Hello All!
I've been facing an error on that device for a long time that I cannot solve.
I have 2 interfaces:
!
interface Vlan20
description Ch.Net
nameif CH
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan172
description Web.Net
nameif WEB
security-level 100
ip address 10.10.20.2 255.255.255.0
!
Configured permit:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Configured nat to outside:
object network chnet
nat (CH,WAN) dynamic interface
object network web.net
nat (WEB,WAN) dynamic interface dns
Some ACLs for DST-NAT to interface WAN; they work.
I have only one access-group:
access-group WAN-IN in interface WAN
What is not working is communication between Vlan20 and Vlan172 by implicit rule.
packet-tracer input WEB tcp 192.168.20.200 http 10.10.20.2 $
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.10.20.2 255.255.255.255 identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb603d68, priority=1, domain=nat-per-session, deny=true
hits=47691, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb8c9648, priority=0, domain=permit, deny=true
hits=4, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=WEB, output_ifc=any
Result:
input-interface: WEB
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
And I can't understand why; I tried configuring access-lists to allow the traffic in several different ways.
Still, I have the same security level (100), I permitted same-security traffic both ways, but I can't get it to work.
Previously I had 8.2 firmware, which was OK and worked, but now it's a 5505 with 9.24-33 configured from scratch.
BTW: I searched the discussions here and could find my exact situation, but still tried some configurations to fix it; nothing helped.
Could you help me?
Thank you in advance!
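Added here as an example for this thread, not code from the original post or from Cisco: a small Python script that parses packet-tracer output like the one above and checks the trace parameters against the interface table from the post. Two things it flags from the values in the post: the final output interface is "NP Identity Ifc" and 10.10.20.2 is the WEB interface's own address, so the trace as written exercises a packet addressed to the ASA itself rather than a flow between the two VLANs; and the source 192.168.20.200 belongs to CH's subnet although the packet was injected on WEB. The host address 10.10.20.50 and the ports in the suggested re-test are assumptions, not values from the post.

```python
"""Sanity-check an ASA packet-tracer run against the interface table.
Added example for this thread, not from the original post or from Cisco. The
interface addresses and trace parameters are copied from the post; the host
address and ports used in the suggested re-test are assumptions."""
import ipaddress
import re

# Interface table transcribed from the config in the post: nameif -> (ip, mask)
INTERFACES = {"CH": ("192.168.20.1", "255.255.255.0"),
              "WEB": ("10.10.20.2", "255.255.255.0")}
# Parameters of the post's packet-tracer command (its trailing port is cut off
# in the post and is not needed here).
TRACE = {"input": "WEB", "proto": "tcp", "src": "192.168.20.200", "dst": "10.10.20.2"}
# Constructed sample: the post's packet-tracer output, trimmed to phases 1 and 3.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in 10.10.20.2 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: WEB
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts and the final Result block."""
    phases, result, current, section, in_result = [], {}, None, "info", False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Result:":  # a bare 'Result:' starts the summary block
            in_result, current = True, None
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = "info"
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if in_result:
            if sep:
                result[key] = value.strip()
        elif current is None:
            continue
        elif sep and key in ("type", "subtype", "result"):
            current[key] = value.strip()
        elif sep and key in ("config", "additional information"):
            section = "config" if key == "config" else "info"
        else:  # rule text under Config: / Additional Information:
            current[section].append(line)
    return phases, result

def diagnose(trace, phases, result, interfaces):
    """Return (code, message) findings about the trace and its parameters."""
    nets = {n: ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for n, (ip, mask) in interfaces.items()}
    findings = []
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    if drop is not None:
        rule = "; ".join(drop["config"]) or "(no config shown)"
        findings.append(("DROP_PHASE", f"phase {drop['phase']} {drop['type']} dropped the "
                         f"flow by '{rule}': {result.get('drop-reason', '')}"))
    if result.get("output-interface") == "NP Identity Ifc":
        findings.append(("TO_THE_BOX", "output-interface is 'NP Identity Ifc': the packet "
                         "is addressed to the ASA itself, not forwarded between interfaces"))
    dst = ipaddress.ip_address(trace["dst"])
    for name, (ip, _mask) in interfaces.items():
        if ipaddress.ip_address(ip) == dst:
            findings.append(("DST_IS_INTERFACE", f"{dst} is interface {name}'s own address"))
    src = ipaddress.ip_address(trace["src"])
    if trace["input"] in nets and src not in nets[trace["input"]]:
        owners = ", ".join(n for n, net in nets.items() if src in net) or "no interface"
        findings.append(("SRC_NOT_ON_INPUT", f"source {src} is not in {trace['input']}'s "
                         f"subnet {nets[trace['input']]}; it belongs to {owners}"))
    return findings

def suggest_retest(trace, interfaces, target_host, src_port=12345, dst_port=80):
    """Through-the-box re-test: inject on the interface that owns the source
    address and aim at a host behind another interface (host/ports are assumed)."""
    src = ipaddress.ip_address(trace["src"])
    owner = next(n for n, (ip, mask) in interfaces.items()
                 if src in ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return f"packet-tracer input {owner} {trace['proto']} {trace['src']} {src_port} {target_host} {dst_port}"
```

Run `diagnose(TRACE, *parse_packet_tracer(SAMPLE_OUTPUT), INTERFACES)` to get the four findings, and `suggest_retest(TRACE, INTERFACES, "10.10.20.50")` for a trace that enters on CH and targets a host address behind WEB (the host address is a placeholder to replace with a real host). The interface-ownership checks are the part worth reusing: a packet-tracer run only says something about inter-interface traffic when the source is injected on the interface where it lives and the destination is a host behind another interface, not the firewall's own address.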