Solved

Cisco ASA 8.4 denies packets between two internal subnets

Posted on 2011-09-23
7
1,871 Views
Last Modified: 2012-05-12
Hello. Our basic config..

10.10.1.1 - ASA 8.4 (5510)
10.10.1.3 - router to 10.10.15.0 subnet

asa has route..

route inside 10.10.15.0 255.255.255.0 10.10.1.3 1

asa can ping 10.10.15.x hosts, however we can't communicate with them, and get this error on the asa:

Deny inbound UDP from 10.10.1.21/5060 to 10.10.15.105/5060 on interface inside


Current config is almost out of the box.


I have tried creating access-lists and network object, but my knowledge is weak, so no success. If someone could please tell me which lines to add and break it down to me, I would very much appreciate it.

Should be a very basic question, no VLANs or anything.

Thanks
0
Comment
Question by:arthurk123
  • 4
  • 2
7 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36591097
Looks like the host is sending to the ASA when it should be sending to the 10.10.15.105.  The ASA won't redirect, so my guess is that's why it's denying the packet.  Is the host (10.10.1.21) using the ASA as its default gateway?  Since the ASA won't redirect, I believe it should be using the router as its default gateway instead.
0
 

Author Comment

by:arthurk123
ID: 36592820
Yes, the ASA is the default gateway, it is replacing our existing Peplink firewall

The router is just a point to point T1 connection to another office up the street

I am not trying to link different interfaces with different subnets, just stop the ASA from denying the above packets...


I refuse to believe the ASA won't do this. Even a 50 dollar Linksys has the option to put in static routes...
0
 
LVL 4

Accepted Solution

by:
dcj21 earned 500 total points
ID: 36593615
Need to turn on same security traffic. That allows traffic with the same security level to cross the ASA including going in and out the same interface.

same-security-traffic permit {inter-interface | intra-interface}

inter-interface - Permits communication between different interfaces that have the same security level.
intra-interface - Permits communication in and out of the same

interface.http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 

Author Comment

by:arthurk123
ID: 36593735
Thank you, you are GOD!

I did run a packet trace and got...

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.15.0      255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


I thought same security traffic was only for different interfaces talking to each other, not same interface.

Thank you many times!
0
 

Author Closing Comment

by:arthurk123
ID: 36593744
Exact answer I needed
0
 
LVL 4

Expert Comment

by:dcj21
ID: 36593745
This has bit me before - ;-)

Please mark my answer as helpful, I'm trying to earn points for my membership
0
 

Author Comment

by:arthurk123
ID: 36593752
done!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
MiTM SSH session on a Cisco device talking TACACS+ 1 60
Cisco Air AP 6 41
cisco nexus experiance 2 57
Not able to route between subnets 8 103
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now