ASA issue from Inside to Outside network

pgyogeshkumar
Level 1

I am facing an issue with an ASA.

Traffic from Inside towards Outside interface is not working properly.

1. If I ping from a LAN device to the Inside interface of the ASA (locally connected), I get replies.

2. But if I ping from a LAN device to the Outside interface of the ASA, I get no reply. Even with the debug icmp trace command I couldn't see the traffic hitting the firewall. ACLs have been implemented correctly, and the global policy also allows it with inspect icmp.

3. If I ping from a LAN device to an Outside network IP, there is also no reply. I can see the request hitting the firewall using the debug icmp trace command, but no replies are seen on the ASA.

Not sure where the traffic is being blocked in the ASA. I need help investigating this.

No other major configuration is in place. This is a new ASA, as such.

8 Replies

Philip D'Ath
VIP Alumni

(1) Good.

(2) Would normally fail.

Is only ICMP affected? If so, have you enabled icmp and icmp error inspection?

Otherwise you probably have a nat or access-list issue, or maybe even a missing default route on the ASA.

Does anything interesting appear in the ASA log?

I really need to see the config to figure it out.

Hi Phil

Only ICMP is required for now to check end-to-end connectivity, and that's failing.

I have allowed ICMP in inspection.

The access list is also configured with permit all and applied to the interface.

Attaching the config of the ASA device.

You have restricted the traffic in and out of each interface:

access-group 100 in interface outside
access-group 100 out interface outside
access-group 101 in interface inside
access-group 101 out interface inside

Perhaps try only doing it inbound (this is how people normally configure ASAs):

access-group 100 in interface outside
access-group 101 in interface inside

And let's make sure the access lists are super simple to begin with:

access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any

Still the same issue.

I haven't blocked the traffic as such with the ACL. All I did was apply it outbound with permits and no denies.

Can you please confirm: if a packet with an Ethernet header carrying VLAN information passes through the ASA, will that VLAN information be removed automatically, or will it pass along with the VLAN information?

This would help me identify the issue.

Thanks in advance

Is this a physical or virtual ASA?

Are you operating it in transparent mode?

It can't be transparent as interfaces are in different IP subnets.

Jon

It won't pass along VLAN information, and there would only be VLAN information if the connection were a trunk.

Are the default gateways of the end clients on either side of the firewall set to the corresponding ASA IP addresses?

Have you tried running packet tracer?

Jon

Adding to the troubleshooting progress:

1. ICMP echo is getting passed from inside to outside and from outside to inside. This is confirmed by the access-list match count increasing.

2. The ACL match count is not increasing for the entry permitting echo-reply in the access list.

It looks like the echo-reply is being dropped by some other mechanism in the ASAv, and hence it's not matching the access list which I configured.

I can ping successfully from the Outside interface to any IPs learnt from the outside network.

I can also ping successfully from the Inside interface to any IPs learnt from the inside network.

However, the ACL match count does not increase for these successful pings. I guess it's only for the traffic that's passing through.

I need help resolving this issue: why the echo-reply is not seen in the ACL match count, and what all the possibilities are to fix the problem so that the echo-reply is allowed through the ASA and shows up as an increased match count in the ACL.
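As an added example (not configuration from the thread or the attached config), here are the ASA commands a practitioner would use to check the points raised above: icmp and icmp error inspection in the global policy, inbound-only access-groups, and packet-tracer run in both directions. The interface names inside/outside and the host addresses 192.168.1.10 and 203.0.113.5 are assumed placeholders; the ACL numbers 100 and 101 are the ones from the thread.

```text
! Added example, not from the thread. Host addresses are assumed:
! 192.168.1.10 is a host behind 'inside', 203.0.113.5 a host beyond 'outside'.

! 1. Stateful ICMP inspection. With 'inspect icmp' enabled the ASA records a
!    connection for each echo request and returns the matching echo-reply through
!    that connection, so the reply is not evaluated against an access-list entry
!    permitting echo-reply and that entry's hit count does not increase.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! 2. Apply the access lists inbound only, as suggested earlier in the thread.
no access-group 100 out interface outside
no access-group 101 out interface inside
access-group 100 in interface outside
access-group 101 in interface inside

! 3. Simulate the echo request (inside -> outside, type 8 code 0) and the
!    echo-reply (outside -> inside, type 0 code 0). Each phase of the output
!    reports ALLOW or DROP together with the reason (ACL, NAT, route, ...).
packet-tracer input inside icmp 192.168.1.10 8 0 203.0.113.5 detailed
packet-tracer input outside icmp 203.0.113.5 0 0 192.168.1.10 detailed

! 4. While a ping is running, confirm the ICMP connection created by inspection,
!    then check the drop counters and the log for the real drop reason.
show conn | include ICMP
show asp drop
show service-policy inspect icmp
show logging | include 192.168.1.10
```

Pings sourced from the ASA's own interfaces (as in the last post) are to-the-box traffic and never hit the through-traffic access lists, which is why those successful pings do not change the match counts either.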