Routing problems with ASA Firewall (LAN), not with 3750X
I am starting this thread because we are experiencing a problem with a 'brand-new' Cisco ASA 5525-X firewall.
I am not sure whether to post this in the firewalling or the routing/LAN threads, because we are not firewalling at the moment but just want to route.
We have never configured these firewalls before, but since the setup is quite simple, we don't know what is going wrong.
This is getting quite urgent because we need this firewall in production fast.
The type is ASA5525-IPS-K9.
IPS license is not yet installed.
We have simplified our testing setup as in the image below (basically this is all we configured; the standby firewall was switched off).
We are firewalling from enterprise desktops to production servers (no internet involved).
We have set all 'ACLs' open with any to any as much as possible; no blocked traffic is reported in debug mode of the logging.
We have also put all interfaces in the same 'zone', namely 100.
I am not sure if the Enterprise IT people have replaced the w2008r2 router by a real router/firewall, but the question remains.
Ping request FAILS:
10.240.20.11 to 192.168.0.x
10.240.20.11 to 10.240.29.1 (I guess this is normal firewall behavior)
10.240.20.11 to 10.24.29.2
192.168.0.11 to 10.240.20.2 (I guess this is normal firewall behavior)
192.168.0.11 to 10.240.20.11
(same thing for 10.240.21.11)
Ping request OK:
192.168.0.11 to 10.240.29.1
192.168.0.11 to 10.240.29.2
10.240.20.11 to 10.240.21.11 (routed over the firewall)
We do not see any 'blocked' messages in the logging, which is set to debug mode.
If we replace the 'w2008r2 router' by a single laptop with 1 connection and IP 10.240.29.1, GW 10.240.29.2, and connect it to the same port, then we are able to ping from 10.240.29.1 to 10.240.20.11 and vice versa.
If we replace the Cisco firewall by a L3 Cisco 3750X with a similar routing configuration, we can ping from 10.240.20.11 to the entire 192.168.0.0/23 network and vice versa.
These findings are making us very desperate to find a solution, because they do not make sense to me.
Can anyone please give some input on this?
If required I can upload the configuration file here.
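The ping matrix in the post is easier to reason about once each test is grouped by the pair of ASA interfaces it would traverse, so that "the firewall does not route" becomes "this particular ingress/egress pair fails while another one works". The script below is an added example written for this thread, not code from the poster or from Cisco. It transcribes the ping results above and does a longest-prefix lookup against the ASA's connected subnets and one static route. Everything about the firewall's tables is an assumption: 10.240.20.2 and 10.240.29.2 appear in the post, the 10.240.21.2 address, the interface names and the 192.168.0.0/23 route via the w2008r2 router at 10.240.29.1 are assumed, and 192.168.0.11 stands in for "192.168.0.x". Pings aimed at one of the ASA's own addresses are labelled separately, because an ASA answers ICMP only on the interface the request arrives on, so a "far" interface address not replying is expected rather than a routing symptom.

```python
"""Group the ping tests from the post by the ASA interface pair they would traverse."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Connected subnets per ASA interface (names and the 10.240.21.x leg are assumptions).
ASA_INTERFACES = {
    "lan20": ip_network("10.240.20.0/24"),
    "lan21": ip_network("10.240.21.0/24"),
    "lan29": ip_network("10.240.29.0/24"),
}
# The ASA's own addresses; 10.240.20.2 and 10.240.29.2 are from the post, 10.240.21.2 is assumed.
ASA_ADDRESSES = {
    ip_address("10.240.20.2"): "lan20",
    ip_address("10.240.21.2"): "lan21",
    ip_address("10.240.29.2"): "lan29",
}
# Assumed static route: 192.168.0.0/23 is behind the w2008r2 router at 10.240.29.1.
STATIC_ROUTES = [(ip_network("192.168.0.0/23"), "lan29")]

# Ping results transcribed from the post (constructed data; 192.168.0.11 stands in for 192.168.0.x).
PING_RESULTS = [
    ("10.240.20.11", "192.168.0.11", False),
    ("10.240.20.11", "10.240.29.1", False),
    ("10.240.20.11", "10.24.29.2", False),   # destination copied exactly as written in the post
    ("192.168.0.11", "10.240.20.2", False),
    ("192.168.0.11", "10.240.20.11", False),
    ("192.168.0.11", "10.240.29.1", True),
    ("192.168.0.11", "10.240.29.2", True),
    ("10.240.20.11", "10.240.21.11", True),
]


def egress_interface(addr):
    """Longest-prefix match over connected subnets and static routes; None when nothing matches."""
    ip = ip_address(addr)
    best = None  # (interface name, matching network)
    candidates = [(name, net) for name, net in ASA_INTERFACES.items()]
    candidates += [(name, net) for net, name in STATIC_ROUTES]
    for name, net in candidates:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def classify(src, dst):
    """Return (kind, (ingress, egress)) describing what the ASA must do with src -> dst."""
    in_if = egress_interface(src)  # the interface a packet from src arrives on
    if in_if is None:
        return "no-route", None
    target = ASA_ADDRESSES.get(ip_address(dst))
    if target is not None:
        # Ping to the ASA itself: only the arrival interface's own address answers.
        kind = "own-interface-near" if target == in_if else "own-interface-far"
        return kind, (in_if, target)
    out_if = egress_interface(dst)
    if out_if is None:
        return "no-route", (in_if, None)
    if out_if == in_if:
        # Source and destination share a segment; the ASA is not on the path.
        return "same-segment", (in_if, out_if)
    return "transit", (in_if, out_if)


def transit_summary(results):
    """Count ok/fail per (ingress, egress) pair, considering only pings that transit the ASA."""
    summary = defaultdict(lambda: {"ok": 0, "fail": 0})
    for src, dst, ok in results:
        kind, pair = classify(src, dst)
        if kind == "transit":
            summary[pair]["ok" if ok else "fail"] += 1
    return dict(summary)


if __name__ == "__main__":
    for src, dst, ok in PING_RESULTS:
        print(f"{src:>14} -> {dst:<14} {'OK  ' if ok else 'FAIL'} {classify(src, dst)}")
    for pair, counts in sorted(transit_summary(PING_RESULTS).items()):
        print(pair, counts)
```

With the assumed tables, every failing transit test involves the lan29 leg (lan20 to lan29 twice, lan29 to lan20 once), while the only transit success is lan20 to lan21, and two of the failures are not transit cases at all (a far-interface address and a destination with no matching route). Swapping in the real `show route` and `show interface ip brief` output for the assumed tables is the first thing to do before reading anything into the grouping.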