• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1910
  • Last Modified:

Cisco ASA 8.4 denies packets between two internal subnets

Hello. Our basic config..

10.10.1.1 - ASA 8.4 (5510)
10.10.1.3 - router to 10.10.15.0 subnet

asa has route..

route inside 10.10.15.0 255.255.255.0 10.10.1.3 1

asa can ping 10.10.15.x hosts, however we can't communicate with them, and get this error on the asa:

Deny inbound UDP from 10.10.1.21/5060 to 10.10.15.105/5060 on interface inside


Current config is almost out of the box.


I have tried creating access-lists and network object, but my knowledge is weak, so no success. If someone could please tell me which lines to add and break it down to me, I would very much appreciate it.

Should be a very basic question, no VLANs or anything.

Thanks
0
arthurk123
Asked:
arthurk123
  • 4
  • 2
1 Solution
 
jmeggersCommented:
Looks like the host is sending to the ASA when it should be sending to the 10.10.15.105.  The ASA won't redirect, so my guess is that's why it's denying the packet.  Is the host (10.10.1.21) using the ASA as its default gateway?  Since the ASA won't redirect, I believe it should be using the router as its default gateway instead.
0
 
arthurk123Author Commented:
Yes, the ASA is the default gateway, it is replacing our existing Peplink firewall

The router is just a point to point T1 connection to another office up the street

I am not trying to link different interfaces with different subnets, just stop the ASA from denying the above packets...


I refuse to believe the ASA won't do this. Even a 50 dollar Linksys has the option to put in static routes...
0
 
dcj21Commented:
Need to turn on same security traffic. That allows traffic with the same security level to cross the ASA including going in and out the same interface.

same-security-traffic permit {inter-interface | intra-interface}

inter-interface - Permits communication between different interfaces that have the same security level.
intra-interface - Permits communication in and out of the same

interface.http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
arthurk123Author Commented:
Thank you, you are GOD!

I did run a packet trace and got...

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.15.0      255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


I thought same security traffic was only for different interfaces talking to each other, not same interface.

Thank you many times!
0
 
arthurk123Author Commented:
Exact answer I needed
0
 
dcj21Commented:
This has bit me before - ;-)

Please mark my answer as helpful, I'm trying to earn points for my membership
0
 
arthurk123Author Commented:
done!
0

Featured Post

Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now