07-05-2010 01:37 PM - edited 03-04-2019 08:58 AM
Hi all,
I have 2 subnets, 192.168.0.x and 192.168.2.x. Why can I only ping stuff in 192.168.0.x from 192.168.2.x? Only ping works, but I do have an any any rule for inside. BTW, there's a route on the inside of my router that sends everything to another router on the .0.x subnet to reach 192.168.2.x...
The 192.168.2.x subnet is labeled plt, BTW.
ASA Version 8.2(2)
!
hostname ciscoasa
enable password FK8YZWuy5rtfFVxM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.0 plt2 description plt2
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.232 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 199.255.29.2 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq ftp-data
access-list outside_access_in extended permit tcp any any eq 3101
access-list outside_access_in extended permit udp any any eq 3101
access-list outside_access_in extended permit tcp any any eq 9001
access-list outside_access_in extended permit udp any any eq 9001
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq 47
access-list outside_access_in extended permit udp any any eq 47
access-list outside_access_in extended permit gre any any
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 plt2 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside) 0 plt2 255.255.255.0 outside
static (inside,outside) tcp 199.255.29.3 smtp 192.168.0.201 smtp netmask 255.255.255.255
static (inside,outside) tcp 199.255.29.5 https 192.168.0.48 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.0.7 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.0.7 ftp-data netmask 255.255.255.255
static (inside,outside) 199.255.29.4 192.168.0.230 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 199.255.29.1 1
route inside 192.168.1.0 255.255.255.0 192.168.0.233 1
route inside plt2 255.255.255.0 192.168.0.3 1
route inside 192.168.4.0 255.255.255.0 192.168.0.233 1
route inside 192.168.10.0 255.255.255.0 192.168.0.233 1
route inside 192.168.20.0 255.255.254.0 192.168.0.233 1
route inside 195.72.211.0 255.255.255.0 192.168.0.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:030652860a76b041899be518e96feb18
: end
ciscoasa#
07-05-2010 03:39 PM
Dan,
Traffic between 192.168.2.x and 192.168.0.x will not go through the ASA, since both networks are inside the ASA (one is directly connected and the other has a route pointing to the inside interface).
So, if there's a problem with communication between those two networks, I don't think it has to do with the ASA.
Anyway, if I'm missing something, please clarify.
Federico.
07-06-2010 12:36 PM
I'll do a traceroute and check it out.
Thanks
07-05-2010 10:57 PM
btw there's a route on the inside of my router that sends everything to another router on the .0.x subnet to reach 192.168.2.x...
If this is the case, the traffic from your inside network to 192.168.2.0/24 will not traverse through the ASA. It's better if you check the routers and check the traceroute to confirm whether traffic is traversing through the ASA or not.
HTH
Hitesh Vinzoda
Pls rate useful posts
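The point Federico and Hitesh make (both 192.168.0.x and 192.168.2.x resolve to the ASA's inside interface, so a flow between them never crosses the firewall the way an inside-to-outside flow does) can be checked against the posted routing table before running a traceroute. The following is an added example, not code from any of the posters or from Cisco: it embeds the "route" and "ip address" lines from the config above (with the name plt2 expanded to 192.168.2.0), performs the same longest-prefix match the ASA uses to pick an egress interface, and reports whether a given source/destination pair would transit between two interfaces or stay on one. The function and variable names are the example's own.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed input: the static routes from the posted ASA config, with the
# "plt2" name replaced by its value 192.168.2.0.
ROUTE_LINES = """
route outside 0.0.0.0 0.0.0.0 199.255.29.1 1
route inside 192.168.1.0 255.255.255.0 192.168.0.233 1
route inside 192.168.2.0 255.255.255.0 192.168.0.3 1
route inside 192.168.4.0 255.255.255.0 192.168.0.233 1
route inside 192.168.10.0 255.255.255.0 192.168.0.233 1
route inside 192.168.20.0 255.255.254.0 192.168.0.233 1
route inside 195.72.211.0 255.255.255.0 192.168.0.233 1
"""

# Directly connected networks, taken from the "ip address" lines of Vlan1/Vlan2.
CONNECTED = {
    "inside": "192.168.0.232/24",
    "outside": "199.255.29.2/29",
}


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str]  # None for a directly connected network
    metric: int


def parse_routes(text: str, connected: dict) -> list:
    """Build a route table from ASA 'route' lines plus connected interfaces."""
    routes = []
    for ifname, addr in connected.items():
        routes.append(Route(ipaddress.ip_interface(addr).network, ifname, None, 0))
    for line in text.splitlines():
        parts = line.split()
        # Expected shape: route <iface> <net> <mask> <next-hop> <metric>
        if len(parts) != 6 or parts[0] != "route":
            continue
        _, ifname, net, mask, next_hop, metric = parts
        routes.append(Route(ipaddress.ip_network(f"{net}/{mask}"), ifname, next_hop, int(metric)))
    return routes


def lookup(routes: list, dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def classify_flow(routes: list, src: str, dst: str) -> dict:
    """Say whether a src->dst packet would cross from one ASA interface to another."""
    ingress = lookup(routes, src)
    egress = lookup(routes, dst)
    if ingress is None or egress is None:
        return {"transits_asa": False, "reason": "no route for one endpoint"}
    if ingress.interface != egress.interface:
        return {
            "transits_asa": True,
            "ingress": ingress.interface,
            "egress": egress.interface,
            "reason": "crosses interfaces; ACLs and NAT apply",
        }
    # Both endpoints sit behind the same interface. Either the packet never
    # reaches the ASA (hosts route via another gateway on that segment), or it
    # is a hairpin back out the same interface, which the ASA only allows when
    # 'same-security-traffic permit intra-interface' is configured.
    return {
        "transits_asa": False,
        "ingress": ingress.interface,
        "egress": egress.interface,
        "reason": "both endpoints behind the same interface; ASA is not in the path "
                  "unless hosts use it as gateway (hairpin)",
    }


ROUTES = parse_routes(ROUTE_LINES, CONNECTED)

if __name__ == "__main__":
    for pair in (("192.168.2.5", "192.168.0.10"), ("192.168.0.10", "8.8.8.8")):
        print(pair, classify_flow(ROUTES, *pair))
```

Feeding the two subnets from the question into classify_flow gives "both endpoints behind the same interface", which is the reason the inside_access_in rule is irrelevant to the problem; a traceroute from a 192.168.0.x host, as suggested above, shows whether the first hop is 192.168.0.3 or the ASA.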
07-06-2010 01:23 PM
Hey !
Can you please post any syslog messages?
Also issue the command "same-security-traffic permit inter-interface".
Logs and network topology would be great.
Thanks
Manish