cmptreasy (IS/IT--Management)
6 Oct 11 10:46
I have 3 networks. Networks A and B are local, and attached to an ASA firewall and are operating as desired. Network C is remote, and is connected to network A through a PIX firewall VPN, and is also operating normally. The issue is that network B cannot communicate with network C through the VPN tunnel that is established. From network A, I can ping all devices on network B and C, which is good. From network B, I can ping devices on network A and only the outside public interface of the remote PIX connected to network C, nothing inside. From network C, I can ping devices on network A but only the ASA interface connected to network B, nothing inside network B interface.

While in network C, I need to be able to address all devices on networks A and B and vice versa. By virtue of the ability to ping the interface of network B, it appears that the ping traffic is going up the VPN tunnel, so I am at a loss to explain why devices on network B cannot communicate to network C and vice versa. Bottom line is that I need traffic from all 3 networks to freely pass all interfaces, which is occurring between networks A and B, and A and C, but not B and C. What am I missing? I can share firewall configs if necessary.
 
stubnski (MIS)
6 Oct 11 15:43
Hi, please post the scrubbed configs.


Stubnski
cmptreasy (IS/IT--Management)
6 Oct 11 16:05
Result of the command: "show tech"

Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8)

Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
Config file at boot was "startup-config"

fw-phoenix up 65 days 7 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Ext: Ethernet0/0         : address is 0023.5ee5.ecca, irq 9
 1: Ext: Ethernet0/1         : address is 0023.5ee5.eccb, irq 9
 2: Ext: Ethernet0/2         : address is 0023.5ee5.eccc, irq 9
 3: Ext: Ethernet0/3         : address is 0023.5ee5.eccd, irq 9
 4: Ext: Management0/0       : address is 0023.5ee5.ecce, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 25        
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled   
VPN-3DES-AES                : Enabled   
Security Contexts           : 0         
GTP/GPRS                    : Disabled  
VPN Peers                   : 150       

This platform has an ASA 5510 Security Plus license.

0xb17078c4 0x0c1f10bb
Configuration register is 0x1
Configuration last modified by dhall at 13:09:25.759 MST Fri Sep 23 2011

------------------ show clock ------------------

06:40:03.759 MST Wed Oct 5 2011

------------------ show memory ------------------

Free memory:       199531440 bytes (74%)
Used memory:        68904016 bytes (26%)
-------------     ----------------
Total memory:      268435456 bytes (100%)

------------------ show conn count ------------------

424 in use, 21379 most used

------------------ show xlate count ------------------

209 in use, 2077 most used

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT
     4    300    276    299
    80    100     88    100
   256   2612   2589   2612
  1550   9251   7463   7718
  2048    100     99    100
  2560     40     40     40
  4096     30     30     30
  8192     60     60     60
 16384    102    102    102
 65536     10     10     10

------------------ show blocks queue history detail ------------------

History buffer memory usage: 2136 bytes (default)

------------------ show interface ------------------

Interface Ethernet0/0 "outside1", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
    Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
    Description: Outside interface for 159.87.64.x network
    MAC address 0023.5ee5.ecca, MTU 1500
    IP address x.x.x.x, subnet mask 255.255.255.0
    854376435 packets input, 337054190678 bytes, 0 no buffer
    Received 2188417 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    1077842024 packets output, 1275212842473 bytes, 244 underruns
    17819 output errors, 12437850 collisions, 0 interface resets
    25023979 late collisions, 59368255 deferred
    0 input reset drops, 0 output reset drops
    input queue (curr/max packets): hardware (0/31)
    output queue (curr/max packets): hardware (0/255)
  Traffic Statistics for "outside1":
    854376435 packets input, 321407381200 bytes
    1102884060 packets output, 1291393465718 bytes
    1890863 packets dropped
      1 minute input rate 397 pkts/sec,  44155 bytes/sec
      1 minute output rate 627 pkts/sec,  880960 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 418 pkts/sec,  69282 bytes/sec
      5 minute output rate 638 pkts/sec,  882648 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Control Point Interface States:
    Interface number is 1
    Interface config status is active
    Interface state is active
Interface Ethernet0/1 "inside1", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    Description: First inside interface for 172.16.10.x network
    MAC address 0023.5ee5.eccb, MTU 1500
    IP address x.x.x.x, subnet mask 255.255.255.0
    1100607635 packets input, 1242962832373 bytes, 1249 no buffer
    Received 15044716 broadcasts, 0 runts, 0 giants
    325 input errors, 0 CRC, 0 frame, 325 overrun, 0 ignored, 0 abort
    206584 L2 decode drops
    851010009 packets output, 311646453487 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 late collisions, 0 deferred
    0 input reset drops, 0 output reset drops
    input queue (curr/max packets): hardware (5/33)
    output queue (curr/max packets): hardware (0/159)
  Traffic Statistics for "inside1":
    1100366569 packets input, 1222334138781 bytes
    851010009 packets output, 293995135644 bytes
    10275473 packets dropped
      1 minute input rate 631 pkts/sec,  846786 bytes/sec
      1 minute output rate 402 pkts/sec,  25988 bytes/sec
      1 minute drop rate, 1 pkts/sec
      5 minute input rate 639 pkts/sec,  849647 bytes/sec
      5 minute output rate 421 pkts/sec,  50196 bytes/sec
      5 minute drop rate, 2 pkts/sec
  Control Point Interface States:
    Interface number is 2
    Interface config status is active
    Interface state is active
Interface Ethernet0/2 "Inside2", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    Description: Interface for OPM Server farm
    MAC address 0023.5ee5.eccc, MTU 1500
    IP address x.x.x.x, subnet mask 255.255.255.0
    63594451 packets input, 54107501427 bytes, 0 no buffer
    Received 1172855 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    56073475 packets output, 25803528720 bytes, 0 underruns
    0 output errors, 0 collisions, 1 interface resets
    0 late collisions, 0 deferred
    0 input reset drops, 0 output reset drops
    input queue (curr/max packets): hardware (1/33)
    output queue (curr/max packets): hardware (0/32)
  Traffic Statistics for "Inside2":
    63594423 packets input, 52908439223 bytes
    56073475 packets output, 24661286310 bytes
    1104920 packets dropped
      1 minute input rate 5 pkts/sec,  3717 bytes/sec
      1 minute output rate 3 pkts/sec,  346 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 5 pkts/sec,  3073 bytes/sec
      5 minute output rate 4 pkts/sec,  770 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Control Point Interface States:
    Interface number is 3
    Interface config status is active
    Interface state is active
Interface Ethernet0/3 "", is administratively down, line protocol is down
  Hardware is i82546GB rev03, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    MAC address 0023.5ee5.eccd, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 late collisions, 0 deferred
    0 input reset drops, 0 output reset drops
    input queue (curr/max packets): hardware (0/0)
    output queue (curr/max packets): hardware (0/0)
  Control Point Interface States:
    Interface number is unassigned
Interface Management0/0 "management", is down, line protocol is down
  Hardware is i82557, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    MAC address 0023.5ee5.ecce, MTU 1500
    IP address 192.168.1.1, subnet mask 255.255.255.0
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max packets): hardware (0/0) software (0/0)
    output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "management":
    0 packets input, 0 bytes
    0 packets output, 0 bytes
    0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
    Management-only interface. Blocked 0 through-the-device packets
        0 IPv4 packets originated from management network
        0 IPv4 packets destined to management network
        0 IPv6 packets originated from management network
        0 IPv6 packets destined to management network
  Control Point Interface States:
    Interface number is 4
    Interface config status is active
    Interface state is not active

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 2%; 1 minute: 2%; 5 minutes: 2%

------------------ show failover ------------------

Failover Off
Failover unit Secondary
Failover LAN Interface: not Configured
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum

------------------ show traffic ------------------

outside1:
    received (in 1348515.514 secs):
        854376435 packets    321407381200 bytes
        2 pkts/sec    238000 bytes/sec
    transmitted (in 1348515.514 secs):
        1102884060 packets    1291393465718 bytes
        2 pkts/sec    957000 bytes/sec
      1 minute input rate 397 pkts/sec,  44155 bytes/sec
      1 minute output rate 627 pkts/sec,  880960 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 418 pkts/sec,  69282 bytes/sec
      5 minute output rate 638 pkts/sec,  882648 bytes/sec
      5 minute drop rate, 0 pkts/sec
inside1:
    received (in 1348515.514 secs):
        1100366569 packets    1222334138781 bytes
        0 pkts/sec    906002 bytes/sec
    transmitted (in 1348515.514 secs):
        851010009 packets    293995135644 bytes
        0 pkts/sec    218001 bytes/sec
      1 minute input rate 631 pkts/sec,  846786 bytes/sec
      1 minute output rate 402 pkts/sec,  25988 bytes/sec
      1 minute drop rate, 1 pkts/sec
      5 minute input rate 639 pkts/sec,  849647 bytes/sec
      5 minute output rate 421 pkts/sec,  50196 bytes/sec
      5 minute drop rate, 2 pkts/sec
Inside2:
    received (in 1348515.514 secs):
        63594423 packets    52908439223 bytes
        2 pkts/sec    39002 bytes/sec
    transmitted (in 1348515.514 secs):
        56073475 packets    24661286310 bytes
        0 pkts/sec    18001 bytes/sec
      1 minute input rate 5 pkts/sec,  3717 bytes/sec
      1 minute output rate 3 pkts/sec,  346 bytes/sec
      1 minute drop rate, 0 pk
unclerico (IS/IT--Management)
6 Oct 11 22:15
Quite a bit of your config is still missing. Post the scrubbed output from show run.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

cmptreasy (IS/IT--Management)
7 Oct 11 10:20
The more I look at this, the more I think it may be a route issue, although I am still not sure.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.0(8)
!
hostname fw
domain-name DOMAIN
enable password ****** encrypted
passwd ****** encrypted
no names
dns-guard
!
interface Ethernet0/0
 description Outside interface for 159.87.64.x network
 nameif outside1
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1
 description First inside interface for 172.16.10.x network
 nameif inside1
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/2
 description Interface for OPM Server farm
 nameif Inside2
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone MST -7
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Hosts
 network-object 172.16.10.19 255.255.255.255
 network-object 172.16.10.22 255.255.255.255
 network-object 172.16.10.23 255.255.255.255
 network-object 172.16.10.17 255.255.255.255
 network-object 172.16.10.21 255.255.255.255
 network-object 172.16.10.254 255.255.255.255
object-group network All_VPN
 network-object 172.16.11.0 255.255.255.0
 network-object 172.16.12.0 255.255.255.0
 network-object 172.16.17.0 255.255.255.0
 network-object 172.16.18.0 255.255.255.0
 network-object 172.16.14.0 255.255.255.0
 network-object 172.16.15.0 255.255.255.0
object-group service ActiveDir tcp
 port-object eq ldap
 port-object eq kerberos
 port-object eq netbios-ssn
 port-object eq 88
 port-object eq 3269
 port-object eq domain
 port-object eq 3268
 port-object eq ldaps
 port-object eq 445
object-group service DNS tcp-udp
 port-object eq domain
 port-object eq 88
 port-object eq 389
object-group network insideDNS
 network-object 172.16.10.17 255.255.255.255
 network-object 172.16.10.18 255.255.255.255
 network-object 172.16.10.24 255.255.255.255
object-group network insideDC
 network-object 172.16.10.17 255.255.255.255
 network-object 172.16.10.18 255.255.255.255
object-group network ITManagers
 network-object 172.16.10.13 255.255.255.255
 network-object 172.16.10.16 255.255.255.255
object-group service Mail tcp
 port-object eq 691
 port-object eq pop3
 port-object eq imap4
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq 995
 port-object eq 993
 port-object eq aol
 port-object range 1024 65535
 port-object eq 135
 port-object eq netbios-ssn
object-group network CiscoClients
 network-object 172.16.10.224 255.255.255.240
object-group network CiscoClients_Outside
 network-object 172.16.10.224 255.255.255.240
object-group network Remote_switches
 network-object 10.0.0.0 255.0.0.0
object-group service Citrix tcp
 port-object range citrix-ica citrix-ica
 port-object eq www
 port-object eq https
object-group service Webports tcp
 port-object eq www
 port-object eq https
object-group network OPM_HTTP
 network-object 10.168.30.106 255.255.255.255
 network-object 10.168.30.65 255.255.255.255
 network-object 10.168.30.60 255.255.255.255
 network-object 10.168.30.5 255.255.255.255
 network-object 10.168.30.7 255.255.255.255
object-group network OPM_HTTPS
 network-object 10.168.30.106 255.255.255.255
 network-object 10.168.30.5 255.255.255.255
 network-object 10.168.30.60 255.255.255.255
 network-object 10.168.30.65 255.255.255.255
object-group network OPM_SSH
 network-object 10.168.30.5 255.255.255.255
 network-object 10.168.30.65 255.255.255.255
 network-object 10.168.30.60 255.255.255.255
object-group network OPM_HTTP_ref_1
 network-object 159.87.64.106 255.255.255.255
 network-object 159.87.64.31 255.255.255.255
 network-object 159.87.64.60 255.255.255.255
 network-object 159.87.64.5 255.255.255.255
 network-object 159.87.64.7 255.255.255.255
object-group network OPM_HTTPS_ref_1
 network-object 159.87.64.106 255.255.255.255
 network-object 159.87.64.5 255.255.255.255
 network-object 159.87.64.60 255.255.255.255
 network-object 159.87.64.31 255.255.255.255
access-list outside1_cryptomap_10 extended permit ip 172.16.10.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list outside1_cryptomap_10 extended permit ip 10.168.30.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list Net standard permit 172.16.10.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.9.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.15.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.17.0 255.255.255.0
access-list outside1_access_in extended deny ip host 203.229.126.240 any
access-list outside1_access_in extended deny ip host 208.85.53.26 any
access-list outside1_access_in extended deny ip host 66.231.80.236 any
access-list outside1_access_in extended deny ip host 208.69.101.152 any
access-list outside1_access_in extended deny ip host 208.85.51.96 any
access-list outside1_access_in extended deny ip host 69.25.202.44 any
access-list outside1_access_in extended deny ip host 69.25.202.43 any
access-list outside1_access_in extended permit ip 172.16.18.0 255.255.255.0 any
access-list outside1_access_in extended permit icmp host 159.87.222.1 any
access-list outside1_access_in extended permit ip 159.87.0.0 255.255.0.0 159.87.64.0 255.255.255.0 log notifications
access-list outside1_access_in extended permit tcp object-group All_VPN gt 1024 host 172.16.10.21 log
access-list outside1_access_in extended permit tcp object-group All_VPN object-group insideDNS log
access-list outside1_access_in extended permit tcp object-group All_VPN object-group insideDNS object-group ActiveDir log
access-list outside1_access_in extended permit udp object-group All_VPN object-group insideDNS log
access-list outside1_access_in extended permit tcp object-group All_VPN object-group ActiveDir object-group insideDC log
access-list outside1_access_in extended permit ip object-group CiscoClients_Outside any
access-list outside1_access_in extended permit tcp any object-group Mail host x.x.x.x log
access-list outside1_access_in extended permit tcp host 198.151.212.32 host 159.87.64.6 eq 1433
access-list outside1_access_in extended permit tcp any object-group Webports host 159.87.64.6
access-list outside1_access_in extended permit tcp any object-group Mail host 159.87.64.241 log
access-list outside1_access_in extended permit ip object-group All_VPN host 172.16.10.28 inactive
access-list outside1_access_in extended permit icmp host 209.181.122.61 any
access-list outside1_access_in extended deny ip host 124.120.232.250 any
access-list outside1_access_in extended permit tcp any host x.x.x.x object-group Citrix log
access-list outside1_access_in extended permit ip any host x.x.x.x
access-list outside1_access_in extended permit tcp any object-group DNS x.x.x.x 255.255.255.0
access-list outside1_access_in extended permit tcp any object-group OPM_HTTP_ref_1 eq www
access-list outside1_access_in extended permit tcp any object-group OPM_HTTPS_ref_1 eq https
access-list outside1_access_in extended permit tcp any object-group OPM_SSH_ref_1 eq ssh
access-list outside1_access_in extended deny tcp host 178.73.217.168 any
access-list outside1_access_in extended deny tcp host 82.192.88.2 any
access-list outside1_access_in extended deny tcp host 75.88.23.33 any
access-list outside1_access_in extended permit icmp 172.16.11.0 255.255.255.0 any
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 64.202.160.40 eq https
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 64.202.160.40 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 149.5.128.0 255.255.255.0 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 149.5.128.0 255.255.255.0 eq https
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 24.248.61.65 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 216.161.172.34 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 63.245.209.10 range 1024 65535
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 66.135.33.47 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 184.168.239.1 eq www
access-list inside1_access_in extended permit ip host 172.16.10.62 172.16.10.0 255.255.255.0
access-list inside1_access_in extended permit ip host 172.16.10.62 10.168.30.0 255.255.255.0
access-list inside1_access_in extended deny ip host 172.16.10.62 any
access-list inside1_access_in extended permit ip any any log warnings
access-list inside1_access_in extended permit icmp any any log warnings inactive
access-list inside1_access_in extended permit tcp host 172.16.10.19 eq smtp any
access-list inside1_access_in extended deny tcp any eq smtp any
access-list capin extended permit ip host 172.16.10.12 any
access-list capin extended permit ip any host 172.16.10.12
access-list outside1_cryptomap_dyn_40 extended permit ip any 172.16.10.224 255.255.255.240
access-list outside1_nat0_inbound extended permit ip object-group CiscoClients_Outside object-group ****_Hosts
access-list outside1_cryptomap_30 extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list cout extended permit ip host x.x.x.x host 159.87.70.66
access-list cout extended permit ip host x.x.x.x host 159.87.64.30
access-list inside2_access_in extended permit ip any any log
access-list outside1_cryptomap_30_1 extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list cin extended permit ip host 172.16.10.110 host 159.87.70.66
access-list cin extended permit ip host x.x.x.x host 172.16.10.110
access-list outside1_cryptomap_80 extended permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list outside1_cryptomap105 extended permit ip any 172.16.15.0 255.255.255.0
access-list outside1_cryptomap_20 extended permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list outside1_cryptomap_40_1 extended permit ip 172.16.10.0 255.255.255.0 172.16.15.0 255.255.255.0
access-list Inside2_access_in extended permit tcp 10.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0 log warnings
access-list Inside2_access_in extended permit tcp any any log warnings
access-list Inside2_access_in extended permit ip any any
access-list Inside2_access_in extended permit tcp any x.x.x.x 255.255.255.128
access-list nonat2 extended permit ip 10.168.30.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list outside1_cryptomap_60 extended permit ip 172.16.10.0 255.255.255.0 172.16.17.0 255.255.255.0
!
http-map http-map
 strict-http action allow log
!
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging console warnings
logging trap warnings
logging asdm informational
logging device-id hostname
logging host inside1 172.16.10.12
logging debug-trace
mtu outside1 1500
mtu inside1 1500
mtu Inside2 1500
mtu management 1500
ip local pool DefaultRSPool 172.16.10.224-172.16.10.239 mask 255.255.255.0
no failover
monitor-interface outside1
monitor-interface inside1
monitor-interface Inside2
monitor-interface management
icmp permit any outside1
icmp permit any inside1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
nat (outside1) 0 access-list outside1_nat0_inbound outside
nat (outside1) 1 172.16.0.0 255.255.0.0
nat (inside1) 0 access-list nonat
nat (inside1) 1 172.16.10.0 255.255.255.0
nat (Inside2) 0 access-list nonat2
nat (Inside2) 1 10.168.30.0 255.255.255.0
static (inside1,outside1) x.x.x.x 172.16.10.21 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.19 netmask 255.255.255.255
static (inside1,inside1) 172.16.11.0 159.87.60.146 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.22 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.10 netmask 255.255.255.255
static (inside1,inside1) 172.16.12.0 209.181.122.61 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.254 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.32 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.39 netmask 255.255.255.255
static (inside1,inside1) 172.16.18.0 x.x.x.x netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.26 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.44 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.34 netmask 255.255.255.255
static (inside1,inside1) 172.16.14.0 x.x.x.x netmask 255.255.255.255
static (inside1,inside1) 172.16.15.0 x.x.x.x netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.53 netmask 255.255.255.255
static (inside1,Inside2) 172.16.10.0 172.16.10.0 netmask 255.255.255.0
static (Inside2,inside1) 10.168.30.0 10.168.30.0 netmask 255.255.255.0
static (inside1,Inside2) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (Inside2,outside1) x.x.x.x 10.168.30.7 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.106 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.5 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.60 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.65 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.22 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.3 netmask 255.255.255.255
static (inside1,inside1) 172.16.17.0 x.x.x.x netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.67 netmask 255.255.255.255
access-group outside1_access_in in interface outside1
access-group inside1_access_in in interface inside1
access-group Inside2_access_in in interface Inside2
route outside1 0.0.0.0 0.0.0.0 159.87.64.1 1
timeout xlate 10:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 9:05:00 absolute uauth 9:00:00 inactivity
aaa-server vpn protocol kerberos
aaa-server vpn (inside1) host 172.16.10.17
 kerberos-realm DOMAIN
aaa-server  protocol radius
aaa-server  (inside1) host 172.16.10.17
 key *****
 radius-common-pw ****
group-policy DfltGrpPolicy attributes
 wins-server none
 dns-server value 172.16.10.24 172.16.10.18
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value DOMAIN
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem enable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy CiscoClient internal
group-policy CiscoClient attributes
 dns-server value 172.16.10.24 172.16.10.18
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 password-storage enable
 group-lock value CiscoClient
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Net
 default-domain value DOMAIN
 webvpn
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http x.x.x.x 255.255.255.255 outside1
http x.x.x.x 255.255.255.255 outside1
http x.x.x.x 255.255.255.0 outside1
http 172.16.10.16 255.255.255.255 inside1
http 172.16.10.13 255.255.255.255 inside1
http 172.16.10.0 255.255.255.0 inside1
http 192.168.1.0 255.255.255.0 management
snmp-server host inside1 172.16.10.16 community public
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Please type your username and password
auth-prompt reject Invalid redentials
crypto ipsec transform-set Set esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set **** esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DynMap 20 set transform-set ****Set
crypto dynamic-map DynMap 20 set security-association lifetime seconds 28800
crypto dynamic-map DynMap 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map DynMap 25 set transform-set ****Set
crypto dynamic-map DynMap 25 set security-association lifetime seconds 28800
crypto dynamic-map DynMap 25 set security-association lifetime kilobytes 4608000
crypto map ****Map 10 match address outside1_cryptomap_10
crypto map ****Map 10 set peer x.x.x.x
crypto map ****Map 10 set transform-set ****Set
crypto map ****Map 10 set security-association lifetime seconds 28800
crypto map ****Map 10 set security-association lifetime kilobytes 4608000
crypto map ****Map 20 match address outside1_cryptomap_20
crypto map ****Map 20 set peer x.x.x.x
crypto map ****Map 20 set transform-set ****Set
crypto map ****Map 20 set security-association lifetime seconds 28800
crypto map ****Map 20 set security-association lifetime kilobytes 4608000
crypto map ****Map 30 match address outside1_cryptomap_30_1
crypto map ****Map 30 set peer x.x.x.x
crypto map ****Map 30 set transform-set ****Set
crypto map ****Map 30 set security-association lifetime seconds 28800
crypto map ****Map 30 set security-association lifetime kilobytes 4608000
crypto map ****Map 40 match address outside1_cryptomap_40_1
crypto map ****Map 40 set peer x.x.x.x
crypto map ****Map 40 set transform-set ****Set
crypto map ****Map 40 set security-association lifetime seconds 28800
crypto map ****Map 40 set security-association lifetime kilobytes 4608000
crypto map ****Map 60 match address outside1_cryptomap_60
crypto map ****Map 60 set peer x.x.x.x
crypto map ****Map 60 set transform-set ****Set
crypto map ****Map 60 set security-association lifetime seconds 28800
crypto map ****Map 60 set security-association lifetime kilobytes 4608000
crypto map ****Map 80 match address outside1_cryptomap_80
crypto map ****Map 80 set peer x.x.x.x
crypto map ****Map 80 set transform-set ****Set
crypto map ****Map 80 set security-association lifetime seconds 28800
crypto map ****Map 80 set security-association lifetime kilobytes 4608000
crypto map ****Map 65535 ipsec-isakmp dynamic ****DynMap
crypto map ****Map interface outside1
isakmp identity address
isakmp enable outside1
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  21
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup general-attributes
 address-pool (outside1) DefaultRSPool
 authentication-server-group azdavpn
 authentication-server-group (inside1) vpn
 authentication-server-group (outside1) vpn
 dhcp-server 172.16.10.24
 dhcp-server 172.16.10.18
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group CiscoClient type ipsec-ra
tunnel-group CiscoClient general-attributes
 address-pool (outside1) DefaultRSPool
 address-pool DefaultRSPool
 authentication-server-group ****
 authentication-server-group (outside1) ****
 default-group-policy CiscoClient
tunnel-group CiscoClient ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup
no vpn-addr-assign aaa
telnet 172.16.10.0 255.255.255.0 inside1
telnet timeout 1440
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside1
ssh 172.16.10.0 255.255.255.0 inside1
ssh timeout 60
console timeout 0
management-access Inside2
!
class-map outside1-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect esmtp
policy-map outside1-policy
 description FTP
 class outside1-class
  inspect rtsp
  inspect ftp
!
service-policy global_policy global
service-policy outside1-policy interface outside1
ntp server 204.123.2.5 source outside1
ntp server 18.26.4.105 source outside1
ntp server 209.81.9.7 source outside1
tftp-server inside1 172.16.10.13 /
smtp-server 172.16.10.19
client-update enable
Cryptochecksum:0c40ecbc8f7802eba1caf35ee7e2e091
: end
cmptreasy (IS/IT--Management)
7 Oct 11 14:01
More info: when initiating a ping from the remote 172.16.11.0 network to the 10.168.30.0 network, the following lines are logged on the ASA firewall:
Oct 07 2011 10:48:10 fw-phoenix : %ASA-7-711001: ICMP echo request from outside1:172.16.11.217 to Inside2:10.168.30.3 ID=8521 seq=176 len=56
Oct 07 2011 10:48:10 fw-phoenix : %ASA-7-711001: ICMP echo reply from Inside2:10.168.30.3 to inside1:172.16.11.217 ID=8521 seq=176 len=56

It appears that the incoming ICMP request is processed from the outside interface and sent to the inside2 interface as it should be, but the reply is being sent from the inside2 interface to the inside1 interface, which is incorrect; it should go to the outside.
How do I fix this?
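
The reply path in the two log lines above can be checked against the static statements in the posted configuration. This is an added example, not part of the original post: a small Python check that assumes the pre-8.3 ASA behaviour in which a packet arriving on the mapped interface of a static is forwarded to that static's real interface; the function names are made up for the illustration.

```python
import ipaddress
import re

# Static statements copied from the ASA configuration posted above
# (only the ones without redacted x.x.x.x addresses that touch Inside2
# or the 172.16.11.0 network).
POSTED_STATICS = """\
static (inside1,inside1) 172.16.11.0 159.87.60.146 netmask 255.255.255.255
static (inside1,Inside2) 172.16.10.0 172.16.10.0 netmask 255.255.255.0
static (Inside2,inside1) 10.168.30.0 10.168.30.0 netmask 255.255.255.0
static (inside1,Inside2) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
"""

# Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \(([^,\s]+),([^)\s]+)\) (\S+) (\S+) netmask (\S+)$")


def parse_statics(text):
    """Return a list of (real_ifc, mapped_ifc, mapped_network) tuples."""
    entries = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m is None:
            continue  # not a static statement
        real_ifc, mapped_ifc, mapped_ip, _real_ip, mask = m.groups()
        net = ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)
        entries.append((real_ifc, mapped_ifc, net))
    return entries


def diverting_statics(entries, ingress_ifc, dst_ip):
    """Statics whose mapped side is ingress_ifc and whose mapped range
    covers dst_ip; each one names the interface the packet is sent to."""
    dst = ipaddress.ip_address(dst_ip)
    return [(real, str(net)) for real, mapped, net in entries
            if mapped == ingress_ifc and dst in net]


if __name__ == "__main__":
    statics = parse_statics(POSTED_STATICS)
    # Echo reply from the log: enters on Inside2, destined to 172.16.11.217
    for egress, net in diverting_statics(statics, "Inside2", "172.16.11.217"):
        print(f"reply matches static for {net} -> sent to {egress}")
```

For 172.16.11.217 arriving on Inside2, the only match is the 172.16.0.0/16 identity static toward inside1, which is consistent with the logged reply leaving toward inside1 instead of outside1.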
