Troubles with 5505 9.24-33 intervlan routing

Evgeny Kovalev
Level 1

Hello All! 

I have been facing an error on that device for a long time that I cannot solve.

I have 2 interfaces: 

!
interface Vlan20
 description Ch.Net
 nameif CH
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan172
 description Web.Net
 nameif WEB
 security-level 100
 ip address 10.10.20.2 255.255.255.0
!

Configured permit: 

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Configured nat to outside: 

object network chnet
 nat (CH,WAN) dynamic interface
object network web.net
 nat (WEB,WAN) dynamic interface dns

Some ACLs for DST-NAT to interface WAN; they work.

Having only one access-group: 

access-group WAN-IN in interface WAN

What is not working is communication between Vlan20 and Vlan172 by implicit rule. 

packet-tracer input WEB tcp 192.168.20.200 http 10.10.20.2 $

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.10.20.2      255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb603d68, priority=1, domain=nat-per-session, deny=true
        hits=47691, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb8c9648, priority=0, domain=permit, deny=true
        hits=4, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=WEB, output_ifc=any

Result:
input-interface: WEB
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

And I can't understand why; I tried to configure access-lists to allow the traffic in several different ways.

Still, I have the same security level (100) and I permitted same-security traffic both ways, but can't get it to work.

Previously I had 8.2 firmware, which was OK and worked, but now it's a 5505 with 9.24-33 configured from scratch.

BTW: I searched the discussions here and could find my exact situation, but still tried some configurations to fix it; nothing helped.

Could you help me?

Thank you in advance!
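As an added example (not code from the post or from Cisco), the script below parses the packet-tracer output format shown in the post. It walks the numbered phases and the final Result block and reports which phase dropped the flow, whether the matching entry was the implicit rule, which input interface the lookup was evaluated on, and whether the trace ended at the identity interface. The sample text embedded in the script is a trimmed copy of the trace in the post; the names `Phase`, `parse_packet_tracer` and `explain_drop` are chosen here and are not ASA terms.

```python
"""Parse Cisco ASA packet-tracer output and summarise why a flow was dropped.

Added example, not from the original post. SAMPLE_TRACE is a trimmed copy of
the trace in the post; the field names are the ones the ASA prints.
"""
import re
from dataclasses import dataclass, field

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.10.20.2      255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb603d68, priority=1, domain=nat-per-session, deny=true
        input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb8c9648, priority=0, domain=permit, deny=true
        input_ifc=WEB, output_ifc=any

Result:
input-interface: WEB
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    """One numbered phase of a packet-tracer run."""
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Return (phases, summary): the phase list and the final Result block as a dict."""
    phases, summary = [], {}
    phase, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = re.match(r"^Phase:\s*(\d+)\s*$", line)
        if m:
            phase = Phase(int(m.group(1)))
            phases.append(phase)
            section = None
            continue
        if line == "Result:":            # a bare "Result:" opens the final summary block
            phase, section = None, "summary"
            continue
        if section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if phase is None:                # text before the first phase (command echo etc.)
            continue
        if line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is None:            # Type / Subtype / Result header lines
            key, _, value = line.partition(":")
            key = key.strip().lower()
            if key in ("type", "subtype", "result"):
                setattr(phase, key, value.strip())
        elif section == "config":
            phase.config.append(line.strip())
        elif section == "info":
            phase.info.append(line.strip())
    return phases, summary


def explain_drop(phases, summary):
    """Return a diagnosis dict for a dropped trace, or None if the flow was allowed."""
    if summary.get("Action") != "drop":
        return None
    drop_phase = next((p for p in phases if p.result == "DROP"), None)
    diag = {
        "drop_reason": summary.get("Drop-reason", ""),
        "phase": drop_phase.number if drop_phase else None,
        "type": drop_phase.type if drop_phase else "",
        "implicit_rule": bool(drop_phase and "Implicit Rule" in drop_phase.config),
        "input_ifc": None,
        "output_interface": summary.get("output-interface", ""),
        # "NP Identity Ifc" means the destination is an address the ASA itself owns
        "to_the_box": summary.get("output-interface") == "NP Identity Ifc",
    }
    if drop_phase:
        m = re.search(r"input_ifc=([^,\s]+)", " ".join(drop_phase.info))
        diag["input_ifc"] = m.group(1) if m else None
    return diag


if __name__ == "__main__":
    for k, v in (explain_drop(*parse_packet_tracer(SAMPLE_TRACE)) or {}).items():
        print(f"{k}: {v}")
```

Run on the post's trace, it reports phase 3 (ACCESS-LIST, Implicit Rule, evaluated on input interface WEB) as the drop point and flags the output interface "NP Identity Ifc". In packet-tracer that output interface, like the word "identity" in the phase 1 route lookup, means the destination address (10.10.20.2 here, the WEB interface's own address) is one the ASA itself owns, so that particular trace exercises traffic to the firewall rather than a through-the-box flow between the two VLANs. A trace with a host address on the far VLAN as the destination is the one that walks the inter-interface path governed by the same-security-traffic commands.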
