2 subnets routed by the same interface, why can I only ping and nothing else??

Unanswered Question
Jul 5th, 2010

Hi all,

I have 2 subnets, subnet 192.168.0.x and 192.168.2.x. Why can I only ping stuff in 192.168.0.x from 192.168.2.x? Only ping works, but I do have an any any rule for inside. btw there's a route on the inside of my router that sends everything to another router on the .0.x subnet to reach 192.168.2.x...

The 192.168.2.x subnet is labeled plt btw.

ASA Version 8.2(2)
!
hostname ciscoasa
enable password FK8YZWuy5rtfFVxM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.0 plt2 description plt2
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.232 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 199.255.29.2 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq ftp-data
access-list outside_access_in extended permit tcp any any eq 3101
access-list outside_access_in extended permit udp any any eq 3101
access-list outside_access_in extended permit tcp any any eq 9001
access-list outside_access_in extended permit udp any any eq 9001
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq 47
access-list outside_access_in extended permit udp any any eq 47
access-list outside_access_in extended permit gre any any
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 plt2 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside) 0 plt2 255.255.255.0 outside
static (inside,outside) tcp 199.255.29.3 smtp 192.168.0.201 smtp netmask 255.255.255.255
static (inside,outside) tcp 199.255.29.5 https 192.168.0.48 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.0.7 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.0.7 ftp-data netmask 255.255.255.255
static (inside,outside) 199.255.29.4 192.168.0.230 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 199.255.29.1 1
route inside 192.168.1.0 255.255.255.0 192.168.0.233 1
route inside plt2 255.255.255.0 192.168.0.3 1
route inside 192.168.4.0 255.255.255.0 192.168.0.233 1
route inside 192.168.10.0 255.255.255.0 192.168.0.233 1
route inside 192.168.20.0 255.255.254.0 192.168.0.233 1
route inside 195.72.211.0 255.255.255.0 192.168.0.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:030652860a76b041899be518e96feb18
: end
ciscoasa#

Federico Coto F... Mon, 07/05/2010 - 15:39

Dan,

Traffic between 192.168.2.x and 192.168.0.x will not go through the ASA since both networks are inside the ASA (one is directly connected and the other has a route pointing to the inside interface).

So, if there's a problem with communication between those two networks, I don't think it has to do with the ASA.

Anyway, if I'm missing something, please clarify.


Federico.

Hitesh Vinzoda Mon, 07/05/2010 - 22:57

btw there's a route on the inside of my router that sends everything to another router on the .0.x subnet to reach 192.168.2.x...

If this is the case, the traffic from your inside network to 192.168.2.0/24 will not traverse through the ASA. It's better if you check the routers and check the traceroute to confirm whether traffic is traversing through the ASA or not.

HTH

Hitesh Vinzoda

Pls rate useful posts
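To make the replies' point concrete (which ASA interface each side of a flow sits on, and whether the ASA would treat 192.168.2.x to 192.168.0.x as a hairpin on inside rather than an inter-interface flow), here is an added Python model of the posted config's route lookup; it is not from the original thread, and it ignores NAT and the ACLs, which only matter once a packet actually reaches the ASA. Whether any packet reaches the ASA at all depends on the hosts' default gateways, which the config cannot show; the traceroute suggested above is the way to confirm that.

```python
import ipaddress

# Lines copied from the ASA config posted above (only the ones that decide forwarding):
# "name" aliases, interface addresses and static routes are enough for a route lookup.
ASA_CONFIG = """
name 192.168.2.0 plt2 description plt2
nameif inside
ip address 192.168.0.232 255.255.255.0
nameif outside
ip address 199.255.29.2 255.255.255.248
same-security-traffic permit intra-interface
route outside 0.0.0.0 0.0.0.0 199.255.29.1 1
route inside plt2 255.255.255.0 192.168.0.3 1
"""

def parse_routes(config):
    """Collect (network, interface, next_hop) from name/nameif/ip address/route lines."""
    names, routes, ifname, hairpin_ok = {}, [], None, False
    for line in config.splitlines():
        p = line.split()
        if not p: continue
        if p[0] == "name":                  # "name <addr> <alias>" defines an alias
            names[p[2]] = p[1]
        elif p[0] == "nameif":              # following "ip address" belongs to this interface
            ifname = p[1]
        elif p[:2] == ["ip", "address"]:    # directly connected network
            routes.append((ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False), ifname, "connected"))
        elif p[0] == "route":               # static route; destination may be an alias
            dst = names.get(p[2], p[2])
            routes.append((ipaddress.ip_network(f"{dst}/{p[3]}", strict=False), p[1], p[4]))
        elif line.strip() == "same-security-traffic permit intra-interface":
            hairpin_ok = True
    return routes, hairpin_ok

def lookup(routes, ip):
    """Longest-prefix match: the (interface, next_hop) the ASA would use for ip."""
    addr = ipaddress.ip_address(ip)
    _, ifname, nh = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return ifname, nh

def classify_flow(config, src, dst):
    # Report how this ASA would treat a src->dst packet, ignoring NAT and ACLs.
    routes, hairpin_ok = parse_routes(config)
    in_if, _ = lookup(routes, src)      # interface the ASA expects src to be behind
    out_if, nh = lookup(routes, dst)
    if in_if != out_if:
        verdict = "inter-interface"
    elif hairpin_ok:
        verdict = "hairpin on " + in_if + " (permitted by same-security-traffic intra-interface)"
    else:
        verdict = "dropped: intra-interface traffic not permitted"
    return {"ingress": in_if, "egress": out_if, "next_hop": nh, "verdict": verdict}
```

For the thread's case, classify_flow(ASA_CONFIG, "192.168.2.10", "192.168.0.48") reports ingress and egress both on inside, i.e. the ASA would only see this traffic as a hairpin, and only if a host sends it to the ASA in the first place.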

manish arora Tue, 07/06/2010 - 13:23

Hey !

Can you please post any syslog messages?

Also issue the command "same-security-traffic permit inter-interface".

Logs and network topology would be great.

Thanks

Manish
