01-20-2012 01:15 PM - edited 03-07-2019 04:28 AM
I have a simple network pictured above. The Firewalls are ASA5505's.
I have it set up just like the picture. The left ASA has an ISP and is the default gateway of the 10.10.4.0 net.
The right ASA is the default gateway for the 172.16.7.0 net, and has a separate ISP connection.
I wanted to connect the networks (I had the opportunity), so I created a new interface on the right ASA and gave it an IP on the 10.10.4.0 net.
I created the same-sec intra and inter commands, and created a static route statement on the left ASA.
The switches are dumb (no layer 2 or layer 3 configs).
I can ping across, any host to any host, both ways, no questions asked.
I cannot get any other service to work, no RDP, no CIFS, SAMBA, HTTP, no nothing. I have no idea what I may be missing.
01-20-2012 01:17 PM
I should note that the ASAs have no access-lists configured for any interface, just the defaults. The only access lists configured are the outside_acces_in lists for NAT and firewall purposes.
I have even gone through and added ip any any rules on all interfaces with no luck.
01-20-2012 02:43 PM
Based on what little information you provided, my best guess is that the traffic might be subject to NAT in any direction on either of the two ASAs.
You probably have already found the link below which covers the topic quite extensively from a troubleshooting angle:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#intro
regards,
Leo
01-20-2012 02:44 PM
Hi Arvinder,
Can you please post the output of the following from both the Firewalls:
sh run interface
sh route
sh int ip bri
Manish
05-12-2012 07:24 AM
Just want to help answer my posts. I found the answer for this. What's happening is that the ASA sees the TCP traffic going there, but the router sends it straight to the host on the return, therefore the ASA doesn't see the correct TCP sequence, and kills the connection.
I worked around this using a feature called TCP-State-Bypass. You can find more details on it using this doc:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf
Just want to make sure for those googling, that there is an answer.
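As an added example (not the poster's configuration), here is the Modular Policy Framework configuration that applies TCP state bypass only to traffic between the two subnets named in the thread, on the ASA that sees just one direction of the conversation. The interface name inside and the ACL, class-map and policy-map names are assumptions.

```cisco
! Added example, not the poster's running config. Subnets come from the thread;
! the interface name "inside" and the object names are assumptions.
!
! 1. Match only the cross-subnet TCP flows whose return path skips this ASA.
!    Keep the scope tight: bypassed flows lose TCP normalization, sequence
!    checking and application inspection, so never match "any any" here.
access-list TCP_BYPASS_ACL extended permit tcp 10.10.4.0 255.255.255.0 172.16.7.0 255.255.255.0
access-list TCP_BYPASS_ACL extended permit tcp 172.16.7.0 255.255.255.0 10.10.4.0 255.255.255.0
!
! 2. Class map that selects the flows above.
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS_ACL
!
! 3. Policy map that turns off stateful TCP tracking for that class only.
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! 4. Apply on the interface where the one-way traffic enters, i.e. the
!    interface that is the default gateway for the 10.10.4.0 hosts.
service-policy TCP_BYPASS_POLICY interface inside
!
! Verification:
! show service-policy interface inside
! show conn      -> bypassed connections carry the "b" flag
```

An ASA interface accepts only one service-policy; if one is already attached to inside, add the class to that existing policy-map instead of creating a new one.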