Need fluid traffic between two same security level interfaces

Dear Sirs, I am configuring an ASA5510 before implementing it on my network. I have 1 ISP for internet connected to the Outside interface, a DMZ interface and 2 inside interfaces. One of these inside interfaces is Outside1, which will be connected to a router that will have fiber and antennas for communicating with our small offices. I need fluid traffic between Inside and Outside1. I tried following some advice but it is still not working. Here's my configuration. Can you help me?

: Saved

:

ASA Version 8.2(1)

!

hostname ASAFCHFW

domain-name farmaciachavez.com.bo

enable password 6Jfo5anznhoG00fM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address X.X.X.X y.y.y.y

!

interface Ethernet0/1

nameif Outside1

security-level 100

ip address 192.168.2.2 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 10

ip address 172.16.31.1 255.255.255.0

!

interface Ethernet0/3

nameif Inside

security-level 100

ip address 192.168.100.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name farmaciachavez.com.bo

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz_in extended permit ip any any

access-list dmz_in extended permit icmp any any

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list 100 extended permit tcp any host x.x.x.163 eq smtp

access-list 100 extended permit udp any host x.x.x.163 eq domain

access-list 100 extended permit tcp any host x.x.x.163 eq https

access-list 100 extended permit tcp any host x.x.x.163 eq www

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Outside1 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.100.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Inside

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

static (Inside,DMZ) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (DMZ,Outside) x.x.x.163 172.16.31.0 netmask 255.255.255.255

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

access-group 100 in interface Outside

access-group dmz_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 x.x.x.161 1

route Outside1 172.1.1.0 255.255.255.0 192.168.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.100.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:b5e4725e47eea02221510b282e9e5843

: end

Thanks in advance

Eduardo Guerra

1 ACCEPTED SOLUTION

Accepted Solutions

Need fluid traffic between two same security level interfaces

Can you post the results of this command?

packet-tracer input inside tcp 192.168.100.5 9823 192.168.2.10 80 detail

and

packet-tracer input Outside1 tcp 192.168.2.10 9823 192.168.100.5 80 detail

25 REPLIES

Need fluid traffic between two same security level interfaces

So is there no communication from inside to outside1?

Need fluid traffic between two same security level interfaces

Yes, there is no communication. I tried pinging from a computer connected to Inside to a computer connected to Outside1 and vice versa. I also tried to access shared resources from each computer, with negative results.

EG

Need fluid traffic between two same security level interfaces

Hi,

Try to use the following command:

same-security-traffic permit inter-interface

- Prateek Verma

Need fluid traffic between two same security level interfaces

Can you post the results of this command?

packet-tracer input inside tcp 192.168.100.5 9823 192.168.2.10 80 detail

and

packet-tracer input Outside1 tcp 192.168.2.10 9823 192.168.100.5 80 detail

Need fluid traffic between two same security level interfaces

Here are the results:

packet-tracer input inside tcp 192.168.100.5 9823 192.168.2.10 80 detail     (Last 2 Phases)

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (Inside,DMZ) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

  match ip Inside 192.168.100.0 255.255.255.0 DMZ any

    static translation to 192.168.100.0

    translate_hits = 0, untranslate_hits = 471

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab9355d0, priority=5, domain=host, deny=false

        hits=1611, user_data=0xab934f90, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=192.168.100.0, mask=255.255.255.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype:

Result: DROP

Config:

nat (Inside) 101 0.0.0.0 0.0.0.0

  match ip Inside any Outside1 any

    dynamic translation to pool 101 (No matching global)

    translate_hits = 94, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab9309e8, priority=1, domain=nat, deny=false

        hits=93, user_data=0xabeffa80, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside1

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

packet-tracer input Outside1 tcp 192.168.2.10 9823 192.168.100.5 80 detail      (Last 2 Phases)

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7f6198, priority=0, domain=permit-ip-option, deny=true

        hits=776, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype:

Result: DROP

Config:

nat (Outside1) 101 0.0.0.0 0.0.0.0

  match ip Outside1 any Inside any

    dynamic translation to pool 101 (No matching global)

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac0c13f8, priority=1, domain=nat, deny=false

        hits=0, user_data=0xac0c1338, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: Outside1

input-status: up

input-line-status: up

output-interface: Inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Also, I added this command:

nat (Outside1) 101 0.0.0.0 0.0.0.0

EG

Need fluid traffic between two same security level interfaces

Hi,

Try to put in the following commands:

static (Inside,outside1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

- Prateek Verma

Need fluid traffic between two same security level interfaces

Dear Prateek, the configuration is like this and I can connect between interfaces, but I can't access network 172.1.1.0, which is connected to another router that is connected to interface Outside1. Any suggestions for this?

ASA Version 8.2(1)

!

hostname ASAFCHFW

domain-name farmaciachavez.com.bo

enable password 6Jfo5anznhoG00fM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 200.87.200.162 255.255.255.248

!

interface Ethernet0/1

nameif Outside1

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 10

ip address 172.16.31.1 255.255.255.0

!

interface Ethernet0/3

nameif Inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name farmaciachavez.com.bo

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz_in extended permit ip any any

access-list dmz_in extended permit icmp any any

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list 100 extended permit tcp any host 200.87.226.163 eq smtp

access-list 100 extended permit udp any host 200.87.226.163 eq domain

access-list 100 extended permit tcp any host 200.87.226.163 eq https

access-list 100 extended permit tcp any host 200.87.226.163 eq www

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Outside1 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.0.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Inside

icmp permit 192.168.0.0 255.255.255.0 Inside

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (Outside1) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

static (DMZ,Outside) 200.87.200.163 172.16.31.0 netmask 255.255.255.255

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group 100 in interface Outside

access-group dmz_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 200.87.200.161 1

route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.168.0.0 255.255.255.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:6dfac383495fa18bde8783c7d47c3d81

: end

Thanks in advance

EG

Need fluid traffic between two same security level interfaces

What happens if you increase the routing distance for the default route, e.g.

  route Outside 0.0.0.0 0.0.0.0 200.87.200.161 20

-- Jim Leinweber, WI State Lab of Hygiene

Need fluid traffic between two same security level interfaces

The default route is for internet use. Another static route is for connecting headquarters with other offices.

EG

Need fluid traffic between two same security level interfaces

I've modified the route like James said, but no changes. I ran this packet tracer and the result is this:

Packet Tracer:

packet-tracer input inside tcp 192.168.0.5 9823 172.1.1.10 80 detail

Result:

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   172.1.1.0       255.255.255.0   Outside1

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab8755c8, priority=2, domain=permit, deny=false

        hits=175, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab877570, priority=0, domain=permit-ip-option, deny=true

        hits=299, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

  match ip Inside 192.168.0.0 255.255.255.0 Outside1 any

    static translation to 192.168.0.0

    translate_hits = 179, untranslate_hits = 18292

Additional Information:

Static translate 192.168.0.0/0 to 192.168.0.0/0 using netmask 255.255.255.0

Forward Flow based lookup yields rule:

in  id=0xab94c948, priority=5, domain=nat, deny=false

        hits=175, user_data=0xab94c0a0, cs_id=0x0, flags=0x0, protocol=0

        src ip=192.168.0.0, mask=255.255.255.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

  match ip Inside 192.168.0.0 255.255.255.0 DMZ any

    static translation to 192.168.0.0

    translate_hits = 0, untranslate_hits = 11

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab811c80, priority=5, domain=host, deny=false

        hits=18742, user_data=0xab8d1270, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=192.168.0.0, mask=255.255.255.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (Outside1) 101 0.0.0.0 0.0.0.0

  match ip Outside1 any Inside any

    dynamic translation to pool 101 (No matching global)

    translate_hits = 309, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

out id=0xab93f558, priority=1, domain=nat-reverse, deny=false

        hits=74, user_data=0xab93f2e8, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside1

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Any ideas for solving this route issue?

EG

Need fluid traffic between two same security level interfaces

There is no NAT so it's failing.

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (Outside1) 101 0.0.0.0 0.0.0.0

  match ip Outside1 any Inside any

    dynamic translation to pool 101 (No matching global)

Have you tried Prateek's commands?

static (Inside,outside1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Prateek's commands are one way to fix it.

You could also try-

global (Inside) 102 interface

nat (Outside1) 102 0 0
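
The rule behind the two NAT drops in this thread, as an added example (not part of any post, and not Cisco code): a simplified Python model of pre-8.3 ASA NAT selection that checks a flow's source translation and the reverse-path translation that packet-tracer reports as rpf-check. The function names are invented for the example; it assumes nat-control is not enabled and does not model policy NAT, NAT exemption or static PAT.

```python
import ipaddress
import re

# NAT-related lines excerpted from the second configuration posted in the thread.
THREAD_CONFIG = """\
global (Outside) 101 interface
nat (Outside1) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
"""

NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) ")
STATIC_RE = re.compile(r"static \(([^,\s]+),([^)\s]+)\) (\S+) (\S+) netmask (\S+)")


def _network(addr, mask):
    """Build a network from ASA address/mask notation; a zero mask means 'any'."""
    if mask in ("0", "0.0.0.0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_nat_config(text):
    """Return (nat_rules, globals, statics) parsed from pre-8.3 NAT commands.

    Interface names are lowercased because the thread mixes Inside/inside.
    """
    nats, globals_, statics = [], set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            ifc, nat_id, addr, mask = m.groups()
            if addr == "access-list":  # policy NAT / NAT exemption: not modelled
                continue
            nats.append((ifc.lower(), int(nat_id), _network(addr, mask)))
        elif m := GLOBAL_RE.match(line):
            globals_.add((m.group(1).lower(), int(m.group(2))))
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, _mapped, real, mask = m.groups()
            statics.append((real_if.lower(), mapped_if.lower(), _network(real, mask)))
    return nats, globals_, statics


def source_translation(cfg, in_if, out_if, src):
    """Decide how a source on in_if is translated toward out_if (static before dynamic)."""
    nats, globals_, statics = cfg
    in_if, out_if = in_if.lower(), out_if.lower()
    ip = ipaddress.ip_address(src)
    for real_if, mapped_if, net in statics:
        if (real_if, mapped_if) == (in_if, out_if) and ip in net:
            return "static"
    matched = [nat_id for ifc, nat_id, net in nats if ifc == in_if and ip in net]
    if not matched:
        return "untranslated"  # assumption: nat-control is not enabled
    if 0 in matched:
        return "identity"
    if any((out_if, nat_id) in globals_ for nat_id in matched):
        return "dynamic"
    # A nat rule claims the source, but the egress interface has no pool with
    # that id: packet-tracer prints "(No matching global)" and drops the flow.
    return "drop: no matching global"


def trace_flow(cfg, in_if, src, out_if, dst):
    """Check the forward source translation and the reverse-path one."""
    forward = source_translation(cfg, in_if, out_if, src)
    # Reverse path: treat the destination as a source arriving on the egress interface.
    reverse = source_translation(cfg, out_if, in_if, dst)
    allowed = not (forward.startswith("drop") or reverse.startswith("drop"))
    return {"forward": forward, "reverse": reverse, "allowed": allowed}


if __name__ == "__main__":
    cfg = parse_nat_config(THREAD_CONFIG)
    # Flow from the packet-tracer run toward the branch network behind Outside1.
    print(trace_flow(cfg, "Inside", "192.168.0.5", "Outside1", "172.1.1.10"))
    # Flow toward a host directly on the Outside1 subnet.
    print(trace_flow(cfg, "Inside", "192.168.0.20", "Outside1", "192.168.2.22"))
```

On the posted configuration the model reports the Inside to 172.1.1.10 flow as dropped on the reverse check and the Inside to 192.168.2.22 flow as allowed, which matches the packet-tracer and ICMP debug output in the thread.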

Need fluid traffic between two same security level interfaces

Dear Collin, won't these lines:

global (Inside) 102 interface

nat (Outside1) 102 0 0

restrict traffic to the internet through interface Outside?

EG

Need fluid traffic between two same security level interfaces

Those lines will nat traffic from Outside1 to the Inside using the IP assigned to the Inside interface.

Need fluid traffic between two same security level interfaces

Collin, here's my network diagram. I need to use static routes from the LAN to 172.1.x.x so that the other offices can communicate with the headquarters LAN (I need NAT, not PAT as you suggested in your answer before). Also, I need the branch offices to communicate with the email server. Actually the service router I am using to connect branch offices is a Cisco RV016, but in the near future it will be an ISR G2 Cisco 892.

If you need some more explanation to solve the routing issue, please tell me. Also, here's the up-to-date configuration:

ASA Version 8.2(1)

!

hostname ASAFCHFW

domain-name farmaciachavez.com.bo

enable password 6Jfo5anznhoG00fM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address x.x.x.162 255.255.255.248

!

interface Ethernet0/1

nameif Outside1

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 10

ip address 172.16.31.1 255.255.255.0

!

interface Ethernet0/3

nameif Inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name farmaciachavez.com.bo

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz_in extended permit ip any any

access-list dmz_in extended permit icmp any any

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list 100 extended permit tcp any host x.x.x.163 eq smtp

access-list 100 extended permit udp any host x.x.x.163 eq domain

access-list 100 extended permit tcp any host x.x.x.163 eq https

access-list 100 extended permit tcp any host x.x.x.163 eq www

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Outside1 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.0.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Inside

icmp permit 192.168.0.0 255.255.255.0 Inside

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (Outside1) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

static (DMZ,Outside) 200.87.200.163 172.16.31.0 netmask 255.255.255.255

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group 100 in interface Outside

access-group dmz_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 x.x.x.161 20

route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.168.0.0 255.255.255.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:3235bd0aa15e755b360cd2fb30b227ef

: end

EG

Need fluid traffic between two same security level interfaces

So the satellite offices connect to Inside to access ERP, voice, video, etc. and you do not want them to NAT? They also need to get out to the internet through your firewall for email, correct?

Need fluid traffic between two same security level interfaces

Yes, you are right

Also, email must be available for LAN users and branch office users. I have communication between Inside and DMZ (the email server is on the DMZ), so LAN users can connect to email.

EG

Need fluid traffic between two same security level interfaces

Try-

static (Inside,outside1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (outside1,DMZ) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

Need fluid traffic between two same security level interfaces

Dear Collin, those lines are already inserted in the conf. I still cannot reach network 172.1.x.x even though I have a static route to that network (I have to point out that network 172.1.x.x is connected to a router that is connected to interface Outside1). Do I have to insert an ACL, or what should I do to reach that network?

EG

Need fluid traffic between two same security level interfaces

From the router in the diagram can you access anything in the Inside or DMZ?

Need fluid traffic between two same security level interfaces

Collin, I tried to connect to a computer within the network connected to Inside but cannot communicate. I didn't try the DMZ, but I will try.

EG

Need fluid traffic between two same security level interfaces

Any suggestions?

Need fluid traffic between two same security level interfaces

Are you positive that all the routing is in place?

On the ASA debug ICMP

logging enable

logging buffered 7

debug icmp trace

Then from the router or beyond, try and ping a resource in the ASA LAN side. The ping may fail, but do a show logg on the ASA and you should see some icmp debug traffic. Please post that debug.

Need fluid traffic between two same security level interfaces

Collin, answering this question:

"From the router in the diagram can you access anything in the Inside or DMZ?", posted by you. I can access Inside from the router.

I will try the ICMP debug as you advised.

EG

Need fluid traffic between two same security level interfaces

Dear Collin, this is the log:

%ASA-4-411001: Line protocol on Interface Ethernet0/3, changed state to up

%ASA-4-411001: Line protocol on Interface Inside, changed state to up

%ASA-7-711002: Task ran for 18 msec, Process = NIC status poll, PC = 88e0c93, Traceback =

%ASA-7-711002: Task ran for 18 msec, Process = NIC status poll, PC = 88e0c93, Traceback =   0x088E0C93  0x08062413

%ASA-6-302010: 0 in use, 25 most used

%ASA-5-111007: Begin configuration: console reading from terminal

%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.

%ASA-5-111008: User 'enable_15' executed the 'logging enable' command.

%ASA-5-111008: User 'enable_15' executed the 'logging buffered 7' command.

%ASA-5-111008: User 'enable_15' executed the 'debug icmp trace' command.

%ASA-5-111005: console end configuration: OK

%ASA-5-111001: Begin configuration: console writing to memory

%ASA-5-111004: console end configuration: OK

%ASA-5-111008: User 'enable_15' executed the 'write' command.

%ASA-7-111009: User 'enable_15' executed cmd: show running-config

ASAFCHFW# ICMP echo request from 192.168.0.20 to 192.168.0.1 ID=768 seq=1792 len=32

ICMP echo reply from 192.168.0.1 to 192.168.0.20 ID=768 seq=1792 len=32

ICMP echo request from 192.168.0.20 to 192.168.0.1 ID=768 seq=2048 len=32

ICMP echo reply from 192.168.0.1 to 192.168.0.20 ID=768 seq=2048 len=32

ICMP echo request from 192.168.0.20 to 192.168.0.1 ID=768 seq=2304 len=32

ICMP echo reply from 192.168.0.1 to 192.168.0.20 ID=768 seq=2304 len=32

ICMP echo request from 192.168.0.20 to 192.168.0.1 ID=768 seq=2560 len=32

ICMP echo reply from 192.168.0.1 to 192.168.0.20 ID=768 seq=2560 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=2816 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=2816 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=3072 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=3072 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=3328 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=3328 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=3584 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=3584 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=3840 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=3840 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=4096 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=4096 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=4352 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=4352 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=4608 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=4608 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=4864 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=4864 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=5120 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=5120 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=5376 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=5376 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=5632 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=5632 len=32

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=13568 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=14080 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=14848 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=15360 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=15872 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=16384 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=17152 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=17920 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=18688 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=19456 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=20224 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=20992 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=21760 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=22528 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=23296 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=24064 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=24832 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=25600 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=26368 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=27136 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=27904 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=28672 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=29440 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=30208 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=30976 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=31744 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=32512 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=33280 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=34048 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=34816 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=35584 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=36352 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=37120 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=37888 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=38656 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=39424 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=40192 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=40960 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=41728 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=42496 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=43264 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=44032 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=44800 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

Any suggestions?

New Member

So sorry, after show logg, this is the result:

ASAFCHFW# ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=4359 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

sh logg

Syslog logging: enabled

    Facility: 20

    Timestamp logging: disabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: level debugging, 2470 messages logged

    Trap logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level informational, 456484 messages logged

192.168.0.1/0 laddr 192.168.0.1/0

%ASA-3-313001: Denied ICMP type=8, code=0 from 172.1.1.20 on interface Inside

%ASA-6-302021: Teardown ICMP connection for faddr 172.1.1.20/768 gaddr 192.168.0.1/0 laddr 192.168.0.1/0

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:02

%ASA-7-609002: Teardown local-host identity:192.168.0.1 duration 0:00:02

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host Outside1:192.168.2.20

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.20 dst Outside1:192.168.2.20 (type 8, code 0)

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:00

%ASA-7-609002: Teardown local-host Outside1:192.168.2.20 duration 0:00:00

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host identity:192.168.0.1

<--- More --->ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=5127 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=5639 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=6663 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=7175 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=7943 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

%tion 0:00:02

%ASA-7-609002: Teardown local-host identity:192.168.0.1 duration 0:00:02

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host Outside1:192.168.2.20

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.20 dst Outside1:192.168.2.20 (type 8, code 0)

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:00

%ASA-7-609002: Teardown local-host Outside1:192.168.2.20 duration 0:00:00

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host identity:192.168.0.1

%ASA-6-302020: Built inbound ICMP connection for faddr 172.1.1.20/768 gaddr 192.168.0.1/0 laddr 192.168.0.1/0

%ASA-7-609001: Built local-host Outside1:192.168.2.22

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.20 dst Outside1:192.168.2.22 (type 8, code 0)

%ASA-7-609002: Teardown local-host Outside1:192.168.2.22 duration 0:00:00

%ASA-3-313001: Denied ICMP type=8, code=0 from 172.1.1.20 on interface Inside

168.0.1/0 laddr 192.168.0.1/0

%ASA-3-313001: Denied ICMP type=8, code=0 from 172.1.1.20 on interface Inside

%ASA-7-609001: Built local-host Outside1:192.168.2.22

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.20 dst Outside1:192.168.2.22 (type 8, code 0)

%ASA-7-609002: Teardown local-host Outside1:192.168.2.22 duration 0:00:00

%ASA-6-302021: Teardown ICMP connection for faddr 172.1.1.20/768 gaddr 192.168.0.1/0 laddr 192.168.0.1/0

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:02

%ASA-7-609002: Teardown local-host identity:192.168.0.1 duration 0:00:02

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host Outside1:192.168.2.22

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.20 dst Outside1:192.168.2.22 (type 8, code 0)

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:00

%ASA-7-609002: Teardown local-host Outside1:192.168.2.22 duration 0:00:00

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host Outside1:192.168.2.20

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.20 dst Outside1:192.168.2.20 (type 8, code 0)

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:00

%ASA-7-609002: Teardown local-host Outside1:192.168.2.20 duration 0:00:00

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host identity:192.168.0.1

%ASA-6-302020: Built inbound ICMP connection for faddr 172.1.1.20/768 gaddr 192.168.0.1/0 laddr 192.168.0.1/0

%ASA-3-313001: Denied ICMP type=8, code=0 from 172.1.1.20 on interface Inside

%ASA-6-302021: Teardown ICMP connection for faddr 172.1.1.20/768 gaddr 192.168.0.1/0 laddr 192.168.0.1/0

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:02

%ASA-7-609002: Teardown local-host identity:192.168.0.1 duration 0:00:02

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host Outside1:192.168.2.20

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.20 dst Outside1:192.168.2.20 (type 8, code 0)

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:00

ASAFCHFW# ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=8455 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=9735 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=9991 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ASAFCHFW#
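
A triage helper for buffer-log pastes like the one in the post above, as an added example that is not part of the original post: it rejoins records the terminal split at 80 columns, skips interleaved debug output, then tallies messages by ID and lists the flows named in the 305006 and 313001 records. The sample lines are constructed in the shape of the posted log; the function names and the 80-column width are assumptions.

```python
import re
from collections import Counter

WIDTH = 80  # assumed terminal width at which the pasted output was wrapped
# Constructed sample shaped like the log above: two wrapped 305006 records, one debug line.
SAMPLE = """\
%ASA-7-609001: Built local-host Inside:172.1.1.20
%ASA-7-609001: Built local-host Outside1:192.168.2.20
%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.2
0 dst Outside1:192.168.2.20 (type 8, code 0)
%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:00
ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=5639 len=32
%ASA-3-313001: Denied ICMP type=8, code=0 from 172.1.1.20 on interface Inside
%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.2
0 dst Outside1:192.168.2.22 (type 8, code 0)
"""

SYSLOG = re.compile(r"^%ASA-(\d)-(\d{6}): (.*)$")
XLATE_FAIL = re.compile(r"for (\w+) src (\w+):(\S+) dst (\w+):(\S+) ")
ICMP_DENY = re.compile(r"type=(\d+), code=(\d+) from (\S+) on interface (\S+)")

def unwrap(text, width=WIDTH):
    """Drop blank lines and rejoin records the terminal split at `width` columns."""
    out = []
    for line in (l for l in text.splitlines() if l.strip()):
        if out and len(out[-1]) % width == 0 and not line.startswith("%ASA-"):
            out[-1] += line  # continuation of a record that filled the row
        else:
            out.append(line)
    return out

def summarize(text):
    """Return (count per message ID, failed-translation flows, denied ICMP sources)."""
    by_id, xlate, denied = Counter(), Counter(), Counter()
    for line in unwrap(text):
        m = SYSLOG.match(line)
        if not m:
            continue  # debug trace output or an orphaned fragment
        msg_id, body = m.group(2), m.group(3)
        by_id[msg_id] += 1
        if msg_id == "305006" and (x := XLATE_FAIL.search(body)):
            proto, s_if, s_ip, d_if, d_ip = x.groups()
            xlate[(proto, f"{s_if}:{s_ip}", f"{d_if}:{d_ip}")] += 1
        elif msg_id == "313001" and (d := ICMP_DENY.search(body)):
            denied[(d.group(3), d.group(4))] += 1  # (source address, interface)
    return by_id, xlate, denied

if __name__ == "__main__":
    print(*map(dict, summarize(SAMPLE)), sep="\n")
```
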
