192.168.0.0/24 subnet.

Check the routing table and firewall rules on the Sophos UTM to ensure it has a route back to the 172.16.15.0/24 network via the ASA and that no policies are blocking the return traffic. Also, confirm that NAT rules on the Sophos device aren’t interfering with the traffic. Since the 192.168.70.0/24 subnet works, the issue seems isolated to how Sophos handles traffic from 172.16.15.0/24 destined for 192.168.0.0/24.

Hi Vishal,

The Sophos is in bridge mode, and yes, the Sophos is blocking the traffic. So I created a VLAN under bridge mode and allowed a firewall rule from WAN to LAN, and when applied I am able to reach the Sophos IP 172.16.15.250/24, but the ICMP ping from 172.16.15.0/24 then does not go through further to any IP on the 192.168.0.0/24 subnet. Relooking at the topology; I assume I am near, but somewhere it is holding.

Regards

 

@manojyesh It seems the Sophos in bridge mode is partially configured to allow traffic. Since you can reach the Sophos IP (172.16.15.250/24) but not ping beyond to the 192.168.0.0/24 subnet, the issue might be with routing or firewall rules. Ensure there’s a proper route for traffic from 172.16.15.0/24 to 192.168.0.0/24 and verify if the firewall rules allow ICMP traffic across subnets. Additionally, check the Sophos logs to confirm if it’s blocking or misrouting the traffic. You’re close—focus on firewall rules and routing.

Dear Vishal and Team,

Yes, it is successfully done. Now I am able to ping bidirectionally. I created a LAN-to-LAN firewall rule inside the Sophos, which worked out.

Thankyou for the support and guidance.

Regards

Manoj
