in and out from the same interface of ASA

shibindong · ‎06-02-2008

please find the attached network setup, and we can connect the server from Internet FW, but not from Internal FW, after troubleshooting, it turned out that the traffic from Internal FW to the server will go to server directly without passing through Internet FW, when the traffic passing back from server, it will go to Internet FW first, since there is no session in the FW, the traffic being denied. in the routing table of the firewall, it shows:

"C 172.16.24.0 255.255.255.0 is directly connected, DMZ"

and I want the traffic to server show reach the Internet FW first so I add

" route dmz 172.16.24.22 255.255.255.255 172.16.24.3".

but the testing still not successful, can sB. have the solution for it?

by the way, before I added this route, the deny message is :"2 Jun 03 2008 00:29:58 106001 172.16.24.22 172.16.3.50 Inbound TCP connection denied from 172.16.24.22/443 to 172.16.3.50/1507 flags SYN ACK on interface inside"

after I added this route, I got another error msg:

2 Jun 03 2008 00:29:58 106001 172.16.24.22 172.16.3.50 Inbound TCP connection denied from 172.16.24.22/443 to 172.16.3.50/1507 flags SYN on interface inside"

dave96chi · ‎06-03-2008

Try this command:

same-security-traffic permit inter-interface

Farrukh Haroon · ‎06-03-2008

The second error (NAT related), I've already answered on your other post.

The first error can be resolved using two ways:

1) Add a static route on the server like this:

route add 172.16.3.0 mask 255.255.255.0 172.16.24.1

Preferably with the -p option to make the static route survive reboots

OR

2) Allow the necessary traffic on the inside interface access-list of the Internet_FW. You might also need to do the same on the 'outside' interface of the Intranet_FW.

Please note the second option is the preferred one.

Regards

Farrukh