Routing with ASA 5506-X for Noobs

Deepspace
Level 1

So please forgive my noob question, but I can't wrap my mind around this network problem.

I have a very simple setup.

Network 1 (outside) is connected to a Cisco ASA 5506-X, and so is Network 2 (inside). On Network 1 there is "PC 1" with the IP 139.27.60.161/24, connected to Port 1 of the ASA, which has IP 139.27.60.160/24. On Network 2 there is "PC 2" with the IP 172.16.170.110/24, connected to Port 2 of the ASA, which has IP 172.16.170.200/24.
Before I add all the specific firewall rules, I want the basic routing function to work.

The interfaces of the ASA have their IPs. As I understood it, there is nothing else I need to do in the ASA settings to enable routing (apart from assigning the IPs).

What I tried to do was to ping "PC 2" in Network 2 from "PC 1" in Network 1. "PC 2" has the IP address of the ASA (139.27.60.160) as its gateway. Pinging in this direction worked. "PC 2" already has a gateway address (172.16.170.1), so I added a route "route add 139.27.160.0/24 172.16.170.200". But pinging "PC 1" from "PC 2" still doesn't work.

Any suggestions where my error is?

Accepted Solution

Thanks to everyone for the help! :)

It appears that I just missed another route entry on one of the windows machines.

I also changed around the inside and outside network so that outside is on Port 1.

4 Replies

Seb Rupik
VIP Alumni

Hi there,

PC2 is routed on interface Gi1/2, which has a security-level of 0. It is trying to reach PC1 which is on a higher-security level interface.

For this reason you will need to explicitly permit the traffic flow with an ACL applied inbound on Gi1/2.

cheers,

Seb.

Hello

Can you confirm? Maybe I have misinterpreted what you have posted, but you say an internal PC cannot ping an external PC while the external PC can ping the internal one. If anything, I would have expected the other way around to work, and only if you allowed echo-reply to enter your FW from the outside, as I think @Seb Rupik highlighted?

Can you post the config of the firewall please?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Alan Ng'ethe
Level 3

As mentioned by Rupik, you have a security level 100 on the 'outside' interface and 0 on the 'inside' interface.

Remember the following rules:

- Traffic from a higher-security interface to a lower-security interface is allowed by the implicit rules by default

- Lower to higher will require an explicit rule to allow the traffic

- Between same-security interfaces, traffic is denied by default unless allowed using the command same-security-traffic permit inter-interface

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.
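To make the security-level rules above and Seb's point about an inbound ACL concrete, here is an added ASA configuration example (not the original poster's config, and not taken from any reply) for the addressing in the question, with outside on Gi1/1 at security-level 0 and inside on Gi1/2 at security-level 100, which matches the final arrangement the poster settled on. The interface names, the ACL name OUTSIDE_IN, and the choice to inspect ICMP are assumptions made for the example.

```cisco
! Added example, not the poster's running config. Interface names, ACL name
! and security levels are assumptions chosen to match the thread's addressing.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 139.27.60.160 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 172.16.170.200 255.255.255.0
 no shutdown
!
! Inside (100) to outside (0) is permitted by the implicit rules, so PC 2
! can send an echo request. ICMP is not stateful on the ASA unless it is
! inspected; without this the echo-reply from the outside (0) back to the
! inside (100) is dropped. Inspecting ICMP lets the reply match the
! outbound request instead of needing its own permit rule.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Only if hosts on the outside must be able to start pings to PC 2
! (lower to higher) is an explicit ACL needed, applied inbound on the
! outside interface. Keep it host-to-host and log what the ACL drops.
access-list OUTSIDE_IN extended permit icmp host 139.27.60.161 host 172.16.170.110 echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Both /24s are directly connected, so the ASA itself needs no static
! route between them. Verification commands for each direction:
! show route
! show access-list OUTSIDE_IN
! packet-tracer input inside icmp 172.16.170.110 8 0 139.27.60.161
! packet-tracer input outside icmp 139.27.60.161 8 0 172.16.170.110
```

The ASA side is only half of the path. Because PC 2's default gateway is 172.16.170.1 rather than the ASA, PC 2 needs a route for PC 1's network via the ASA's inside address; on Windows the syntax uses the mask keyword rather than a prefix length, so it reads `route add 139.27.60.0 mask 255.255.255.0 172.16.170.200` (add `-p` to make it survive a reboot). The same applies on PC 1 if its default gateway is not the ASA: it needs `route add 172.16.170.0 mask 255.255.255.0 139.27.60.160`, otherwise the echo-reply never reaches the firewall and the ping fails even though the ASA policy allows it. The two packet-tracer lines show whether the ASA or the host routing is the part that is dropping the flow.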