Cisco Support Community

New Member

some trouble in configuring acl

Hi, can someone help me with configuring an ACL on an ASA 5055?

I have an inside network, an outside network and a third network. Any time I try to make a connection between two hosts in the inside network with the firewall's packet tracer I get this (see the image). Can someone tell me why I am getting that (message dropped)?

5 REPLIES
VIP Green

some trouble in configuring acl

Without seeing your configuration, I assume that your inside subnet is a /24.  If so, packets that are on the same subnet will never pass through the ASA, as this traffic is handled only by switches.  If the ASA sees this type of traffic it will assume it is a spoofed packet and it will be dropped.  So this is completely normal behavior.

Now if these networks are on different subnets (i.e. they are on a /28 network, for example) then there might be a configuration problem.  If this is the case, please post a full sanitised running config of your ASA so we can help you further.

--
Please remember to rate and select a correct answer

New Member

some trouble in configuring acl

I have 3 networks:

1- the main network to protect (inside): IP 192.168.23.0/25

2- the outside network (internet): IP 192.168.1.254/24

3- another network to connect with it: IP 10.66.0.200/27

For example, with this configuration, when I send an HTTP packet from 192.168.23.23 to 192.168.23.33 it is dropped?

PS: I created a rule to permit HTTP from any to any on inside.

VIP Green

some trouble in configuring acl

For example, with this configuration, when I send an HTTP packet from 192.168.23.23 to 192.168.23.33 it is dropped?

This traffic will never hit the ASA; this is most likely an issue either with the host machines themselves or perhaps a misconfiguration of the switch between them.

Are these Windows machines?  If so, have you tried disabling the Windows firewall and testing to see if traffic is permitted then?  Perhaps there is antivirus software installed on them that has a built-in firewall that is blocking traffic.  I have had some cases (especially with McAfee) where this is the case.

--
Please remember to rate and select a correct answer


some trouble in configuring acl

Hello .

As Marius said, traffic on the same subnet should never reach the firewall, but if they were on different subnets or you need a U-turn:

  • same-security-traffic permit intra-interface
  • If an ACL is configured on the inside, allow the traffic there
  • Before 8.3, regularly a global NAT

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com


some trouble in configuring acl

Hello,

192.168.23.23 to 192.168.23.33 it is dropped?

No, they are on the same subnet, so the firewall should not see that traffic.

In fact, if you do a capture on the ASA itself while you generate the traffic, you should not capture any data.

Traffic within the same subnet should be L2 switched only.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

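The reasoning in the replies above (same connected subnet: the ASA never sees it; same interface but different subnets: U-turn; different interfaces: interface ACL and security levels) is worked through below as an added example that is not from the thread or from Cisco. It models the three networks quoted in the thread; the security levels, the interface name "third" and the routed subnet behind "inside" are assumptions for illustration.

```python
import ipaddress

# Constructed model of the addressing in this thread. The host-style values
# quoted there (192.168.1.254/24, 10.66.0.200/27) are normalised to their
# subnets; the security levels, the name "third" and the routed subnet behind
# "inside" are assumptions made for illustration, not from the thread.
INTERFACES = {
    "inside":  {"security": 100, "connected": "192.168.23.0/25",
                "routed": ["192.168.24.0/24"]},
    "outside": {"security": 0,   "connected": "192.168.1.0/24",  "routed": []},
    "third":   {"security": 50,  "connected": "10.66.0.192/27",  "routed": []},
}


def locate(addr):
    """Return (interface, on_connected_subnet) for an address, or (None, False)."""
    ip = ipaddress.ip_address(addr)
    for name, cfg in INTERFACES.items():
        if ip in ipaddress.ip_network(cfg["connected"]):
            return name, True
        if any(ip in ipaddress.ip_network(net) for net in cfg["routed"]):
            return name, False
    return None, False


def classify_flow(src, dst):
    """Say whether the ASA would ever see src->dst and what must permit it."""
    s_if, s_conn = locate(src)
    d_if, d_conn = locate(dst)
    if s_if is None or d_if is None:
        return "unknown", "no connected or routed subnet covers one of the addresses"
    if s_if == d_if and s_conn and d_conn:
        # Same broadcast domain: the hosts ARP for each other and the switch
        # forwards the frame; the ASA is never in the path, so a packet-tracer
        # 'drop' for this flow says nothing about the ACLs. Check host
        # firewalls and the switch instead.
        return "l2-switched", f"both hosts are on the connected subnet of {s_if}"
    if s_if == d_if:
        # Enters and leaves on one interface (U-turn): needs
        # 'same-security-traffic permit intra-interface' plus that interface's ACL.
        return "u-turn", f"hairpin on {s_if}: needs intra-interface permit and the {s_if} ACL"
    s_sec, d_sec = INTERFACES[s_if]["security"], INTERFACES[d_if]["security"]
    direction = "outbound" if s_sec > d_sec else "inbound"
    # Higher-to-lower security passes by default until an ACL is bound to the
    # ingress interface, after which only what that ACL permits passes;
    # lower-to-higher always needs an explicit permit. The thread also notes
    # that pre-8.3 code usually wants a NAT/global pair for these flows.
    return "inter-interface", f"{direction} {s_if}->{d_if}: checked by the {s_if} ACL"
```

Running `classify_flow("192.168.23.23", "192.168.23.33")` reproduces the thread's case: the flow is L2-switched, so the packet-tracer result is not evidence of an ACL problem.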