Internal subnets can ping each other, but can't browse.

  • Internal subnets can ping each other, but can't browse.

    I just installed a new ASA 5505 for an office with three internal subnets. The three networks can each get online fine and ping each other, but cannot browse to shares on the two internal networks other than their own. How do I configure the ASA to allow all traffic between these three inside networks?
    Here is the running config:
    show run
    : Saved
    ASA Version 8.4(1)
    hostname ASA
    domain-name NETWORK.LOCAL
    enable password 9FKvgw.UCVrfUD5M encrypted
    passwd 9FKvvDw.UCVrUdDM encrypted
    interface Vlan1
     nameif inside
     security-level 100
     ip address
    interface Vlan2
     nameif outside
     security-level 0
     ip address
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns server-group DefaultDNS
     domain-name NETWORK.LOCAL
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    object network Net1
    object network Net2
    object network Net3
    object network FD
    access-list global_access extended permit ip object Net1 any
    access-list global_access extended permit ip object Net2 any
    access-list global_access extended permit ip object Net3 any
    access-list global_access extended permit icmp interface inside any
    access-list outside_access_in extended permit gre any any
    access-list outside_access_in extended permit icmp any any echo-reply
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-641.bin
    no asdm history enable
    arp timeout 14400
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    access-group global_access global
    route outside 1
    route inside 1
    route inside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http inside
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet inside
    telnet outside
    telnet timeout 30
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address inside
    dhcpd dns interface inside
    dhcpd wins interface inside
    dhcpd domain NETWORK.LOCAL interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password qiyTRCDITAjP3aZE encrypted privilege 15
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http
      destination address email
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end

  • #2
    Re: Internal subnets can ping each other, but can't browse.

    Just to clarify:

    The main network (152.0) is connected to the Internet via the provider's router (152.2). The other two networks (153.0 & 154.0) connect through the ASA to the Internet. Therefore I have routes (or thought I did) for the other two networks to connect through the gateway for Internet access.

    The ASA is the only device doing the routing for the internal network, and there are no layer 2 or 3 switches, no internal VLANs, etc. They are, however, using an MPLS network from the provider. Two networks (153.0 & 154.0) come in through one LAN port on the ASA.

    I simply want all the internal subnets to be able to communicate with each other, unrestricted.


    • #3
      Re: Internal subnets can ping each other, but can't browse.

      It looks like your access rules are only permitting traffic of types IP and ICMP.

      You'll need to amend your rules and add rules that allow the appropriate sort of traffic between the networks.

      Exactly what, I'm not sure... hopefully this helps you a bit:
      Please do show your appreciation to those who assist you by leaving Rep Point


      • #4
        Re: Internal subnets can ping each other, but can't browse.

        Problem solved! I researched the firewall log showing the connection being denied, and found some others having an issue with asymmetric traffic. Here's the fix:

        Cisco Document ID: 111986
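
        Assuming the referenced document is Cisco's TCP state bypass configuration example, it addresses exactly this symptom: a hairpinned TCP session between two inside subnets only passes through the ASA in one direction, so stateful inspection drops the mid-handshake packets while stateless ICMP still gets through. The following is an added example of that configuration (not from the thread or from the Cisco document), reusing the Net1/Net2/Net3 objects already defined in the posted config and assuming they hold the three inside /24 subnets:

        ```cisco
        ! Added example: TCP state bypass scoped to inter-subnet traffic only, so the
        ! rest of the firewall keeps full stateful TCP inspection. Net1/Net2/Net3 are
        ! the objects from the posted config (assumed to be the three inside subnets).
        access-list tcp_bypass extended permit tcp object Net1 object Net2
        access-list tcp_bypass extended permit tcp object Net1 object Net3
        access-list tcp_bypass extended permit tcp object Net2 object Net1
        access-list tcp_bypass extended permit tcp object Net2 object Net3
        access-list tcp_bypass extended permit tcp object Net3 object Net1
        access-list tcp_bypass extended permit tcp object Net3 object Net2
        !
        class-map tcp_bypass
         match access-list tcp_bypass
        !
        policy-map tcp_bypass_policy
         class tcp_bypass
          set connection advanced-options tcp-state-bypass
        !
        ! Apply on the interface that sees the one-sided traffic. The existing
        ! "same-security-traffic permit intra-interface" line is what allows the
        ! hairpin on the inside interface in the first place.
        service-policy tcp_bypass_policy interface inside
        !
        ! Verify the policy is attached and counting hits:
        !   show service-policy interface inside
        ```

        Bypassed flows lose TCP state and normalization checks, so keep the ACL limited to the subnet pairs that need it and treat this as a workaround until the return path through the MPLS router is made symmetric.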


        • #5
          Re: Internal subnets can ping each other, but can't browse.

          Nice work mate, cheers for letting us know the solution!
          Please do show your appreciation to those who assist you by leaving Rep Point