I am trying to pass traffic between two internal interfaces but am unable to. Been searching quite a bit and have tried several things to no avail. I feel like there is a simple solution here I am just not seeing. Here is the relevant portion of my config:
On both networks I am able to access the internet, just not traffic between each other.
A packet-tracer reveals the following (it's hitting some weird rules on the way):
cybertron# packet-tracer input inside tcp 192.168.5.2 ssh 10.12.0.2 ssh detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab827020, priority=1, domain=permit, deny=false
hits=8628156090, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
match ip ct-users 10.12.0.0 255.255.0.0 inside any
static translation to 10.12.0.0
translate_hits = 0, untranslate_hits = 6
Additional Information:
NAT divert to egress interface ct-users
Untranslate 10.12.0.0/0 to 10.12.0.0/0 using netmask 255.255.0.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad5bec88, priority=12, domain=permit, deny=false
hits=173081, user_data=0xa8a76ac0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab829758, priority=0, domain=inspect-ip-options, deny=true
hits=146139764, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad48c860, priority=6, domain=nat-exempt-reverse, deny=false
hits=2, user_data=0xad4b5e98, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside any ct-users 10.12.0.0 255.255.0.0
NAT exempt
translate_hits = 2, untranslate_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad3b1f70, priority=6, domain=nat-exempt, deny=false
hits=2, user_data=0xad62b7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
match ip inside 192.168.5.0 255.255.255.0 ct-users any
static translation to 192.168.5.0
translate_hits = 1, untranslate_hits = 15
Additional Information:
Forward Flow based lookup yields rule:
in id=0xadf7a778, priority=5, domain=nat, deny=false
hits=6, user_data=0xad80cfd0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) udp 184.73.2.1 1514 192.168.5.2 1514 netmask 255.255.255.255
match udp inside host 192.168.5.2 eq 1514 outside any
static translation to 184.73.2.1/1514
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8e2928, priority=5, domain=host, deny=false
hits=9276881, user_data=0xab8e1d20, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.5.2, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
match ip ct-users 10.12.0.0 255.255.0.0 inside any
static translation to 10.12.0.0
translate_hits = 0, untranslate_hits = 6
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad158dc0, priority=5, domain=nat-reverse, deny=false
hits=6, user_data=0xac0fb6b8, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
match ip ct-users 10.12.0.0 255.255.0.0 inside any
static translation to 10.12.0.0
translate_hits = 0, untranslate_hits = 6
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xada0cd38, priority=5, domain=host, deny=false
hits=131, user_data=0xac0fb6b8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.12.0.0, mask=255.255.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xad5c1ab0, priority=0, domain=inspect-ip-options, deny=true
hits=130, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 189385494, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ct-users
output-status: up
output-line-status: up
Action: allow
