How can you tell if interfaces on an ASA 5020 are communicating with each other

Dave Kozlowski
Level 1

I have 2 ASAs.

One in production with a DMZ connection to a second one that I am using (called lab).

From within the LAB ASA I can ping to systems on the lab site and to the internal interface on the production ASA.

When I am on a Windows server in the lab I cannot get out to the Internet, yet my switch is routing all 0.0.0.0 traffic out through the ASAs.

When I am on the LAB ASA all rules are successful when I click on the Diagram button.

Is there any way to confirm that both ports on the LAB ASA are communicating with each other?

Thanks

DAVE


2 Replies

Jouni Forss
VIP Alumni

Hi,


I think we would need clarification on the actual network setup to know what the actual problem is, but here are some questions and ideas on what to check.

  • You mention that there is a switch on the LAB network which connects to the servers that cannot access the Internet. I presume you then have some L3 switch, since you mention it has a default route configured? If you are talking about a "default-gateway" configuration on the switch, then that only acts as the gateway for the switch itself and not for any host behind the switch.
  • You say that the LAB ASA can ping the PROD ASA. This might be due to them sharing a directly connected subnet, which means that no static routes are required for them to communicate. Now the question is, does the PROD ASA have a static route for the LAB subnet behind the LAB ASA? This could be one reason there is no connectivity past the gateway interface on the PROD ASA (the gateway interface towards the LAB ASA).
  • Have you confirmed that the PROD ASA has a Dynamic PAT configuration for the LAB subnet, so that NAT is performed when the LAB subnet attempts to connect to the Internet? If there is no NAT configured, the traffic (if allowed through the PROD ASA) will go through the ASA without NAT and the connection will obviously fail. I would suggest trying "packet-tracer" (either through CLI or ASDM), where you simulate a connection coming from the LAB subnet to the Internet on the PROD ASA.

The easiest way to confirm what is happening with the server connections coming from the LAB ASA is to check the ASDM real-time logs on the PROD ASA. Just filter the log to show some IP address from the LAB subnet and attempt the connections. You should see if the connection attempt gets blocked by the PROD ASA. You should also see (if the connection is allowed) whether NAT is performed for the source address. Naturally, using "packet-tracer" on the PROD ASA would tell you all the rules applied to the connection right away.


But as I said, we really don't have a specific picture of your network at the moment so there might be other problems too.


- Jouni
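The route, NAT and packet-tracer checks from the reply above, written out as an added ASA CLI example (not part of Jouni's post). All addresses and interface names are constructed assumptions: the LAB subnet is 192.168.50.0/24 with a host 192.168.50.10, the PROD ASA's interface facing the LAB ASA is named "dmz" with the LAB ASA's address 192.168.100.2 on that segment, the Internet-facing interface is "outside", and 203.0.113.10 stands in for an Internet host. The commands are run on the PROD ASA.

```cisco
! Constructed values (assumptions, not from the thread):
!   LAB subnet behind the LAB ASA  : 192.168.50.0/24  (test host 192.168.50.10)
!   LAB ASA address on the DMZ link: 192.168.100.2
!   PROD ASA interfaces            : nameif "dmz" (toward LAB), nameif "outside"
!
! 1. Does the PROD ASA know how to reach the LAB subnet? (return path)
show route | include 192.168.50.0
! If nothing is listed, add a static route pointing at the LAB ASA:
route dmz 192.168.50.0 255.255.255.0 192.168.100.2
!
! 2. Is the LAB subnet covered by a NAT rule toward the Internet?
show nat
show xlate | include 192.168.50.
! Example dynamic PAT for the LAB subnet (ASA 8.3+ object NAT syntax):
object network LAB-SUBNET
 subnet 192.168.50.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! 3. Simulate one LAB host connecting to the Internet. Every phase
!    (route lookup, access list, NAT, ...) is reported as ALLOW or DROP and
!    the final "Action" line says whether the packet would be forwarded.
packet-tracer input dmz tcp 192.168.50.10 40000 203.0.113.10 80 detailed
! Same check for ICMP echo (type 8, code 0), matching the ping test in the question:
packet-tracer input dmz icmp 192.168.50.10 8 0 203.0.113.10
```

If packet-tracer reports a DROP, the phase in which it happens (for example a route lookup that finds no egress interface, or an ACL phase) identifies which of the three bullets applies; if it reports ALLOW but the NAT phase shows no translation, the dynamic PAT is the missing piece.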

Another tool you can use on the ASA is the packet capture feature. This will show you if the ASA is seeing both the request and reply traffic on both interfaces (if you configure it for both interfaces). This way, if you see traffic entering the inside interface and leaving the outside interface but do not see the return traffic, and you are permitting the return traffic (in the case of ICMP), then you can assume that the problem isn't with the ASA but is most likely a routing issue farther downstream.

https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios

--

Please remember to select a correct answer and rate helpful posts
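The two-interface capture described in the reply above, as an added ASA CLI example (not from the post or the linked document). Interface names "inside" and "outside", the LAB host 192.168.50.10 and the Internet target 203.0.113.10 are constructed assumptions; the commands are run on the LAB ASA while a ping is sent from the LAB host.

```cisco
! Constructed values (assumptions): LAB ASA interfaces "inside" and "outside",
! LAB host 192.168.50.10, Internet target 203.0.113.10.
!
! Capture ICMP on both interfaces so request and reply can be matched per side.
! On the outside interface the source may be the ASA's own address if it PATs,
! so match on the destination only.
capture capin  interface inside  match icmp host 192.168.50.10 host 203.0.113.10
capture capout interface outside match icmp any host 203.0.113.10
! Also record anything the ASA itself discards, together with the drop reason:
capture capdrop type asp-drop all
!
! ... send the ping from the LAB host, then inspect:
show capture capin
show capture capout
show capture capdrop | include 192.168.50.10
!
! Reading the result:
!   echo request on capin and capout, no reply on capout  -> ASA forwarded it;
!                                                            problem is upstream
!   echo request on capin, nothing on capout              -> ASA dropped or
!                                                            rerouted it; see capdrop
!   echo reply on capout but not on capin                 -> return traffic is
!                                                            not being permitted
!
! Remove the captures when finished (they hold packets in memory):
no capture capin
no capture capout
no capture capdrop
```

The asp-drop capture is the useful complement to the interface captures: when a request is seen on inside but never appears on outside, it names the reason the ASA discarded it rather than leaving that to guesswork.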
