ASA with routing problem

raza555
Level 3

Hi,

Please advise why I am unable to ping from R3 (DMZ) to R2 (Outside), but am able to ping from R1 (Inside) to R2 (Outside) via the ASA.

I have attached the diagram for clarification.

Below are the configurations from all devices.

R1#sh ip route

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 3 subnets
C       10.10.10.0 is directly connected, Loopback1
C       10.10.11.0 is directly connected, Loopback2
C       10.10.12.0 is directly connected, Loopback3
C    192.168.0.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.0.1
R1#

##############################

ciscoasa# sh ip add
System IP Addresses:
Interface              Name                  IP address    Subnet mask    Method
GigabitEthernet0        outside              192.168.100.1  255.255.255.0  manual
GigabitEthernet1        dmz                  192.168.200.1  255.255.255.0  manual
GigabitEthernet2        inside                192.168.0.1    255.255.255.0  manual
Current IP Addresses:
Interface              Name                  IP address    Subnet mask    Method
GigabitEthernet0        outside              192.168.100.1  255.255.255.0  manual
GigabitEthernet1        dmz                  192.168.200.1  255.255.255.0  manual
GigabitEthernet2        inside                192.168.0.1    255.255.255.0  manual
ciscoasa#

ciscoasa(config)# sh run access-list
access-list ALOW-IN->OUT extended permit tcp any any log
access-list ALOW-IN->OUT extended permit icmp any any log
ciscoasa(config)#

ciscoasa# show run access-group
access-group ALOW-IN->OUT in interface outside
ciscoasa#

###############################

R2#show ip route

Gateway of last resort is 192.168.100.1 to network 0.0.0.0

C    192.168.100.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.100.1
R2#

R2#sh ip int br
Interface                IP-Address    OK? Method Status              Protocol
FastEthernet0/0          192.168.100.2  YES manual up                  up
FastEthernet0/1          unassigned    YES unset administratively down down
R2#

##################################

R3#sh ip int br
Interface                IP-Address    OK? Method Status              Protocol
FastEthernet0/0          192.168.200.2  YES manual up                    up
FastEthernet0/1          unassigned    YES unset administratively down down
Loopback1                11.11.11.1    YES manual up                  up
Loopback2                11.11.12.1    YES manual up                  up
Loopback3                11.11.13.1    YES manual up                  up
R3#

R3#sh ip route

Gateway of last resort is 192.168.200.1 to network 0.0.0.0

C    192.168.200.0/24 is directly connected, FastEthernet0/0
     11.0.0.0/24 is subnetted, 3 subnets
C       11.11.11.0 is directly connected, Loopback1
C       11.11.12.0 is directly connected, Loopback2
C       11.11.13.0 is directly connected, Loopback3
S*   0.0.0.0/0 [1/0] via 192.168.200.1
R3#

##########################


Jouni Forss
VIP Alumni

Hi,

Can you share the ASA configurations?

What does the "packet-tracer" say about ICMP from "dmz" to "outside"?

packet-tracer input dmz icmp 192.168.200.2 8 0 192.168.100.2

- Jouni

Thanks for the reply.

It seems from packet-tracer that packets are dropped by the implicit rule, but I have configured the ACL:

access-list ALOW-IN->OUT extended permit icmp any any log
access-group ALOW-IN->OUT in interface outside

I am not understanding why the packet is being dropped by the implicit rule.

#############################

ciscoasa(config)# packet-tracer input dmz icmp 192.168.200.2 0 0 192.168.100.2

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.100.0   255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)#


########################################
ASA CONFIGURATIONS

#########################################

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet1
nameif dmz
security-level 0
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network Internal-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network Internal-10.10.11.0
subnet 10.10.11.0 255.255.255.0
object network Internal-0.0.0.0
subnet 0.0.0.0 0.0.0.0
object network DMZ-Source-11.11.11.0
subnet 11.11.11.0 255.255.255.0
object network DMZ-Destination-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network DMZ-NAT-192.168.100.202
host 192.168.100.202
object network Inside-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network Inside-NAT-192.168.0.202
host 192.168.0.202
object network Internal-10.10.12.0
subnet 10.10.12.0 255.255.255.0
object network DMZ-0.0.0.0
subnet 0.0.0.0 0.0.0.0
object network DMZ-NAT-192.168.100.205-210
range 192.168.100.205 192.168.100.210
access-list ALOW-IN->OUT extended permit tcp any any log
access-list ALOW-IN->OUT extended permit icmp any any log
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (dmz,outside) source dynamic DMZ-Source-11.11.11.0 DMZ-NAT-192.168.100.202 destination static DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
nat (dmz,inside) source dynamic DMZ-Source-11.11.11.0 Inside-NAT-192.168.0.202 destination static Inside-192.168.0.0 Inside-192.168.0.0
nat (dmz,outside) source dynamic DMZ-NAT-192.168.100.205-210 interface
!
object network Internal-10.10.10.0
nat (inside,outside) dynamic interface
object network Internal-10.10.11.0
nat (inside,outside) dynamic 192.168.100.200
object network Internal-0.0.0.0
nat (inside,outside) dynamic 192.168.100.201
object network Internal-10.10.12.0
nat (inside,dmz) dynamic 30.30.30.1
access-group ALOW-IN->OUT in interface dmz
access-group ALOW-IN->OUT in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route outside 0.0.0.0 0.0.0.0 192.168.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA

I HAVE DELETED THE CERTIFICATE, SO THAT IT'S EASY TO READ THE CONFIG

  quit
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:9973f66e8707194e89f9704a8299bfde
: end
ciscoasa(config)#

Hi Rizwan,

Please try to use the following command and then check, since DMZ and outside interface are both on same security level:

same-security-permit traffic inter-interface

- Prateek Verma

Thanks.

As soon as I configured "same-security-permit traffic inter-interface", the issue was resolved.

Thanks for clarifying it. Now I can ping from DMZ (security 0) to the Outside subnet (security 0).

Prateek

Just for my own learning: if, instead of using the "same-security-permit traffic inter-interface" command, you added an ACL to the DMZ interface allowing the traffic, would that have solved the issue as well?

Jon

Hi Jon,

No, that would not allow the traffic; it would still show a drop in packet-tracer under ACL drop. If 2 different interfaces are at the same security level then you need the inter-interface command, and if you need to access anything behind the same interface and traffic is going through the firewall then you would require the same-security-traffic permit intra-interface command.

- Prateek Verma

Prateek

Okay, I think I understand it, but just to be sure.

If two interfaces are at the same security level then, no matter what you do in terms of ACLs, traffic will still not flow until you enable the "same-security-permit traffic inter-interface".

When you have added that command, if you do have ACLs applied to the interfaces they are still checked and traffic could still be dropped.

Is the above correct?

Jon

Hi Jon,

It will not even check the access-rule; the packet would get dropped before checking the access-rule, as you could see in the packet-tracer output above, but the drop you would see in packet-tracer would be under ACL drop.

- Prateek Verma

Prateek

Sorry, I didn't explain myself very well. What I meant was that, assuming two interfaces have the same security level and the "same-security-traffic permit inter-interface" command was not configured, then:

1) it doesn't matter what else you configure in terms of ACLs etc., traffic still will not flow between those interfaces. From your responses I am pretty certain this is what you are saying

and

2) if you then enable "same-security-traffic permit inter-interface", which allows traffic between those interfaces, can you still control exactly which traffic by using ACLs on the interfaces, i.e. are ACLs still checked with this command enabled?

I just want to make sure I understand it fully, as it does not work the way I thought it did.

Jon

Hi Jon,

1. Yes, you need to configure that command; it doesn't matter if the traffic is allowed in the ACL as well.

2. Yes, you could still use an ACL to control the traffic flow even if that command is present.

- Prateek Verma
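The decision order Prateek describes, as an added model written for this thread and not Cisco code or anything from the posts: the same-security check runs before the ingress ACL, so with dmz and outside both at level 0 the flow is dropped as "Implicit Rule" whatever ALOW-IN->OUT says, and once `same-security-traffic permit inter-interface` is set the inbound ACL on dmz still filters the flow. The model ignores NAT and outbound ("out") access-groups, and the interface levels and ACL entries are taken from the configuration posted above.

```python
from dataclasses import dataclass, field

@dataclass
class Acl:
    """Inbound ACL modelled as (action, protocol) rules over 'any any'."""
    rules: list

    def permits(self, protocol: str) -> bool:
        for action, proto in self.rules:
            if proto in (protocol, "ip"):
                return action == "permit"
        return False  # implicit deny at the end of every ACL

@dataclass
class Asa:
    security: dict                      # interface name -> security level
    access_groups: dict = field(default_factory=dict)  # ingress interface -> Acl
    same_security_inter: bool = False   # same-security-traffic permit inter-interface

    def decide(self, ingress: str, egress: str, protocol: str) -> tuple:
        """Return (action, reason) for a new flow entering ingress and leaving egress."""
        lvl_in, lvl_out = self.security[ingress], self.security[egress]
        # 1. Equal security levels are refused before any ACL is consulted,
        #    unless the global command is present (the drop seen in the thread).
        if lvl_in == lvl_out and not self.same_security_inter:
            return "DROP", "Implicit Rule: same-security traffic not permitted"
        # 2. An ACL bound inbound on the ingress interface then governs the flow.
        acl = self.access_groups.get(ingress)
        if acl is not None:
            if acl.permits(protocol):
                return "ALLOW", f"permitted by access-group on {ingress}"
            return "DROP", f"denied by access-list on {ingress}"
        # 3. No ACL bound: higher-to-lower is implicitly permitted, lower-to-higher denied.
        if lvl_in > lvl_out:
            return "ALLOW", "implicit higher-to-lower permit"
        return "DROP", "Implicit Rule: lower-to-higher denied"

def thread_asa(same_security: bool = False) -> Asa:
    """The thread's box: inside 100, dmz 0, outside 0, ALOW-IN->OUT inbound on dmz and outside."""
    alow_in_out = Acl([("permit", "tcp"), ("permit", "icmp")])
    return Asa(security={"inside": 100, "dmz": 0, "outside": 0},
               access_groups={"dmz": alow_in_out, "outside": alow_in_out},
               same_security_inter=same_security)

if __name__ == "__main__":
    for fixed in (False, True):
        asa = thread_asa(fixed)
        print(fixed, asa.decide("inside", "outside", "icmp"), asa.decide("dmz", "outside", "icmp"))
```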

Prateek

Many thanks for clearing that up.

Jon
