Solved

Cisco ASA denying traffic on inside interface from inside systems.

Posted on 2014-04-05
1
615 Views
Last Modified: 2014-07-19
I have a very strange situation,
ASA5505 in a small office running 8.4(3)
Server (VMware ESXi 5.5.0) with Windows 2008R2 running as a VM. is plugged into the ASA
The ASA is denying icmp and dns packets between the VMware and the Windows server.
they both use the same NIC but obviously have different mac addresses.
If I ssh into the ESXi and try to ping the windows server 1 packet makes it and then the rest are blocked
Source                  Dest                         Message
LNSP-DC1    10.170.1.21   Deny inbound icmp src inside:LNSP-DC1 dst inside:10.170.1.21 (type 0, code 0)


here are my access lists:
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp object-group MailServers any object-group MailService
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
access-list acl_inbound extended permit icmp any any echo-reply
access-list acl_inbound extended permit icmp any any unreachable
access-list acl_inbound extended permit icmp any any time-exceeded
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit udp any any eq isakmp
access-list acl_inbound extended permit tcp object-group MailFilters object-group MailServers
access-list acl_inbound extended permit tcp any object-group WebServers object-group WebPorts
access-list acl_inbound extended permit tcp any object-group TerminalServers object-group RDCPorts
access-list acl_inbound extended permit tcp any object-group TerminalWorkstation object-group RDCPorts

It is impacting other types of traffic also, ssh, vcenter, etc
It just makes no sense at all....
Any help is greatly appreciated.
0
Comment
Question by:brian_appliedcpu
1 Comment
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 39981117
Is this your problem? Ignore the conflict problems look at the proxy arp bit

IP Address Conflicts with VMware ESX and Cisco ASA
Disable proxy-arp


Pete
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Each year, investment in cloud platforms grows more than 20% (https://www.immun.io/hubfs/Immunio_2016/Content/Marketing/Cloud-Security-Report-2016.pdf?submissionGuid=a8d80a00-6fee-4b85-81db-a4e28f681762) as an increasing number of companies begin to…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question