Cisco ASA interface not communicating with each other

john
Level 1

Hello ALL,

I need help on how to make the 2 firewall interfaces communicate with each other and to enable ping.

interface GigabitEthernet0/1
 nameif C4_LAN
 security-level 0
 ip address 172.16.17.1 255.255.255.0
!
interface GigabitEthernet0/2
 description from TPLINK ROUTER
 nameif RSSC4_LAN
 security-level 100
 ip address 172.16.19.254 255.255.255.252

picture attached

thank you.

John

3 Replies

cofee
Level 5

John,

By default, tcp and udp traffic is allowed from a higher security interface to a lower security interface, but not vice versa. In your current topology you should be able to telnet from a device that's behind RSSC4_LAN to a device that's behind C4_LAN without any access lists (any tcp/udp traffic). Any traffic that is initiated by a host that is connected to a lower security interface has to be explicitly allowed using an ACL.

But any other traffic that doesn't use tcp or udp for transport will be dropped even if the traffic is initiated from a higher security interface. Actually, outbound traffic will make it through the firewall, but return traffic will be dropped since, besides tcp/udp, no other transport protocol is inspected by the firewall. Like I already mentioned, ICMP outbound traffic from higher to lower will make it through the firewall, but return traffic will be dropped as the ASA doesn't inspect icmp by default. So you will either need to change the default behavior of the firewall by updating the global policy to inspect icmp (or any other protocol that's not inspected by default) so the ASA can allow the traffic by using the connection table, or the second option is to explicitly allow return traffic by using ACLs.

Traffic from outside to inside, in other words from a lower to a higher security zone, can only be allowed by using ACLs.

Hi,

For example, I create an ACL and make the interfaces the same security level (100):

access-list c4_lan_access extended permit ip any any log

access-list rss_lan_access extended permit ip any any log

Then apply it to the access-group. Can they telnet back to back?

I also added the inspect icmp to the global policy, but still cannot ping devices from rss to c4 and vice versa.

Can you advise the commands?

Regards,

John

Well, if both interfaces have the same security level then you don't even need ACLs, and the command below can be used if you want to allow all traffic between them.

same-security-traffic permit inter-interface

With your current configuration things should work based on your explanation. The only other thing would be to check routing on the ASA and on the layer 3 devices connected to the ASA. Make sure that the switch has a route to 192.168.8.0/24 and the router has a route to the 172.16.17.0/24 network, or you can just configure a default gateway on the switch and router pointing towards the firewall. If you continue to have issues, please share the running configuration of the ASA, switch and router.
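The two approaches discussed in this thread, written out as an added ASA configuration example (this is not config from the original poster's device; the ACL name C4_LAN_IN, the host addresses 172.16.19.253 and 172.16.17.10, and the telnet port are assumptions for illustration):

```cisco
! Option A: keep the asymmetric security levels (C4_LAN=0, RSSC4_LAN=100)
! and let stateful inspection handle ICMP return traffic instead of an ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Only flows that C4_LAN (lower) hosts are allowed to START need an ACL;
! replies to flows started from RSSC4_LAN are matched by the connection table.
! Scope it to the real requirement rather than "permit ip any any":
! here echo requests and telnet from the C4 subnet to the /30 toward the TPLINK router.
access-list C4_LAN_IN extended permit icmp 172.16.17.0 255.255.255.0 172.16.19.252 255.255.255.252 echo
access-list C4_LAN_IN extended permit tcp 172.16.17.0 255.255.255.0 172.16.19.252 255.255.255.252 eq 23
access-list C4_LAN_IN extended deny ip any any log
access-group C4_LAN_IN in interface C4_LAN
!
! Option B (last reply): give both interfaces the same security level and
! allow traffic between same-level interfaces. Without the second command,
! same-level traffic is dropped even though no ACL denies it.
interface GigabitEthernet0/1
 security-level 100
!
same-security-traffic permit inter-interface
!
! Verification: trace an echo request from the router side toward a C4 host
! (assumed 172.16.19.253 -> 172.16.17.10); the last phase shows ALLOW or the
! drop reason (acl-drop, no-route, ...), then confirm the conn is built.
packet-tracer input RSSC4_LAN icmp 172.16.19.253 8 0 172.16.17.10
show conn
show logging
```

If packet-tracer reports a no-route drop rather than an ACL drop, the remaining problem is the routing on the switch and router that the last reply describes, not the firewall policy.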
