Not able to access different networks traffic on same interface

Unanswered Question
Apr 21st, 2008

I am having problems connecting to different networks which are connected on the same interface.

Port 0/0 - Internet

Port 0/1 - Connected to LAN (member of vlan 1)

Port 0/2 - Connected to Branch Router(member of vlan 1)

Vlan 1 - 192.168.0.1

Branch Router IP address - 192.168.0.4


whenever I want to connected to remote location I have to add manually route on the machine to reach the remote network with 192.168.0.4


Did anyone faced similar issue?

If yes please let me how this can be resolved.

Surprising part is that I am able to ping the remote branch but not able to access any applications/resources.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
pankajppawar Tue, 04/22/2008 - 00:30

Attached is the n/w diagram for better clarity

As you can see, the gateway of the machine is 192.168.0.1 and to reach the 192.0.0.0/16, I have to add route in each machine pointing to 192.168.0.4.



Attachment: 
husycisco Tue, 04/22/2008 - 02:14

Hi Pankaj,

Assuming that 192.168.0.1 is a Cisco router, add the following command in 192.168.0.1


ip route 192.0.0.0 255.255.0.0 192.168.0.4


Regards

husycisco Tue, 04/22/2008 - 03:05

1)Please run the following command in a computer which has the gateway IP of 192.168.0.1, and paste here the result


tracert 192.0.5.5


2)Please run the following command in ASA and paste the results here


packet-tracer input inside tcp 192.168.0.5 3389 192.0.5.5 3389 detailed


and


sh route

wasiimcisco Tue, 04/22/2008 - 04:10

I am assuming that router, firewall and host computer are connected in a share media switch or hub.


U have two ways to achieve your goal, one is add the layer 3 switch and define routes in it, one default route that points towards Firewall 192.168.0.1 that route takes the client to internet and one static route 192.168.0 0 255.255.0.0 which points towards the router interface 192.168.0.4.


If u dont have switch with routing capabilities manually add the route in host computer one default route and on static route that points towards 192.168.0.4.


Please rate if this is helpful

pankajppawar Tue, 04/22/2008 - 20:32

Hi,


I had thought of this earlier.

But somehow I dont find doing this comfortable.

Doing this would mean that ASA is not supporting

"same-security-traffic permit intra-interface" command.

michelcaissie Wed, 04/23/2008 - 09:58

Here, we must understand that the routing capabilities of a ASA is limited compared to a router. Initially a PIX would not allowed a packet to leave an interface on the same

interface that they came in. This was improved by adding the "same-security-traffic permit intra-interface" command, wich i assume you are using. But this does not resolve everything,

because the ASA does not reroute the packet the way a router would , it creates a connection the same way it would if the packet leave the outside interface.Your problem is that

the returning packet doesn't get back to the ASA.


Let see with an example;



192.168.0.100 makes a tcp connection on 192.0.0.100. The SYN hits the ASA wich opens a connection , then route the packet to the MPLS router at 192.168.0.4.

But the returning SYN packet goes directly to the PC 192.168.0.100 because it is Directly Connected to the router. Then the PC sends the ACK to the ASA ( the default gateway)

but it is refused because the ASA never saw the returning SYN . So your TCP connection dies here.




One solution could be to create a sub-interface on the inside interface, configure it on a /22 subnet , put the MPLS router in this subnet and create a static route in the MPLS router for your

inside network. This way it would force all returning traffic to go through the ASA.

Actions

This Discussion