01-24-2008 02:58 PM - edited 03-11-2019 04:53 AM
I have three subnets connected through a router in my LAN (Inside interface):
route Outside 0.0.0.0 0.0.0.0 1x.1az.az.161 1
route Inside 192.168.2.0 255.255.255.0 192.168.0.254 1
route Inside 192.168.16.0 255.255.255.0 192.168.0.254 1
route Inside 192.168.55.0 255.255.255.0 192.168.0.254 1
I can reach the IPs in 192.168.2.0/24 and the other two subnets from the ASA,
but not from a PC on my LAN; I tried ACLs etc.
Am I missing something here?
01-26-2008 11:40 AM
Hi, you have 2 ways to resolve this. ASA/PIX does not support "redirect traffic", also called "hairpinning", for unencrypted traffic before v7.2; it's a security feature. After v7.2, you can do this with NAT + "same-security-traffic permit intra-interface".
1. the "correct" way: let your router/layer 3 switch handle internal routing unless you need to control traffic among those subnets, and have the firewall just do access control/VPN.
a. set up all internal PCs' default gateway to point to 192.168.0.254
b. set up the router's default route pointing to the inside interface of the firewall; the router will do the routing/redirect job
c. remove those 3 static routes
2. the "feasible" way
a. make sure you have v7.2 or later
b. same-security-traffic permit intra-interface
c. configure proper NAT; in your case, try this code:
access-list inside_outbound_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.16.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.55.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0
If you have an existing NAT exemption statement, just merge them. In this way, you can even put an ACL between 192.168.0.0 and the other 3 subnets. This code has not been verified; test it after hours.
Please rate if it helps.
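The accepted answer above lists the NAT exemption ACL in both directions (192.168.0.0/24 to each remote subnet, and each remote subnet back to 192.168.0.0/24). The script below is an added example, not code from the thread or from Cisco: it parses `access-list ... extended permit ip` lines of the kind shown above and reports any exemption whose return direction is missing, printing the ACE line that would complete the pair. The ACL name `inside_outbound_nat0` and both sample ACL texts are taken from the thread; the three-line subset is the one the original poster later reported adding, embedded here as constructed sample input.

```python
import ipaddress
import re

# Constructed sample: the six-line NAT-exemption ACL from the accepted answer.
ACL_FULL = """
access-list inside_outbound_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.16.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.55.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
"""

# Constructed sample: the three-line subset the original poster reported adding.
ACL_PARTIAL = """
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
"""

# Matches only the "permit ip <net> <mask> <net> <mask>" form used in the thread.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_nat0_acl(text, name="inside_outbound_nat0"):
    """Return the set of (src_network, dst_network) pairs permitted by the named ACL."""
    pairs = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group("name") != name:
            continue
        # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits.
        src = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}", strict=False)
        dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
        pairs.add((src, dst))
    return pairs


def missing_return_entries(text, name="inside_outbound_nat0"):
    """For every (src, dst) exemption without a matching (dst, src), return the ACE line that adds it."""
    pairs = parse_nat0_acl(text, name)
    missing = []
    for src, dst in sorted(pairs):
        if (dst, src) not in pairs:
            missing.append(
                f"access-list {name} extended permit ip "
                f"{dst.network_address} {dst.netmask} {src.network_address} {src.netmask}"
            )
    return missing


if __name__ == "__main__":
    print("full ACL, missing return entries:", missing_return_entries(ACL_FULL))
    print("partial ACL, missing return entries:")
    for ace in missing_return_entries(ACL_PARTIAL):
        print(" ", ace)
```

Run against the three-line subset, the script lists the three return-direction ACEs from the accepted answer that are absent; run against the full six-line ACL it reports nothing missing. The check is deliberately narrow: it only inspects `permit ip` network-to-network entries and says nothing about whether `nat (inside) 0 access-list` is actually applied or whether `same-security-traffic permit intra-interface` is set, both of which the answer also requires.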
01-24-2008 04:05 PM
Is the following command entered:
same-security-traffic permit intra-interface
01-24-2008 04:49 PM
Added but no luck. Any other commands?
01-24-2008 04:59 PM
mifw# sh run | in route
route Outside 0.0.0.0 0.0.0.0 1a.1xx.3b.1x1 1
route Inside 192.168.2.0 255.255.255.0 192.168.0.254 1
route Inside 192.168.16.0 255.255.255.0 192.168.0.254 1
route Inside 192.168.55.0 255.255.255.0 192.168.0.254 1
route Inside 208.134.161.0 255.255.255.0 192.168.0.67 1
mifw# sh run | in same
same-security-traffic permit intra-interface
mifw# ping inside 192.168.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/50 ms
mifw# ping inside 192.168.55.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/34/40 ms
mifw#
The same ping fails from the PC on this LAN.
01-24-2008 05:20 PM
I would be very interested in this as well, I have the same problem.
01-24-2008 06:35 PM
Can you connect to other network services from a PC to those subnets? i.e., have you tested anything besides ping/ICMP?
01-25-2008 01:10 PM
Yes, we had a Watchguard firewall and it used to work fine with that, both ping and our application; now with the ASA it doesn't work. However, if I add static routes on the PC like
route add 192.168.55.0 MASK 255.255.255.0 192.168.0.254
route add 192.168.2.0 MASK 255.255.255.0 192.168.0.254
route add 192.168.16.0 MASK 255.255.255.0 192.168.0.254
it works for that PC, but again this is not the correct way.
01-25-2008 01:55 PM
Unless you're doing some weird NAT things on the firewall, causing ARP issues, I'm not sure what it could be.
You could further subnet your LAN that is directly behind the firewall, then add a subinterface to one of the routers, so that would be your LAN's default gateway. On another subinterface, put that on the same LAN as the firewall inside interface; on that router, put a default route statement in pointing to the firewall.
Normally you would do all that with a layer 3 switch, but it doesn't sound like you have one of those.
01-25-2008 05:21 PM
Strange; is it true the PIX/ASA cannot redirect a packet coming in and leaving on the same interface? That's what I came to know from a colleague. Other firewalls do that; is there a way to make it happen using a NAT policy/NAT rule etc.?
I don't think it is feasible for us to make a subinterface on the PIX, as that will cause us to move the internal router to a different subnet. Any other suggestions?
01-26-2008 09:37 AM
same-security-traffic permit intra-interface
That command allows traffic to enter and leave the same interface.
01-27-2008 11:31 PM
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0
Just adding the above NAT rules helped, thanks a lot. I'll be testing with the user application; thanks for your help.
01-29-2008 05:14 PM
Only ICMP works; I get the following in the syslog for RDP and other applications:
Jan 29 2008 11:46:13: %ASA-6-302013: Built inbound TCP connection 2692400 for Inside:192.168.0.77/4442 (192.168.0.77/4442) to Inside:192.168.16.74/3389 (192.168.16.74/3389)
Jan 29 2008 11:46:13: %ASA-6-302014: Teardown TCP connection 2692414 for Inside:192.168.0.75/2923 to Inside:192.168.16.65/135 duration 0:00:00 bytes 0 TCP Reset-O
Jan 29 2008 11:46:25: %ASA-6-302013: Built inbound TCP connection 2692487 for Inside:192.168.0.77/4443 (192.168.0.77/4443) to Inside:192.168.16.74/3389 (192.168.16.74/3389)
Jan 29 2008 11:46:25: %ASA-6-302014: Teardown TCP connection 2692487 for Inside:192.168.0.77/4443 to Inside:192.168.16.74/3389 duration 0:00:00 bytes 0 TCP Reset-O
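The syslog lines in the post above show a pattern worth being able to pick out of a larger log automatically: 302013 "Built" and 302014 "Teardown" events for TCP connections that enter and leave the same interface (`Inside` to `Inside`), carry `bytes 0`, and end in `TCP Reset-O`. The script below is an added example, not code from the thread or from Cisco: it parses those two message types, pairs teardowns with builds by connection ID, and lists the same-interface connections that were torn down with no data after a reset. The four log lines are the ones quoted above; the fifth and sixth (connection id 2692500 to 203.0.113.10) are constructed here as a healthy contrast and are not from the thread.

```python
import re

# Constructed sample: the four ASA syslog lines quoted in the post above, plus one
# constructed healthy outbound connection (id 2692500) for contrast.
SAMPLE_LOG = """\
Jan 29 2008 11:46:13: %ASA-6-302013: Built inbound TCP connection 2692400 for Inside:192.168.0.77/4442 (192.168.0.77/4442) to Inside:192.168.16.74/3389 (192.168.16.74/3389)
Jan 29 2008 11:46:13: %ASA-6-302014: Teardown TCP connection 2692414 for Inside:192.168.0.75/2923 to Inside:192.168.16.65/135 duration 0:00:00 bytes 0 TCP Reset-O
Jan 29 2008 11:46:25: %ASA-6-302013: Built inbound TCP connection 2692487 for Inside:192.168.0.77/4443 (192.168.0.77/4443) to Inside:192.168.16.74/3389 (192.168.16.74/3389)
Jan 29 2008 11:46:25: %ASA-6-302014: Teardown TCP connection 2692487 for Inside:192.168.0.77/4443 to Inside:192.168.16.74/3389 duration 0:00:00 bytes 0 TCP Reset-O
Jan 29 2008 11:47:02: %ASA-6-302013: Built outbound TCP connection 2692500 for Inside:192.168.0.77/4450 (192.168.0.77/4450) to Outside:203.0.113.10/443 (203.0.113.10/443)
Jan 29 2008 11:47:40: %ASA-6-302014: Teardown TCP connection 2692500 for Inside:192.168.0.77/4450 to Outside:203.0.113.10/443 duration 0:00:38 bytes 15320 TCP FINs
"""

# %ASA-6-302013: Built <dir> TCP connection <id> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)
# %ASA-6-302014: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port> duration H:MM:SS bytes N <reason>
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) duration (?P<duration>\d+:\d+:\d+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def parse_asa_tcp_events(text):
    """Parse 302013/302014 lines into event dicts; lines of any other type are skipped."""
    events = []
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            e = m.groupdict()
            e["event"] = "built"
        else:
            m = TEARDOWN_RE.search(line)
            if not m:
                continue
            e = m.groupdict()
            e["event"] = "teardown"
            e["bytes"] = int(e["bytes"])
        e["id"] = int(e["id"])
        # Ingress and egress interface identical: this is hairpinned (intra-interface) traffic.
        e["same_interface"] = e["sif"] == e["dif"]
        events.append(e)
    return events


def failed_hairpin_connections(text):
    """Return teardowns of same-interface TCP connections that moved no data and ended in a reset."""
    events = parse_asa_tcp_events(text)
    built_ids = {e["id"] for e in events if e["event"] == "built"}
    failures = []
    for e in events:
        if e["event"] != "teardown" or not e["same_interface"]:
            continue
        if e["bytes"] == 0 and e["reason"].startswith("TCP Reset"):
            failures.append({
                "id": e["id"],
                "flow": f"{e['sip']}:{e['sport']} -> {e['dip']}:{e['dport']}",
                "reason": e["reason"],
                # False means the Built line for this id is not in the window we were given.
                "built_seen": e["id"] in built_ids,
            })
    return failures


if __name__ == "__main__":
    for f in failed_hairpin_connections(SAMPLE_LOG):
        print(f)
```

On the sample, the two `Inside` to `Inside` teardowns (ids 2692414 and 2692487) are reported and the constructed outbound HTTPS connection is not; `built_seen` is True only for 2692487, since the quoted excerpt has no Built line for 2692414. Grouping the output by destination port (3389, 135) is a quick way to see which applications are affected, which is the question the post is asking.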
01-28-2008 12:00 AM
Hi pengfang, if you can help me with VPN, can you address this: "I was able to integrate NT Domain authentication for the VPN clients; however, I need to know if I can restrict this authentication to a particular user group in the NT. All other users should not be allowed to VPN in." This posting is in the VPN section. Thanks in advance.
01-29-2008 10:24 AM