
Static route on inside interface of ASA doesn't work

asirajahmed28
Level 1

I have three subnets connected through a router on my LAN (Inside interface):

route Outside 0.0.0.0 0.0.0.0 1x.1az.az.161 1

route Inside 192.168.2.0 255.255.255.0 192.168.0.254 1

route Inside 192.168.16.0 255.255.255.0 192.168.0.254 1

route Inside 192.168.55.0 255.255.255.0 192.168.0.254 1

I can reach the IPs in 192.168.2.0/24 and the other two subnets from the ASA,

but not from a PC on my LAN; I tried with ACLs etc.

Am I missing something here?

Accepted Solutions

Hi, you have 2 ways to resolve this. ASA/PIX does not support "redirect traffic", also called "hairpinning", for unencrypted traffic before v7.2; it's a security feature. After v7.2, you can do this with NAT + "same-security-traffic permit intra-interface".

1. the "correct" way: let your router/layer 3 switch handle internal routing unless you need to control traffic among those subnets, and let the firewall just do access control/VPN.

a. You can set all internal PCs' default gateway to point to 192.168.0.254

b. Set the router's default route pointing to the inside interface of the firewall; the router will do the routing/redirect job

c. Remove those 3 static routes

2. the "feasible" way

a. Make sure you have v7.2 or later

b. same-security-traffic permit intra-interface

c. Configure proper NAT; in your case, try this code:

access-list inside_outbound_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_outbound_nat0 extended permit ip 192.168.16.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_outbound_nat0 extended permit ip 192.168.55.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0

If you have existing NAT exemption statements, just merge them. In this way, you can even put an ACL between 192.168.0.0 and the other 3 subnets. This code has not been verified; test it after hours.

Please rate if it helps.
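The "feasible" way above is really three things that have to agree with each other: the static routes toward the internal router, a NAT exemption that covers both directions for every routed subnet, and the intra-interface permit. The following Python helper is an added example for this thread, not code from the original post or from Cisco; it emits all three from one description of the topology, in the legacy (pre-8.3) `nat (inside) 0 access-list` syntax the thread uses, and refuses two mistakes that are easy to make by hand: a next hop that is not on the connected subnet, and a "remote" subnet that overlaps it. The function name, parameter names and default ACL name are my own choices; the ACL name `inside_outbound_nat0` and the addresses in the usage call are the ones from the post.

```python
import ipaddress
from typing import Iterable, List


def hairpin_config(local_net: str, router_ip: str, remote_nets: Iterable[str],
                   interface: str = "inside",
                   acl_name: str = "inside_outbound_nat0") -> List[str]:
    """Return the ASA lines for U-turning traffic on one interface (hypothetical
    helper, not an ASA command):

      * same-security-traffic permit intra-interface
      * one static route per remote subnet via the internal router
      * one NAT-exempt permit per direction per remote subnet
      * the nat 0 binding that activates the exemption (pre-8.3 syntax)

    `local_net` is the subnet directly on `interface`; `router_ip` is the
    internal router's address on that subnet; `remote_nets` are the subnets
    behind the router."""
    local = ipaddress.ip_network(local_net, strict=True)
    gw = ipaddress.ip_address(router_ip)
    if gw not in local:
        # A static route whose next hop is not on the connected subnet is
        # unreachable; catch it here instead of discovering it on the box.
        raise ValueError(f"next hop {gw} is not on the connected subnet {local}")

    routes: List[str] = []
    acl: List[str] = []
    for spec in remote_nets:
        remote = ipaddress.ip_network(spec, strict=True)
        if remote.overlaps(local):
            # Routing part of the connected subnet back out the same interface
            # is a misconfiguration, not a hairpin; refuse to emit it.
            raise ValueError(f"{remote} overlaps the connected subnet {local}")
        routes.append(
            f"route {interface} {remote.network_address} {remote.netmask} {gw} 1"
        )
        # Exemption is needed in both directions; the post's first attempt with
        # only one direction is what the reply below found insufficient.
        for src, dst in ((remote, local), (local, remote)):
            acl.append(
                f"access-list {acl_name} extended permit ip "
                f"{src.network_address} {src.netmask} "
                f"{dst.network_address} {dst.netmask}"
            )

    return (["same-security-traffic permit intra-interface"]
            + routes
            + acl
            + [f"nat ({interface}) 0 access-list {acl_name}"])


if __name__ == "__main__":
    # Topology from the question: 192.168.0.0/24 on the inside interface,
    # internal router at 192.168.0.254, three subnets behind it.
    for line in hairpin_config("192.168.0.0/24", "192.168.0.254",
                               ["192.168.2.0/24", "192.168.16.0/24", "192.168.55.0/24"]):
        print(line)
```

Paste the output into the config after checking it against any NAT exemption ACL you already have, as the reply says; on 8.3 and later the `nat (inside) 0 access-list` line no longer exists and the exemption is expressed as a twice-NAT identity rule instead.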

16 Replies

srue
Level 7

Is the following command entered?

same-security-traffic permit intra-interface

Added, but no luck. Any other commands?

mifw# sh run | in route

route Outside 0.0.0.0 0.0.0.0 1a.1xx.3b.1x1 1

route Inside 192.168.2.0 255.255.255.0 192.168.0.254 1

route Inside 192.168.16.0 255.255.255.0 192.168.0.254 1

route Inside 192.168.55.0 255.255.255.0 192.168.0.254 1

route Inside 208.134.161.0 255.255.255.0 192.168.0.67 1

mifw# sh run | in same

same-security-traffic permit intra-interface

mifw# ping inside 192.168.16.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/50 ms

mifw# ping inside 192.168.55.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 30/34/40 ms

mifw#

The same ping fails from the PC on this LAN.

I would be very interested in this as well, I have the same problem.

Can you connect to other network services from a PC to those subnets? I.e., have you tested anything besides ping/ICMP?

Yes, we had a WatchGuard firewall and it used to work fine with that, both ping and our application; now with the ASA it doesn't work. However, if I add a static route on the PC like

route add 192.168.55.0 MASK 255.255.255.0 192.168.0.254

route add 192.168.2.0 MASK 255.255.255.0 192.168.0.254

route add 192.168.16.0 MASK 255.255.255.0 192.168.0.254

it works for that PC, but again this is not the correct way.

Unless you're doing some weird NAT things on the firewall, causing ARP issues, I'm not sure what it could be.

You could further subnet your LAN that is directly behind the firewall, then add a subinterface to one of the routers so that it becomes your LAN's default gateway. Put another subinterface on the same LAN as the firewall's inside interface, and on that router put a default route statement pointing to the firewall.

Normally you would do all that with a layer 3 switch, but it doesn't sound like you have one of those.

Strange; is it true that a PIX/ASA cannot redirect packets coming in and leaving on the same interface? That's what I came to know from a colleague. Other firewalls do that; is there a way to make it happen using a NAT policy/NAT rule etc.?

I don't think it is feasible for us to make a subinterface on the PIX, as that would force us to move the internal router to a different subnet. Any other suggestions?

same-security-traffic permit intra-interface

That command allows traffic to enter and leave the same interface.

access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0

Just adding the above NAT rules helped, thanks a lot. I'll be testing with the user application; thanks for your help.

Only ICMP works; I get the following in the syslog for RDP and other applications:

Jan 29 2008 11:46:13: %ASA-6-302013: Built inbound TCP connection 2692400 for Inside:192.168.0.77/4442 (192.168.0.77/4442) to Inside:192.168.16.74/3389 (192.168.16.74/3389)

Jan 29 2008 11:46:13: %ASA-6-302014: Teardown TCP connection 2692414 for Inside:192.168.0.75/2923 to Inside:192.168.16.65/135 duration 0:00:00 bytes 0 TCP Reset-O

Jan 29 2008 11:46:25: %ASA-6-302013: Built inbound TCP connection 2692487 for Inside:192.168.0.77/4443 (192.168.0.77/4443) to Inside:192.168.16.74/3389 (192.168.16.74/3389)

Jan 29 2008 11:46:25: %ASA-6-302014: Teardown TCP connection 2692487 for Inside:192.168.0.77/4443 to Inside:192.168.16.74/3389 duration 0:00:00 bytes 0 TCP Reset-O
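The two %ASA-6-302014 lines above share one signature: both ends of the connection are on Inside, the duration is 0:00:00, 0 bytes were carried, and the close reason is TCP Reset-O (a reset seen from the responder side). That is the pattern of a session the ASA built but never saw complete, which is what you get when the client's gateway is the ASA but the router's reply path to the client does not cross the ASA at all; ping survives that because the echo reply never needs the firewall, TCP does not. The script below is an added example, not from the thread; it parses 302013/302014 lines and flags intra-interface TCP sessions that died with that signature, so the symptom can be counted across a whole log rather than read off four lines. The first four sample lines are copied from the post; the fifth is a constructed, healthy Inside-to-Outside teardown added for contrast. Function names and the one-second "dead session" threshold are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: lines 1-4 are the syslog entries from the post above; line 5 is
# a constructed healthy session (documentation address 203.0.113.10) so the
# filter has something it must NOT flag.
SAMPLE_LOGS = """\
Jan 29 2008 11:46:13: %ASA-6-302013: Built inbound TCP connection 2692400 for Inside:192.168.0.77/4442 (192.168.0.77/4442) to Inside:192.168.16.74/3389 (192.168.16.74/3389)
Jan 29 2008 11:46:13: %ASA-6-302014: Teardown TCP connection 2692414 for Inside:192.168.0.75/2923 to Inside:192.168.16.65/135 duration 0:00:00 bytes 0 TCP Reset-O
Jan 29 2008 11:46:25: %ASA-6-302013: Built inbound TCP connection 2692487 for Inside:192.168.0.77/4443 (192.168.0.77/4443) to Inside:192.168.16.74/3389 (192.168.16.74/3389)
Jan 29 2008 11:46:25: %ASA-6-302014: Teardown TCP connection 2692487 for Inside:192.168.0.77/4443 to Inside:192.168.16.74/3389 duration 0:00:00 bytes 0 TCP Reset-O
Jan 29 2008 11:47:02: %ASA-6-302014: Teardown TCP connection 2692500 for Inside:192.168.0.77/4450 to Outside:203.0.113.10/443 duration 0:00:12 bytes 5120 TCP FINs
"""

# 302013: "Built inbound|outbound TCP connection <id> for <if>:<ip>/<port> (...) to <if>:<ip>/<port> (...)"
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) \(.*?\) "
    r"to (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# 302014: "Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port> duration H:MM:SS bytes <n> <reason>"
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


@dataclass
class Finding:
    conn_id: str
    src: str
    dst: str
    reason: str


def duration_seconds(hms: str) -> int:
    """Convert the ASA's H:MM:SS duration field to seconds."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def hairpin_builds(log_text: str) -> Dict[str, str]:
    """Every 302013 whose ingress and egress interface are the same, i.e. every
    session the ASA was asked to U-turn. Maps connection id -> 'src -> dst'."""
    out: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m and m["src_if"] == m["dst_if"]:
            out[m["id"]] = f'{m["src"]}/{m["sport"]} -> {m["dst"]}/{m["dport"]}'
    return out


def find_failed_hairpins(log_text: str, max_seconds: int = 1) -> List[Finding]:
    """302014 teardowns of intra-interface sessions that never carried data and
    were closed by a reset within `max_seconds`: the signature of a hairpinned
    session whose return traffic bypassed the firewall."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        hairpinned = m["src_if"] == m["dst_if"]
        dead = int(m["bytes"]) == 0 and duration_seconds(m["dur"]) <= max_seconds
        if hairpinned and dead and "Reset" in m["reason"]:
            findings.append(Finding(
                conn_id=m["id"],
                src=f'{m["src"]}/{m["sport"]}',
                dst=f'{m["dst"]}/{m["dport"]}',
                reason=m["reason"],
            ))
    return findings


if __name__ == "__main__":
    print("hairpinned sessions built:", hairpin_builds(SAMPLE_LOGS))
    for f in find_failed_hairpins(SAMPLE_LOGS):
        print(f"dead hairpin {f.conn_id}: {f.src} -> {f.dst} ({f.reason})")
```

Run it against `show logging` output or the syslog server's file instead of the embedded sample; if every intra-interface build shows up as a zero-byte reset, the NAT exemption is fine and the problem is the return path, which is the point of the "correct" way in the accepted answer (let the router, not the firewall, carry inter-subnet traffic).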

Hi pengfang, if you can help me with VPN, can you address this: "I was able to integrate NT Domain authentication for the VPN clients; however, I need to know if I can restrict this authentication to a particular user group in NT. All other users should not be allowed to VPN in." This posting is in the VPN section. Thanks in advance.
