Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
381
Views
0
Helpful
4
Replies

ASA 5505 issue (8.2 IOS)

The_guroo_2
Level 2
Level 2

‎08-06-2014 02:49 AM - edited ‎03-11-2019 09:35 PM

Guys we have an ASA 5505 which is running 8.2 code

 

we have three vlans 1, 2, 3

 

vlan 1 is inside

vlan 3 is connected to another office  vlan is 172.168.1.1 (same owners) and we have few servers there which are 192.168.1.0/24 (server farm)

 

vlan 1 is 10.0.0.0/24

 

 we can ping the servers from inside to the vlan 3 no issues......but we cant ping or access any thing from 192.X network

the access-list is allowed on vlan 3 ip any as its trusted network....

The routes are in placed as wel i cant figure it out i never worked on 8.2 but there is NAT configured maybe that is the issues. which is as under

 

global (CO_Services) 1 interface  (this is vlan 3)
global (OUTSIDEINTERNET) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0

 

 

Guys can someone please help as i am helpless

 

Thanks

 

Labels:
0 Helpful
4 Replies 4

Marius Gunnerud
VIP
VIP

‎08-06-2014 03:52 AM

So inside can ping/access CO_Services but CO_Services cannot ping/access inside?

Are you running the security plus license on the ASA? (show version)

If you could do a packet tracer and post the output here

packet-tracer input OC_Services tcp 172.168.1.10 12345 10.0.0.10 80 detail

This should give us an indication of if the ASA is blocking the traffic.

Also, would help to see the full configuration (sanitised) of the 5505.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

The_guroo_2
Level 2
Level 2
In response to Marius Gunnerud

‎08-07-2014 03:28 AM

Hi

 

error...is i gues RFP

 

can you plz advise

 

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 10.0.0.0 255.255.255.0
  match ip inside 10.0.0.0 255.255.255.0 CO_Services any
    dynamic translation to pool 1 (172.168.1.1 [Interface PAT])
    translate_hits = 721, untranslate_hits = 112
Additional Information:
<--- More --->
              

Result:
input-interface: CO_Services
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful

The_guroo_2
Level 2
Level 2

‎08-07-2014 03:27 AM

Hi

 

error...is i gues RFP

 

can you plz advise

 

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 10.0.0.0 255.255.255.0
  match ip inside 10.0.0.0 255.255.255.0 CO_Services any
    dynamic translation to pool 1 (172.168.1.1 [Interface PAT])
    translate_hits = 721, untranslate_hits = 112
Additional Information:
<--- More --->
              

Result:
input-interface: CO_Services
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful

Marius Gunnerud
VIP
VIP
In response to The_guroo_2

‎08-07-2014 03:33 AM

The RFP error means that the source address you configured is not found through the source interface, or that is what it normally means. 

Could you please post the full output of the packet tracer including the packet-tracer command.

Also please posts a full running config (sanitised) of the ASA.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card