11-19-2007 04:09 AM - edited 03-11-2019 04:32 AM
Hello.
My default gateway is an ASA5505 and I need to route a network through a router connected on the same interface as the source client.
So the traffic has to enter and exit by the same interface. To do that I use the same-security-traffic permit intra-interface command, but it works only with ICMP traffic.
Why? What do I have to do to permit all traffic?
My test configuration is the following:
ASA Version 7.2(3)
!
hostname ciscoasa
enable password xxx
names
!
interface Vlan1
nameif INSIDE
security-level 100
ip address 172.20.4.31 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd xxx
ftp mode passive
same-security-traffic permit intra-interface
access-list ACL-INSIDE-IN extended permit ip any any
access-list ACL-INSIDE-OUT extended permit ip any any
pager lines 24
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
access-group ACL-INSIDE-IN in interface INSIDE
access-group ACL-INSIDE-OUT out interface INSIDE
route INSIDE 10.132.1.0 255.255.255.0 172.20.4.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp INSIDE
telnet 172.20.4.0 255.255.255.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
management-access INSIDE
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
username test password xxx encrypted privilege 15
Thanks
11-21-2007 05:52 AM
to me it sounds like the return traffic is not going the same way back.
client -> fw -> router -> destination
return traffic:
destination -> router -> client
so the state table of the connection might be broken. and icmp is working because it's stateless.
just a guess - had a similar routing issue with two asa boxes in parallel setup (no HA).
11-21-2007 06:21 AM
Hello
Thank you very much for your answer.
I like your idea, but it raises a doubt in me.
I wonder: why does everything work fine if I replace the ASA with a router?
Any idea?
Thank you again.
11-21-2007 06:30 AM
I would agree with the previous poster. The router that you replace the ASA with would not be keeping a state table to break, just happily route away. The ASA however, on not seeing a SYNACK return through it for the SYN it has already seen, will deny the TCP connection.
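The two replies above describe the mechanism in words: the ASA records the client's SYN, never sees the SYN/ACK because the router hands it straight back to the client on the shared segment, and therefore drops the client's next segment as belonging to no known connection, while ICMP echo is not tracked the same way. The following is an added illustration (not Cisco code and not from the thread) that models that connection-table behaviour with constructed packets; the hosts 172.20.4.100 and 10.132.1.50 and the ports are assumptions, and the table logic is a deliberate simplification of real ASA TCP tracking.

```python
"""Model of a stateful firewall seeing only one direction of a hairpinned
TCP flow. Added illustration, not ASA code; all packets are constructed."""
from dataclasses import dataclass

CLIENT = "172.20.4.100"   # constructed host on the INSIDE segment
SERVER = "10.132.1.50"    # constructed host behind the 172.20.4.30 router


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    flags: str = ""       # TCP flags as letters: "S", "SA", "A"
    sport: int = 0
    dport: int = 0


class StatefulFirewall:
    """Minimal connection table: a TCP flow is ESTABLISHED only after the
    firewall has seen the SYN and then the SYN/ACK in the reverse direction."""

    def __init__(self):
        self.conns = {}   # 5-tuple of the client->server direction -> state
        self.log = []     # human-readable trace, one line per packet

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _verdict(self, verdict, p, reason):
        self.log.append(f"{verdict} {p.proto} {p.src}->{p.dst} {p.flags}: {reason}")
        return verdict

    def process(self, p):
        if p.proto == "icmp":
            # The thread treats ICMP echo as effectively stateless; a reply that
            # never traverses the firewall costs nothing, so pings keep working.
            return self._verdict("ALLOW", p, "icmp not tracked like tcp")
        if "S" in p.flags and "A" not in p.flags:
            self.conns[self.key(p)] = "SYN_SEEN"
            return self._verdict("ALLOW", p, "new connection, SYN recorded")
        if p.flags == "SA":
            k = self.reverse_key(p)
            if self.conns.get(k) == "SYN_SEEN":
                self.conns[k] = "ESTABLISHED"
                return self._verdict("ALLOW", p, "SYN/ACK completes handshake")
            return self._verdict("DENY", p, "SYN/ACK without matching SYN")
        # Any other segment must belong to a connection that completed the handshake here.
        if "ESTABLISHED" in (self.conns.get(self.key(p)), self.conns.get(self.reverse_key(p))):
            return self._verdict("ALLOW", p, "established")
        return self._verdict("DENY", p, "no established connection for this segment")


def hairpin_scenario(return_path_via_firewall):
    """Replay the thread's exchange. With return_path_via_firewall=False the
    router delivers the SYN/ACK directly to the client and the ASA never sees it."""
    fw = StatefulFirewall()
    syn = Packet(CLIENT, SERVER, "tcp", "S", 40000, 80)
    synack = Packet(SERVER, CLIENT, "tcp", "SA", 80, 40000)
    ack = Packet(CLIENT, SERVER, "tcp", "A", 40000, 80)
    verdicts = [fw.process(syn)]
    if return_path_via_firewall:
        verdicts.append(fw.process(synack))
    verdicts.append(fw.process(ack))
    # The echo request always crosses the firewall; its reply may bypass it harmlessly.
    verdicts.append(fw.process(Packet(CLIENT, SERVER, "icmp")))
    return verdicts, fw.log


if __name__ == "__main__":
    for symmetric in (True, False):
        verdicts, trace = hairpin_scenario(symmetric)
        print("symmetric" if symmetric else "asymmetric", verdicts)
        for line in trace:
            print("  ", line)
```

Running it prints ALLOW for every packet on the symmetric path and DENY for the client's ACK on the asymmetric one, which is the pattern the protocol-analyzer check later in the thread confirms (frames go client -> ASA -> router, nothing returns through the ASA). On a real ASA the dropped segment is the one that surfaces in the syslog as a "Deny TCP (no connection)" message, so that log line is the first thing to look for when only ICMP survives a hairpinned path.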
11-21-2007 07:50 AM
kagodfrey is right, there is no state table on an (IP Base) router - maybe you would have the same issue with a FW IOS on the router.
maybe you can reconfigure your routing: default gateway for all clients is the internal router, the internal router uses the asa as the default gw...
hope that helps,
regards,
juergen
11-22-2007 02:28 AM
Yes, it's right. I verified it by monitoring the ASA interface with a protocol analyzer: frames from the PC get to the ASA and then from the ASA go to the router, but nothing comes back through the ASA.
We can solve the problem by working on the router, adding a static route that routes the router's local network through the ASA.
That works but I don't think it's a good thing.
Thank you to all
11-22-2007 06:58 AM
"We can solve the problem by working on the router, adding a static route that routes the router's local network through the ASA."
won't work - that network is locally connected and so it already has a route to it - if you add a static route this one won't make it into the routing table because static routes have an administrative distance of 1 while locally connected network routes have an AD of 0.
changing the default gateway on all hosts is imho the best solution and you're more flexible with a router as default gateway.
of course it can be a lot of work :-(
regards,
Juergen
11-22-2007 07:40 AM
Yes, you are right.
In fact, I tried adding a static route only for my testing host, so the added route is a strict match and it works, but you can't do the same with the entire network.
Regards
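The exchange above turns on two routing rules: a route for a prefix that is already connected loses to the connected route on administrative distance (AD 1 versus AD 0), but a more specific host route is a different prefix and wins by longest-prefix match, which is why the per-host test worked and the whole-network static route did not. The following added illustration (not IOS code and not from the thread) models a routing table with both rules; the router's two connected networks and the ASA address 172.20.4.31 come from the thread, while the test host 172.20.4.100 and the other host 172.20.4.77 are constructed.

```python
"""Routing-table model: install-by-administrative-distance per prefix, then
longest-prefix match on lookup. Added illustration, not Cisco IOS code."""
import ipaddress

CONNECTED_AD = 0   # AD of a directly connected network, as quoted in the thread
STATIC_AD = 1      # AD of a static route, as quoted in the thread


class Rib:
    def __init__(self):
        self.routes = {}   # ip_network -> (ad, next_hop, source)

    def add(self, prefix, ad, next_hop, source):
        """Install the route unless a lower-AD route for the identical prefix
        already exists. Returns True when the route made it into the table."""
        net = ipaddress.ip_network(prefix)
        current = self.routes.get(net)
        if current is None or ad < current[0]:
            self.routes[net] = (ad, next_hop, source)
            return True
        return False

    def lookup(self, addr):
        """Longest-prefix match; returns (source, next_hop) or None."""
        ip = ipaddress.ip_address(addr)
        matches = [(net, entry) for net, entry in self.routes.items() if ip in net]
        if not matches:
            return None
        net, (ad, next_hop, source) = max(matches, key=lambda m: m[0].prefixlen)
        return source, next_hop


def router_view(test_host="172.20.4.100", other_host="172.20.4.77"):
    """Rebuild the test router's table as described in the thread, then try both
    of the static-route ideas: one for the whole connected /24, one for a single host."""
    rib = Rib()
    rib.add("172.20.4.0/24", CONNECTED_AD, None, "connected")   # router's 172.20.4.30 side
    rib.add("10.132.1.0/24", CONNECTED_AD, None, "connected")   # router's 10.132.1.30 side
    whole_net = rib.add("172.20.4.0/24", STATIC_AD, "172.20.4.31", "static")
    host_route = rib.add(test_host + "/32", STATIC_AD, "172.20.4.31", "static")
    return {
        "static_for_whole_net_installed": whole_net,
        "static_for_test_host_installed": host_route,
        "path_to_test_host": rib.lookup(test_host),
        "path_to_other_host": rib.lookup(other_host),
    }


if __name__ == "__main__":
    for name, value in router_view().items():
        print(f"{name}: {value}")
```

The result shows the whole-network static route rejected, the /32 installed, replies to the test host forwarded to the ASA at 172.20.4.31 (so the ASA sees both directions again), and replies to every other host on 172.20.4.0/24 still delivered directly over the connected interface, which is the asymmetric case the thread started with.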
11-26-2007 08:33 PM
Please confirm the network you are routing to.
You should be able to route a network from the firewall to the router both on the internal (inside) interface of the ASA.
Looking at the config the network in question is 10.132.10/24. Is this correct?
If so kindly show the router config (4.30)
Tim
11-27-2007 12:58 AM
Yes the network is correct.
We are talking about a test environment, so the router has 2 Ethernet interfaces configured respectively as 172.20.4.30 and 10.132.1.30 and nothing else.
Regards