Forward packet on same subnet

Unanswered Question
Mar 3rd, 2008

In order to accommodate a misbehaving application which ignores the routing table on the host and forwards all packets to the default route, I have a need to allow our 2811 router to accept packets from this system and forward them on the same subnet to our ASA 5510 firewall.


Debugs on the 2811 Router show packets received from this host destined for the firewall dropped with an "access denied" message.


I know that Pix firewalls will not forward packets on the same interface, but I seem to recall having no issues with doing this on IOS routers in the past.


I have tried to allow the router to send back ICMP redirects by enabling "ip redirect" on the interface; while this works, it is extremely slow for the host machine, causing other problems.

Overall Rating: 4 (3 ratings)
Jon Marshall Mon, 03/03/2008 - 12:41

Hi


You should be able to redirect packets out of the same interface on a router so could you post the config of the 2811.


Jon

Richard Burts Mon, 03/03/2008 - 13:04

Jon (K)


I agree with Jon (M) that having your router forward packets back out the same interface that they were received on should be no issue for the router. Your post talks about access denied and that sounds very much like there was an access list on the interface. So seeing the router config would be very helpful. It might also be nice if you would post examples of the error message that you are seeing.


HTH


Rick

J.Kneebone Mon, 03/03/2008 - 13:08

I had an access list on the outbound interface that was intended to block traffic from the inside.


It just occurred to me that it would also apply to traffic being bounced off the interface from the outside as well.


Thanks for helping me get back on the right thought train...

Richard Burts Mon, 03/03/2008 - 13:13

Jon


Glad that we were able to help.


HTH


Rick

Paolo Bevilacqua Mon, 03/03/2008 - 14:35

Really the rating should have been higher for the post above that is 100% correct and generous in willing to help by asking for configuration, so I've tried to balance things a bit with my '5'.

Jon Marshall Mon, 03/03/2008 - 14:52

Hi Paolo


Many thanks for taking the time to read and rate. Hope to return the favour sometime :)


Jon
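
The cause found in this thread, as an added example that is not part of the original discussion: a small Python model of route lookup followed by a first-match outbound ACL, showing that a packet entering and leaving on the same interface is still filtered by that interface's outbound ACL. The interface names, addresses and ACL entries are constructed for illustration, since the thread does not include the router config.

```python
import ipaddress

def acl_permits(acl, src, dst):
    """First-match ACL evaluation; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def forward(src, dst, in_if, routes, out_acls):
    """Longest-prefix route lookup, then the egress interface's outbound ACL.

    Returns (egress_if, hairpin, verdict). The outbound ACL is checked on the
    egress interface whatever the ingress interface was, so a packet that
    enters and leaves on the same interface (hairpin) is filtered too.
    """
    d = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if d in ipaddress.ip_network(p)]
    if not matches:
        return None, False, "drop: no route"
    _, egress = max(matches, key=lambda m: m[0].prefixlen)
    acl = out_acls.get(egress)
    permitted = True if acl is None else acl_permits(acl, src, dst)
    return egress, egress == in_if, "forward" if permitted else "drop: access denied"

# Constructed topology (assumption): Fa0/0 is the shared subnet 192.0.2.0/24
# holding the host and the firewall; Fa0/1 is the inside LAN 10.0.0.0/24.
ROUTES = [("0.0.0.0/0", "Fa0/0"), ("10.0.0.0/24", "Fa0/1")]
HOST = "192.0.2.50"        # the host that sends everything to its default route
REMOTE = "198.51.100.10"   # a destination reached through the firewall

# Outbound ACL written with only inside-sourced traffic in mind.
ORIGINAL = {"Fa0/0": [("permit", "10.0.0.0/24", "198.51.100.0/24")]}
# Narrow fix: permit just the hairpinned host to the networks it needs.
FIXED = {"Fa0/0": [("permit", "192.0.2.50/32", "198.51.100.0/24")]
                  + ORIGINAL["Fa0/0"]}

if __name__ == "__main__":
    for name, acls in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, forward(HOST, REMOTE, "Fa0/0", ROUTES, acls))
```
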
