Routing problem with ASA5520

Unanswered Question
Feb 13th, 2009
User Badges:

Hi


I am having issues with routing on 2 ASA 5520 and wondering if anyone can help.


Attached is some of the running config.


The setup is basically 2 asa 5520s running in a active/active configuration.


3 out of the four interfaces are used and one for failover between each box.


I have an interface dedicated to each zone as such:


Core (inside) 10.1.0.0

DMZ 10.8.0.0

Outside 11.1.0.0


Now I have been trying to enable routing between the inside interface and the DMZ, and vice versa.


For example I would like a host in the inside zone to be able to ping a host in the DMZ.


I have added exception for ICMP and also allow it both ways. To which it doesn't appear to work, also tried the same but for a host inside to connect to a web server in the dmz.


Everytime I run the packet trace wizard in the ASDM it is almost like the ACL rules and not being picked up and am told that the implicit deny is causing the packet to be dropped?


I have tried many combinations of nat exemptions and acl rules


Any ideas?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
eddie.mitchell@... Fri, 02/13/2009 - 08:13
User Badges:
  • Silver, 250 points or more

Why do you have 3 ACL's applied to the inside interface and 2 applied to the DMZ?


access-group Core_access_in_1 in interface Core control-plane

access-group outside-in-acl in interface Core

access-group Core_access_out out interface Core

access-group outside-in-acl in interface DMZ

access-group DMZ_access_out out interface DMZ

asecisco1 Fri, 02/13/2009 - 08:16
User Badges:

I believe the ASDM created them the first time I used it.

asecisco1 Mon, 02/16/2009 - 00:48
User Badges:

I have added a nat exmeption rule and tried specifying both explicit source and destinations ip addresses of the hosts as well as any any but still doesn't seem to route.

JamesLuther Mon, 02/16/2009 - 04:51
User Badges:
  • Silver, 250 points or more

Hello,


I belive the problem is with ACL "outside-in-acl". This has been applied to both the DMZ and Core interfaces. So you need to allow icmp echo and icmp echo-reply on this ACL ie


access-list outside-in-acl extended permit icmp any any echo

access-list outside-in-acl extended permit icmp any any echo-reply


Please try adding and let us know the result.



Regards

asecisco1 Mon, 02/16/2009 - 06:10
User Badges:

Hi


I've tried to add that rule to any and all access-lists just in case and still get the same result.


If I used the built in packet inspection tool it seems that the implicit deny deny is causing the packet to be dropped.


I have also tried to follow the information on http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml


and still seem to end up with the same result.


Have you got any other sugesstions you could help with?

Actions

This Discussion