Cisco ASA denying traffic on inside interface from inside systems.

Posted on 2014-04-05
Medium Priority
Last Modified: 2014-07-19
I have a very strange situation,
ASA5505 in a small office running 8.4(3)
Server (VMware ESXi 5.5.0) with Windows 2008R2 running as a VM. is plugged into the ASA
The ASA is denying icmp and dns packets between the VMware and the Windows server.
they both use the same NIC but obviously have different mac addresses.
If I ssh into the ESXi and try to ping the windows server 1 packet makes it and then the rest are blocked
Source                  Dest                         Message
LNSP-DC1   Deny inbound icmp src inside:LNSP-DC1 dst inside: (type 0, code 0)

here are my access lists:
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp object-group MailServers any object-group MailService
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
access-list acl_inbound extended permit icmp any any echo-reply
access-list acl_inbound extended permit icmp any any unreachable
access-list acl_inbound extended permit icmp any any time-exceeded
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit udp any any eq isakmp
access-list acl_inbound extended permit tcp object-group MailFilters object-group MailServers
access-list acl_inbound extended permit tcp any object-group WebServers object-group WebPorts
access-list acl_inbound extended permit tcp any object-group TerminalServers object-group RDCPorts
access-list acl_inbound extended permit tcp any object-group TerminalWorkstation object-group RDCPorts

It is impacting other types of traffic also, ssh, vcenter, etc
It just makes no sense at all....
Any help is greatly appreciated.
Question by:brian_appliedcpu
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
LVL 57

Accepted Solution

Pete Long earned 2000 total points
ID: 39981117
Is this your problem? Ignore the conflict problems look at the proxy arp bit

IP Address Conflicts with VMware ESX and Cisco ASA
Disable proxy-arp


Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The question appears often enough, how do I transfer my data from my old server to the new server while preserving file shares, share permissions, and NTFS permisions.  Here are my tips for handling such a transfer.
The business world is becoming increasingly integrated with tech. It’s not just for a select few anymore — but what about if you have a small business? It may be easier than you think to integrate technology into your small business, and it’s likely…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month7 days, 21 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question