Routing problems with ASA Firewall (LAN), not with 3750X

Joris Syen
Level 1

Good day,

I am starting this thread because we are experiencing a problem with a 'brand-new' Cisco ASA 5525-X firewall.

I am not sure whether to post this in the firewalling or the routing LAN threads, because we are not firewalling at the moment but just want to route.

We never configured these firewalls before but since the setup is quite simple, we don't know what is going wrong.

This is getting quite urgent because we need this firewall in production fast.

The type is ASA5525-IPS-K9.

IPS license is not yet installed.

We have simplified our testing setup as in the image below (basically this is all we configured; the standby firewall was switched off).

We are firewalling from enterprise desktops to production servers (no internet involved).

We have set all 'ACLs' open with any to any as much as possible, no blocked traffic is reported in debug mode of the logging.

We have also put all interfaces in the same 'zone' namely 100.

I am not sure if Enterprise IT people have replaced the w2008r2 router by a real router/firewall, but question remains.

[image: problemasa5525.png]

Ping request FAILS:

10.240.20.11 to 192.168.0.x

10.240.20.11 to 10.240.29.1 (I guess this is normal firewall behavior)

10.240.20.11 to 10.24.29.2

192.168.0.11 to 10.240.20.2 (I guess this is normal firewall behavior)

192.168.0.11 to 10.240.20.11

(same thing for 10.240.21.11)

Ping request OK:

192.168.0.11 to 10.240.29.1

192.168.0.11 to 10.240.29.2

10.240.20.11 to 10.240.21.11 (routed over the firewall)

We do not see any 'blocked' messages in the logging that is put to debug mode.

If we replace the 'w2008r2 router' by a single laptop with 1 connection and IP 10.240.29.1 GW 10.240.29.2 and connect in the same port, then we are able to ping from 10.240.29.1 to 10.240.20.11 and vice versa.

If we replace the Cisco firewall by a L3 Cisco 3750X with similar routing configuration, we can ping from 10.240.20.11 to the entire 192.168.0.0/23 network and vice versa.

These findings are making us very desperate in finding a solution, because the findings do not make sense to me.

Can anyone please give some input on this?

If required I can upload the configuration file here.

Thank you very much in advance,

Best Regards,

Joris
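The post describes every interface at security level 100, open ACLs, no blocked-traffic syslogs, and a 192.168.0.0/23 network sitting behind a router at 10.240.29.1. The configuration below is an added example, not the poster's own config or anything from the thread; it collects the three ASA settings a practitioner would verify first in exactly that situation, because each of them drops or fails traffic without producing an ACL deny message. Interface names (inside, desktops21, servers), the physical ports, and the 10.240.21.2 address are assumptions; 10.240.20.2, 10.240.29.2, 10.240.29.1 and 192.168.0.0/23 are taken from the post.

```cisco
! Added example, not the poster's configuration. Interface names, port
! numbers and 10.240.21.2 are assumptions; other addresses are from the post.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.240.20.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif desktops21
 security-level 100
 ip address 10.240.21.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif servers
 security-level 100
 ip address 10.240.29.2 255.255.255.0
!
! 1. Two interfaces at the same security level do not forward traffic to
!    each other until this is enabled; the drop is silent (no ACL syslog).
same-security-traffic permit inter-interface
!
! 2. The ASA only knows the connected 10.240.29.0/24; it needs an explicit
!    route for the /23 behind the W2008R2 router, via that router's address.
route servers 192.168.0.0 255.255.254.0 10.240.29.1 1
!
! 3. Inspect ICMP so echo requests create a connection entry and the echo
!    replies are matched to it on the way back.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
```

To see where a given ping is being dropped without guessing, run `packet-tracer input inside icmp 10.240.20.11 8 0 192.168.0.11 detailed` on the ASA; it walks the packet through route lookup, ACL, NAT and inspection and names the phase that fails. `show route` confirms the static route is installed, and `show asp drop` counts drops that never reach syslog even at debug level. The far-side router also needs return routes for 10.240.20.0/24 and 10.240.21.0/24 pointing at 10.240.29.2; a missing return route produces the same one-way symptom as a missing ASA route. Pinging an ASA interface address from a host on a different interface (10.240.20.11 to 10.240.29.2, or 192.168.0.11 to 10.240.20.2) is expected to fail, as the post already notes.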

1 Reply

Jon Marshall
Hall of Fame

Edited - duplicate post. Please use the link below to post answers -

https://supportforums.cisco.com/thread/2265530?tstart=0

Jon
