Networking weirdness

Hello,

A client has a weird problem. They have a class A network, let's call it 10.0.0.0/8. They have an ASA5525-X with Firepower.

An internal workstation like 10.0.1.100 cannot ping or browse to an internal web server 10.0.1.200 load balanced over two real servers, 10.0.1.180 and 10.0.1.181. All have the right subnet mask, gateways and DNS servers. At the same time, another workstation like 10.0.2.24 can access the webserver. We've looked at the routes on both and they are identical. However, a packet-tracer on the ASA fails for both workstations. To complicate things, another workstation, which could not access the website on Friday, can today.

The packet-tracer output:

firewall/pri/act# packet-tracer input inside tcp 10.0.1.100 2938 10.0.1.200 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.1.200 using egress ifc  inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static any any destination static obj-10.0.0.0 obj-10.0.0.0 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.0.1.200/80 to 10.0.1.200/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
output-interface: inside
output-status: up
output-line-status: up
Action: drop


Please help. Thank you.
Asked by: netcmh

atlas_shuddered (Sr. Network Engineer) Commented:
What are the masks on the 10.0.1.100 and 10.0.1.200 hosts?
netcmh (Author) Commented:
255.0.0.0
netcmh (Author) Commented:
Please ignore. Hairpinning was not implemented correctly. Same-security-traffic permit intra-interface fixed the issue.

Sorry for bothering you.
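
The symptom and fix from this thread as an added example (not code from the original posts): a Python check that reads packet-tracer output and flags a drop where ingress and egress interface are the same and the dropping phase is an implicit ACCESS-LIST rule, the pattern that same-security-traffic permit intra-interface resolved here. The sample trace is abridged from the question; the function names and result labels are assumptions.

```python
import re

# Packet-tracer output copied from the question above, abridged to the relevant lines.
SAMPLE = """\
firewall/pri/act# packet-tracer input inside tcp 10.0.1.100 2938 10.0.1.200 80
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
output-interface: inside
Action: drop
"""

def _field(name, text):
    """First 'name: value' on its own line, or None when absent or empty."""
    m = re.search(rf"^{name}:[ \t]*(\S+)", text, re.M)
    return m.group(1) if m else None

def parse_trace(text):
    """Split a trace into ingress/egress interfaces, final action and phases."""
    cmd = re.search(r"packet-tracer input (\S+)", text)
    phases = [
        {"type": _field("Type", b), "result": _field("Result", b),
         "implicit": "Implicit Rule" in b}
        for b in re.split(r"^Phase:[ \t]*\d+[ \t]*$", text, flags=re.M)[1:]
    ]
    return {"in": cmd.group(1) if cmd else None,
            "out": _field("output-interface", text),
            "action": _field("Action", text), "phases": phases}

def diagnose(text):
    """Classify a trace: 'allowed', 'hairpin-blocked' or 'dropped-other'."""
    t = parse_trace(text)
    drop = next((p for p in t["phases"] if p["result"] == "DROP"), None)
    if t["action"] != "drop" or drop is None:
        return "allowed"
    # Same ingress and egress interface plus an implicit ACCESS-LIST drop matches
    # the pattern in this thread: intra-interface (hairpin) traffic not permitted.
    if t["in"] == t["out"] and drop["type"] == "ACCESS-LIST" and drop["implicit"]:
        return "hairpin-blocked"
    return "dropped-other"

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
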
netcmh (Author) Commented:
Figured out what the issue was. Fix is listed above.