Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Basic Cisco ASA5525 routing fails

Good day,

I am starting this thread because we are experiencing a problem with a 'brandnew' cisco ASA 5525x firewall.

We never configured these firewalls before but since the setup is quite simple, we don't know what is going wrong.

This is getting quite urgent because we need this firewall in production fast.

The type is ASA5525-IPS-K9.

IPS license is not yet installed.

We have simplified our testing setup as in the image bellow (basically this is all we configured, standby firewall was switched off)).

We are firewalling from enterprise dekstops to production servers (no internet involved).

We have set all 'ACLs' open with any to any as much as possible, no blocked traffic is reported in debug mode of the logging.

We have also put all interfaces in the same 'zone' namely 100.

I am not sure if Enterprise IT people have replaced the w2008r2 router by a real router/firewall, but question remains.

problemasa5525.png

Ping request FAILS:

10.240.20.11 to 192.168.0.x

10.240.20.11 to 10.240.29.1 (I guess this is normal firewall behavior)

10.240.20.11 to 10.24.29.2

192.168.0.11 to 10.240.20.2  (I guess this is normal firewall behavior)

192.168.0.11 to 10.240.20.11

(same thing for 10.240.21.11)

Ping request OK:

192.168.0.11 to 10.240.29.1

192.168.0.11 to 10.240.29.2

10.240.20.11 to 10.240.21.11 (routed over the firewall)

We do not see any 'blocked' messages in the logging that is put to debug mode.

If we replace the 'w2008r2 router' by a single laptop with 1 connection and IP 10.240.29.1 GW 10.240.29.2 and connect in the same port, then we are able to ping from 10.240.29.1 to 10.240.20.11 and vice versa.

If we replace the Cisco firewall by a L3 Cisco 3750X with similar routing configuration, we can ping from 10.240.20.11 to the entire 192.168.0.0/23 network and vice versa.

These findings are making us very desperate in finding a solution because the findings do not make sense to me?

Can anyone please give some input on this?

If required I can upload the configuration file here.

Thank you very much in advance,

Best Regards,

Joris

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Green

Re: Basic Cisco ASA5525 routing fails

As Jouni has mentioned the packet capture will give us a 100% confirmation that the traffic is passing through the ASA. 

Then, we started a ping from the laptop to the other, so started a ping from 10.240.29.1 to 10.240.10.11, this worked.

After this, the ping from 10.240.10.11 to 10.240.29.1 started succeeding, without any config change ???

OK, I don't see 10.240.10.11 in your diagram further up, though I do see that the ASA has an interface in this subnet.  Are you experiencing this problem from all subnets attached to the ASA?

I am starting to wonder if the 2008r2 router is missing some routes maybe.  Is this a Cisco router? Could you post the router configuration please?

--
Please remember to rate and select a correct answer

-- Please remember to rate and select a correct answer
19 REPLIES
Super Bronze

Basic Cisco ASA5525 routing fails

Hi,

I think we should start by looking at the ASAs configuration first

- Jouni

New Member

Re: Basic Cisco ASA5525 routing fails

This is the configuration file.

The real IPs we use (not in drawing above) are 10.240.10.11 (instead of 20.11)

Result of the command: "show running-config"

: Saved

:

ASA Version 8.6(1)2

!

hostname FRW

enable password * encrypted

passwd * encrypted

names

!

interface GigabitEthernet0/0

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

channel-group 1 mode active

!

interface GigabitEthernet0/2

channel-group 1 mode active

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

description Link to c k voor vpn

nameif LinkTock

security-level 100

ip address 10.240.29.2 255.255.255.0

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.100.2 255.255.255.0

management-only

!

interface GigabitEthernet1/0

description Link to Core Switch

nameif LinkToCore

security-level 100

ip address 10.240.28.2 255.255.255.0

!

interface GigabitEthernet1/1

nameif LinkToDMZ

security-level 100

no ip address

!

interface GigabitEthernet1/1.10

description Vlan for DMZ SQL

vlan 10

nameif Vlan10DMZSQL

security-level 100

ip address 10.240.10.2 255.255.255.0 standby 10.240.10.4

!

interface GigabitEthernet1/1.11

description Link to Vlan 11 DMZ Backup

vlan 11

nameif Vlan11DMZBackup

security-level 100

ip address 10.240.11.2 255.255.255.0 standby 10.240.11.4

!

interface GigabitEthernet1/1.12

description Link to vlan 12 DMZ share

vlan 12

nameif Vlan12DMZShare

security-level 100

ip address 10.240.12.2 255.255.255.0 standby 10.240.12.4

!

interface GigabitEthernet1/1.13

description Link to Vlan 13 DMZ AVI

vlan 13

nameif Vlan13DMZAVI

security-level 100

ip address 10.240.13.2 255.255.255.0 standby 10.240.13.4

!

interface GigabitEthernet1/1.20

description Link to Vlan 20 DMZ ENG

vlan 20

nameif Vlan20DMZENG

security-level 100

ip address 10.240.20.2 255.255.255.0 standby 10.240.20.4

!

interface GigabitEthernet1/1.21

description Link to Vlan 21 DMZ External

vlan 21

nameif Vlan21DMZExternal

security-level 100

ip address 10.240.21.2 255.255.255.0 standby 10.240.21.4

!

interface GigabitEthernet1/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/4

description Link To Enterprise Core Swith 2

nameif LinkToEnterPriseCore2

security-level 0

ip address 10.240.202.2 255.255.255.0

!

interface GigabitEthernet1/5

description Link to Enterprise Core switch 1

nameif LinkToEnterpriseCore1

security-level 0

ip address 10.240.201.2 255.255.255.0

!

interface Port-channel1

description LAN/STATE Failover Interface

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list global_access extended permit ip any any log debugging

access-list global_access extended permit icmp any any log debugging

access-list Vlan20DMZENG_access_in extended permit icmp any any

access-list Vlan20DMZENG_access_in extended permit ip any any

access-list Vlan12DMZShare_access_out extended permit icmp any any

access-list Vlan12DMZShare_access_out extended permit ip any any

access-list LinkToEnterpriseCore1_access_out extended permit icmp any any

access-list LinkToEnterpriseCore1_access_out extended permit ip any any

access-list LinkToDMZ_access_out extended permit ip any any log debugging

access-list LinkToDMZ_access_out extended permit icmp any any log debugging

access-list Vlan11DMZBackup_access_out extended permit icmp any any

access-list Vlan11DMZBackup_access_out extended permit ip any any

access-list LinkToEnterpriseCore1_access_in extended permit icmp any any

access-list LinkToEnterpriseCore1_access_in extended permit ip any any

access-list Vlan20DMZENG_access_out extended permit icmp any any

access-list Vlan20DMZENG_access_out extended permit ip any any

access-list LinkToDMZ_access_in extended permit ip any any log debugging

access-list LinkToDMZ_access_in extended permit icmp any any log debugging

access-list Vlan10DMZSQL_access_out extended permit tcp any any log debugging

access-list Vlan10DMZSQL_access_out extended permit udp any any log debugging

access-list Vlan10DMZSQL_access_out extended permit icmp any any log debugging

access-list Vlan10DMZSQL_access_out extended permit ip any any log debugging

access-list Vlan10DMZSQL_access_out extended deny ip any any inactive

access-list Vlan10DMZSQL_access_out extended deny icmp any any inactive

access-list LinkToCore_access_in extended permit ip any any

access-list LinkToCore_access_in extended permit icmp any any

access-list LinkToEnterPriseCore2_access_out extended permit ip any any

access-list LinkToEnterPriseCore2_access_out extended permit icmp any any

access-list Vlan10DMZSQL_access_in extended permit icmp any any log debugging

access-list Vlan10DMZSQL_access_in extended permit udp any any log debugging

access-list Vlan10DMZSQL_access_in extended permit tcp any any log debugging

access-list Vlan10DMZSQL_access_in extended permit ip any any log debugging

access-list Vlan10DMZSQL_access_in extended deny ip any any inactive

access-list Vlan10DMZSQL_access_in extended deny icmp any any inactive

access-list LinkToEnterPriseCore2_access_in extended permit ip any any

access-list LinkToEnterPriseCore2_access_in extended permit icmp any any

access-list Vlan21DMZExternal_access_out extended permit icmp any any

access-list Vlan21DMZExternal_access_out extended permit ip any any

access-list Vlan12DMZShare_access_in extended permit icmp any any

access-list Vlan12DMZShare_access_in extended permit ip any any

access-list Vlan13DMZAVI_access_in extended permit icmp any any

access-list Vlan13DMZAVI_access_in extended permit ip any any

access-list LinkToCore_access_out extended permit ip any any

access-list LinkToCore_access_out extended permit icmp any any

access-list Vlan21DMZExternal_access_in extended permit icmp any any

access-list Vlan21DMZExternal_access_in extended permit ip any any

access-list Vlan11DMZBackup_access_in extended permit icmp any any

access-list Vlan11DMZBackup_access_in extended permit ip any any

access-list Vlan13DMZAVI_access_out extended permit icmp any any

access-list Vlan13DMZAVI_access_out extended permit ip any any

access-list LinkTock_access_out extended permit tcp any any log debugging

access-list LinkTock_access_out extended permit udp any any log debugging

access-list LinkTock_access_out extended permit icmp any any log debugging

access-list LinkTock_access_out extended permit ip any any log debugging

access-list LinkTock_access_in extended permit udp any any log debugging

access-list LinkTock_access_in extended permit tcp any any log debugging

access-list LinkTock_access_in extended permit icmp any any log debugging

access-list LinkTock_access_in extended permit ip any any log debugging

pager lines 24

logging enable

logging asdm informational

mtu LinkTock 1500

mtu management 1500

mtu LinkToCore 1500

mtu LinkToDMZ 1500

mtu Vlan10DMZSQL 1500

mtu Vlan11DMZBackup 1500

mtu Vlan12DMZShare 1500

mtu Vlan13DMZAVI 1500

mtu Vlan20DMZENG 1500

mtu Vlan21DMZExternal 1500

mtu LinkToEnterPriseCore2 1500

mtu LinkToEnterpriseCore1 1500

failover

failover lan unit primary

failover lan interface failover Port-channel1

failover link failover Port-channel1

failover interface ip failover 10.240.100.1 255.255.255.0 standby 10.240.100.2

no monitor-interface LinkTock

no monitor-interface management

monitor-interface Vlan10DMZSQL

monitor-interface Vlan11DMZBackup

monitor-interface Vlan12DMZShare

monitor-interface Vlan13DMZAVI

monitor-interface Vlan20DMZENG

monitor-interface Vlan21DMZExternal

no monitor-interface LinkToEnterPriseCore2

no monitor-interface LinkToEnterpriseCore1

icmp unreachable rate-limit 1 burst-size 1

icmp permit any LinkTock

icmp permit any management

icmp permit any LinkToCore

icmp permit any LinkToDMZ

icmp permit any Vlan10DMZSQL

icmp permit any Vlan11DMZBackup

icmp permit any Vlan12DMZShare

icmp permit any Vlan13DMZAVI

icmp permit any Vlan20DMZENG

icmp permit any Vlan21DMZExternal

icmp permit any LinkToEnterPriseCore2

icmp permit any LinkToEnterpriseCore1

no asdm history enable

arp timeout 14400

access-group LinkTock_access_in in interface LinkTock

access-group LinkTock_access_out out interface LinkTock

access-group LinkToCore_access_in in interface LinkToCore

access-group LinkToCore_access_out out interface LinkToCore

access-group LinkToDMZ_access_in in interface LinkToDMZ

access-group LinkToDMZ_access_out out interface LinkToDMZ

access-group Vlan10DMZSQL_access_in in interface Vlan10DMZSQL

access-group Vlan10DMZSQL_access_out out interface Vlan10DMZSQL

access-group Vlan11DMZBackup_access_in in interface Vlan11DMZBackup

access-group Vlan11DMZBackup_access_out out interface Vlan11DMZBackup

access-group Vlan12DMZShare_access_in in interface Vlan12DMZShare

access-group Vlan12DMZShare_access_out out interface Vlan12DMZShare

access-group Vlan13DMZAVI_access_in in interface Vlan13DMZAVI

access-group Vlan13DMZAVI_access_out out interface Vlan13DMZAVI

access-group Vlan20DMZENG_access_in in interface Vlan20DMZENG

access-group Vlan20DMZENG_access_out out interface Vlan20DMZENG

access-group Vlan21DMZExternal_access_in in interface Vlan21DMZExternal

access-group Vlan21DMZExternal_access_out out interface Vlan21DMZExternal

access-group LinkToEnterPriseCore2_access_in in interface LinkToEnterPriseCore2

access-group LinkToEnterPriseCore2_access_out out interface LinkToEnterPriseCore2

access-group LinkToEnterpriseCore1_access_in in interface LinkToEnterpriseCore1

access-group LinkToEnterpriseCore1_access_out out interface LinkToEnterpriseCore1

access-group global_access global

route LinkTock 0.0.0.0 0.0.0.0 10.240.29.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no user-identity enable

user-identity default-domain LOCAL

http server enable

http 10.240.20.0 255.255.255.0 Vlan20DMZENG

http 10.240.32.0 255.255.255.0 LinkToCore

http 10.240.29.0 255.255.255.0 LinkTock

http 192.168.100.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

sysopt connection tcpmss 0

telnet 10.240.29.0 255.255.255.0 LinkTock

telnet 192.168.100.0 255.255.255.0 management

telnet 10.240.32.0 255.255.255.0 LinkToCore

telnet 10.240.20.0 255.255.255.0 Vlan20DMZENG

telnet timeout 5

ssh timeout 5

console timeout 0

no threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:*

: end

New Member

Re: Basic Cisco ASA5525 routing fails

We have done a test by replacing the w2008r2 router by a 'normal' virtual machine with IP 10.240.29.1 and gateway 10.240.29.2.

This did not work (no pings possible, vmware uses a standard virtual switch on the ethernet port).

When we plugged in a laptop with the same settings, it worked.

When we plugged the laptop in a managed 2960x switch and connected that to the firewall, it worked.

If we used another laptop in that switch, with different MAC, same ip settings, it worked.

When we tried the orgininal laptop again using the switch, it failed!

2nd laptop via switch... worked.

Orginal laptop directly... worked.

Orginal laptop via switch... fails.

2nd laptop via switch... works.

reboot 1st laptop, keep in switch, keeps failing.

put in firewall, works again.

Put in switch, works again.

Has this to do with MAC address security somewhere?

Or with settings on the laptops?

Can this cause the problem? This is getting really strange.

VIP Green

Re: Basic Cisco ASA5525 routing fails

Do you have port security configured on the switch?  Would help to see the config of the switch that the PC is connected to when it fails.

--
Please remember to rate and select a correct answer

-- Please remember to rate and select a correct answer
VIP Green

Re: Basic Cisco ASA5525 routing fails

Could you also post the switch configuration please.

First off, I am curious as to why you have outgoing ACLs configured on each interface?  This is not needed, and are very seldom used.  I would suggest removing them.

Could you please issue the following command and post back the results.

packet-tracer input Vlan20DMZENG tcp 10.240.20.11 12345 10.240.29.1 80

packet-tracer input LinkTock tcp 10.240.29.1 12345 10.240.20.11 80

--
Please remember to rate and select a correct answer

-- Please remember to rate and select a correct answer
VIP Green

Re: Basic Cisco ASA5525 routing fails

Also from the ASA are you able to ping 10.240.29.1?

--
Please remember to rate and select a correct answer

-- Please remember to rate and select a correct answer
New Member

Re: Basic Cisco ASA5525 routing fails

I can ping the 10.240.29.1 from the ASA (telnet).

I can even ping the 192.168.0.0/23 from the ASA.

Thank you for your anser I will try your suggestion immediately.

I have also done some updates on my latest post.

Super Bronze

Basic Cisco ASA5525 routing fails

Hi,

The configuration seems pretty basic as all the source networks behind this firewall are directly connected and only the default route is needed towards the router in front of the ASA.

Just incase I would suggest adding this as you seem to lack it

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect icmp

  inspect icmp error

service-policy global_policy global

And as Marius said, "out" / outbound ACLs aren't really not needed they just add complexity. In your case you also have a Global ACL that I tend not to use at all.

The "packet-tracer" command should pretty much tell you if there is a problem on the ASA but on a quick look it seems you are permitting traffic in any possible direction. You have also enabled traffic from same "security-level" interfaces and you are not performing any NAT on any of the networks.

So I am not sure what the ASA would be doing if it was blocking some traffic.

You could for example capture ICMP traffic on the "external" interface of the firewall and see if any of the hosts traffic is getting through the firewall and if they receive a reply

For example

access-list ICMP-CAP permit icmp 192.168.0.0 255.255.254.0

access-list ICMP-CAP permit icmp 192.168.0.0 255.255.254.0

capture ICMP-CAP type raw-data access-list ICMP-CAP interface LinkTock buffer 10000000 circular-buffer

In the place of use the network/subnet address of the subnet from which you are trying to ping the network 192.168.0.0/23

You could then use the following command to check if anything is captured after using ICMP

show capture

You can show the actual contents of the capture with the command

show capture ICMP-CAP

You can copy the capture to your computer so you can view it with Wireshark for example with the command

copy /pcap capture:ICMP-CAP tftp://x.x.x.x/ICMP-CAP.pcap

You can remove the capture and the captured data with the command

no capture ICMP-CAP

You will have to remove the ACL separately

Hope this helps

- Jouni

New Member

Re: Basic Cisco ASA5525 routing fails

OK I ran your commands while the firewall was connected to the failing "w2008r2 router" virtual machine.

While running this script, a ping from 10.240.10.11 was running to 10.240.29.1, which kept failing.


User Access Verification

Password:
Type help or '?' for a list of available commands.
ftw01> enable 15
Password: *************
ftw01# packet-tracer input vlan10dmzsql tcp 10.240.10.11 12345 10.240.29.1 $

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.240.29.0     255.255.255.0   LinkTock

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Vlan10DMZSQL_access_in in interface Vlan10DMZSQL
access-list Vlan10DMZSQL_access_in extended permit tcp any any log debugging
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10036, packet dispatched to next module

Result:
input-interface: Vlan10DMZSQL
input-status: up
input-line-status: up
output-interface: LinkTock
output-status: up
output-line-status: up
Action: allow

ftw01# packet-tracer input LinkTock tcp 10.240.29.1 12345 10.24$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.240.10.0     255.255.255.0   Vlan10DMZSQL

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LinkTock_access_in in interface LinkTock
access-list LinkTock_access_in extended permit tcp any any log debug
ging
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10075, packet dispatched to next module

Result:
input-interface: LinkTock
input-status: up
input-line-status: up
output-interface: Vlan10DMZSQL
output-status: up
output-line-status: up
Action: allow

User Access Verification

Password:
Type help or '?' for a list of available commands.
ftw01> enable 15
Password: *************
ftw01# packet-tracer input vlan10dmzsql tcp 10.240.10.11 12345 10.240.29.1 $

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.240.29.0     255.255.255.0   LinkTock

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Vlan10DMZSQL_access_in in interface Vlan10DMZSQL
access-list Vlan10DMZSQL_access_in extended permit tcp any any log debugging
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10036, packet dispatched to next module

Result:
input-interface: Vlan10DMZSQL
input-status: up
input-line-status: up
output-interface: LinkTock
output-status: up
output-line-status: up
Action: allow

ftw01# packet-tracer input LinkTock tcp 10.240.29.1 12345 10.24$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.240.10.0     255.255.255.0   Vlan10DMZSQL

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LinkTock_access_in in interface LinkTock
access-list LinkTock_access_in extended permit tcp any any log debug
ging
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10075, packet dispatched to next module

Result:
input-interface: LinkTock
input-status: up
input-line-status: up
output-interface: Vlan10DMZSQL
output-status: up
output-line-status: up
Action: allow

VIP Green

Re: Basic Cisco ASA5525 routing fails

From the output of the packet tracer. traffic is allowed through the ASA, atleast on port 80. But since you have permit IP any any everywhere we can safely assume ICMP is also permitted.

I would start looking closer at the switch or even the PC you are testing from that is failing for the problem.

--
Please remember to rate and select a correct answer

-- Please remember to rate and select a correct answer
New Member

Re: Basic Cisco ASA5525 routing fails

We added the laptop (10.240.29.1 GW 10.240.29.2) to the switch, and were in a failing configuration (we could not ping from 10.240.10.11 to 10.240.29.1)

Then, we started a ping from the laptop to the other, so started a ping from 10.240.29.1 to 10.240.10.11, this worked.

After this, the ping from 10.240.10.11 to 10.240.29.1 started succeeding, without any config change ???

Does this sound like ARP problems?

Thanks for your input we are really using this.

The switch has no security-port settings.

VIP Green

Re: Basic Cisco ASA5525 routing fails

I think this might have been an ARP issue.  Has the IP you are testing from been associated with another PC recently?

-- Please remember to rate and select a correct answer
New Member

Re: Basic Cisco ASA5525 routing fails

Hello,

"Has the IP you are testing from been associated with another PC recently?"

Actually we are constantly changing the 10.240.29.1 and 10.240.29.2 'hosts'.

In the initial setup, the .2 is on a 3750X and the .1 is on the w2008router, no problems.

In the 'new' setup, the .2 is on the firezall and the .1 is on the w2008router, problems.

If we set the .1 on a laptop it will work, but when we start changing the laptop and using a switch between, it starts failing again.

VIP Green

Re: Basic Cisco ASA5525 routing fails

try issuing a clear arp on the ASA

and clear ip arp (or you might have to go as far as issuing a clear arp-cache) on the switch and router

--
Please remember to rate and select a correct answer

-- Please remember to rate and select a correct answer
New Member

Re: Basic Cisco ASA5525 routing fails

We have done the ARP resetting and all mac addresses seemed to be fine after.

Still our uplink to the 2008r2 router does not work while everything seems OK.

This is really worrying me.

But thanks for the input..

Super Bronze

Basic Cisco ASA5525 routing fails

Hi,

I would still suggest as an easy way to confirm the section from LAN/DMZ host to the firewall external interface with the ICMP capture (or whatever traffic you want to capture, the capture can be modified to pretty much any setup needed).

With the capture you could confirm if

  • The ICMP Echo from the LAN host has come to the firewall
  • The ICMP Echo from the LAN host has passed through the firewall and being forwarded to the nexthop device
  • The ICMP Echo has received Echo Reply from the remote network 192.168.0.0/24

This way you would probably be able to narrow down the problem to a certain section without constantly changing the network setup that might give false results if the ARP doesnt happen to refresh to the current test setup.

Your original setup seemed to point to a situation that you were able to ICMP from the ASA directly to the remote network 192.168.0.0/23 but not from behind the ASA?

- Jouni

New Member

Re: Basic Cisco ASA5525 routing fails

This thread is about ARP problems with ASA switches could this be related?

It is quite technical to me.

(edited post above)

https://supportforums.cisco.com/thread/2133340

VIP Green

Re: Basic Cisco ASA5525 routing fails

As Jouni has mentioned the packet capture will give us a 100% confirmation that the traffic is passing through the ASA. 

Then, we started a ping from the laptop to the other, so started a ping from 10.240.29.1 to 10.240.10.11, this worked.

After this, the ping from 10.240.10.11 to 10.240.29.1 started succeeding, without any config change ???

OK, I don't see 10.240.10.11 in your diagram further up, though I do see that the ASA has an interface in this subnet.  Are you experiencing this problem from all subnets attached to the ASA?

I am starting to wonder if the 2008r2 router is missing some routes maybe.  Is this a Cisco router? Could you post the router configuration please?

--
Please remember to rate and select a correct answer

-- Please remember to rate and select a correct answer
New Member

Basic Cisco ASA5525 routing fails

Hello,

First of all , thank you all for the responses and tips.

The 2008r2 router is not a Cisco router, it is a Windows Server 2008 R2 virtual machine that has 2 NIC's, and has the "LAN Routing" role activated. It has static routes that seemed OK.

We solved the problem by leaving out this 2008r2 "router" and by giving the firewall 1 IP address in the Enterprise LAN 192.168.1.17. We then configured the enterprise router (which is a real router) to route the 10.240.0.0 traffic to the 192.168.1.17 and everything worked fine. I think the problem was caused by the "Windows Router" that was linked to the firewall, but we are unsure why this was. In the end, it doesn't matter because after integration the firewall will be connected to a 'real' router and not a Windows Server routed machine.

Thank you

294
Views
0
Helpful
19
Replies