ASA configuration for internal routing

Unanswered Question
Jun 11th, 2008

Hi everyone,

I've got an ASA5510 (10.0.0.1) which is the gateway for the internal network (10.0.0.0/24). In addition, I've got an additional local network (192.168.0.0/24) which I need to route my internal clients (10.0.0.0/24) to. The local gateway for the 192.168.0.0/24 network is 10.0.0.10, but my ASA device keeps dropping all connections to the 192.168.0.0 network.

I've configured the ASA with the following options:

route inside 192.168.0.0 255.255.255.0 10.0.0.10
access-list inside-access-in extended permit ip 10.0.0.0 255.255.255.0 any
access-list inside-access-in extended permit icmp 10.0.0.0 255.255.255.0 any
access-group inside-access-in in interface inside

I've also got my standard NAT commands, which I don't think are necessary to post.

My question is how can I force the ASA appliance to forward packets to the 192.168.0.0 network?

If any nat commands are required, please include them in your reply.

Many thanks.


Where is this 192.168.0.0/24 network terminating? On the ASA itself? If so, and you don't want to NAT traffic between the two networks, you will need a 'nat 0' statement for those networks and the appropriate ACLs for traffic between those two interfaces, both inbound and outbound.

What are the security levels on each of those interfaces?

Farrukh Haroon Wed, 06/11/2008 - 05:14

You need to add the "same-security-traffic permit intra-interface" command, and you need to be running at least ASA 7.2.x for this to work. Also, if you have dynamic NAT configured or "nat-control" enabled, some NAT rules might need changing, like adding the following:

global (inside) 1 interface

Have a look at:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Regards

Farrukh

JORGE RODRIGUEZ Wed, 06/11/2008 - 05:47

It seems as though Chris's ASA5510 inside network or inside interface is 10.0.0.1 based on his description. It looks as if 192.168.0.0 is routed through 10.0.0.10, judging by the route statement, which is probably an interface on a router having the network 192.168.0.0/24. If this is the case, 192.168.0.0/24 is considered an inside network; but if this is not the case and 192.168.0.0/24 is another interface with the same sec level, Farrukh gave you the answer. Otherwise Chris could possibly provide the ASA5510 interfaces configuration to understand the topology a bit.

Rgds

-Jorge

cpartsenidis Wed, 06/11/2008 - 07:53

Many thanks for your replies guys.

Here's the situation:

Internet-----[ASA5510]10.0.0.1----LAN---10.0.0.10[ROUTER]--192.168.0.0--

All workstations on the LAN use 10.0.0.1 as a gateway. I've also got a new network (192.168.0.0) that's accessible via 10.0.0.10.

I'd like the ASA to route to the 192.168.0.0 network via 10.0.0.10.

Even though I've added all the necessary access lists on the inside interface of the 5510, to ensure packets are not dropped, they are still being denied.

Here's part of the configuration on the ASA:

interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
!
access-list inside-access-in extended permit ip 10.0.0.0 255.255.255.0 any
access-list inside-access-in extended permit icmp 10.0.0.0 255.255.255.0 any
!
!
global (outside) 1
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) 10.0.0.76 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside-access-in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0
route inside 192.168.0.0 255.255.255.0 10.0.0.10 1

I hope that helps.

Cheers,

Amadou TOURE Wed, 06/11/2008 - 08:12

Hello,

Could you provide the inside_nat0_outbound access-list?

You need to allow replies from 192.168.0.0 in the inside-access-in access-list, or add an inspect icmp in your default policy-map for ICMP stateful inspection.

Do you have logs for denied packets?

Depending on whether nat-control is enabled or not, you'll need to add the network 192.168.0.0 to your inside_nat0_outbound access-list.

cpartsenidis Wed, 06/11/2008 - 09:37

Farrukh,

I'm offsite at the moment, but I think your suggested commands will fix the issue. I'll give it a try as soon as I can and update this post.

On another note, the ASA is running 7.0(7), but the command is available. Is that okay?

Regarding the "nat (inside) 0 access-list inside_nat0_outbound", it's only used for the VPN clients, so we can leave it as is.

Cheers,

Farrukh Haroon Wed, 06/11/2008 - 09:56

I'm afraid that will not be OK. The second line of the link I posted earlier reads:

"Software release 7.2 includes the capability to route clear text data in and out of the same interface. "

Before that this command was only applicable if ONE leg of the flow was encrypted (as in one side of the hair-pin).

You have to upgrade the software or redesign your network to change the user's default gateway to the router, or any other solution.

Regards

Farrukh

JORGE RODRIGUEZ Wed, 06/11/2008 - 10:19

Chris, thanks for posting the brief topology description; this helps understand it better.

I do not mean to contradict Farrukh's post in any shape or form, but the topology is clear.

I do not believe same-security-traffic permit intra-interface applies in this scenario, because 192.168.0.0 is not on another interface in the firewall.

Since you have a [ROUTER] connected to the inside network as 10.0.0.10 and behind that router you have the 192.168.0.0/24 network, this network is considered a trusted network hanging off the inside subnet 10.0.0.0/24 by [ROUTER]-10.0.0.10.

There are no access lists required to allow 192.168.0.0/24 to talk to 10.0.0.0/24, but there are some routes that need to be in place.

On your [ROUTER] 10.0.0.10 you must have a route pointing to 10.0.0.1 in order for the 192.168.0.0/24 network to communicate with the ASA5510 inside network.

i.e

ip route 10.0.0.0 255.255.255.0 10.0.0.1

If you need to have 192.168.0.0/24 use internet access through the ASA5510, place a default route in [ROUTER]:

ip route 0.0.0.0 0.0.0.0 10.0.0.1

For the ASA5510:

You already have a route for 192.168.0.0/24:

route inside 192.168.0.0 255.255.255.0 10.0.0.10

Configure the firewall to make it aware that 192.168.0.0/24 is a trusted network coming from the inside interface, i.e.:

asdm location 192.168.0.0 255.255.255.0 inside
nat (inside) 1 192.168.0.0 255.255.255.0

Best Rgds

-Jorge

Amadou TOURE Wed, 06/11/2008 - 10:28

Hi Jorge,

Keep in mind that by default with the ASA, the same traffic can't come in an interface and get out through the same interface.

So same-security-traffic intra-interface is relevant to authorize this in/out traffic flow through the inside interface.

regards

Farrukh Haroon Wed, 06/11/2008 - 10:33

Please don't confuse the "same-security-traffic intra-interface" command with the 'inter-interface' command. In this scenario 'intra-interface' will be required IF the firewall is the default gateway of the end hosts. I set this up for one customer, and since he was running 7.0.x at the time, I had to place a router behind the firewall. 7.2.x was not available, or too new to be deployed in production, back then.

Regards

Farrukh

JORGE RODRIGUEZ Wed, 06/11/2008 - 10:42

Amadou, thanks for the post. I still disagree.

If you look at same-security-traffic intra-interface, its effect is when you have two physical interfaces or subinterfaces on the same firewall with the same security levels and need to allow traffic between them without the use of ACLs.

This is not the case. Chris has a [ROUTER] in the inside interface subnet 10.0.0.0/24; think of the router as being a PC, for the sake of imagination, that has the IP 10.0.0.10.

Now, if 192.168.0.0 were on a different interface configured in the firewall with sec level 0 as the inside interface, then same-security-traffic would apply.

Rgds

-Jorge

Amadou TOURE Wed, 06/11/2008 - 10:53

Hi Jorge,

As Farrukh said, there are two different commands:

same-security-traffic permit inter-interface, introduced in release 7.0(1), is available when you have two different interfaces; and same-security-traffic permit intra-interface, introduced in release 7.2(1), is applicable if you're using the same interface for in/out traffic.

Please refer to the ASA command reference, software version 7.2.

Best regards

JORGE RODRIGUEZ Wed, 06/11/2008 - 11:23

I do apologize. same-security-traffic permit inter-interface allows traffic between different interfaces that have the same sec level, and intra-interface allows in/out traffic on the same interface.

Neither of the two applies in Chris's scenario. I have simulated Chris's topology in our production LAB: one 3550 L3 switch with two VLANs, one for 192.168.0.1 and 10.0.0.10 for the other VLAN, and one ASA5505 with the inside interface as 10.0.0.1.

Simple routing between the two devices, without any intra or inter commands: routing between the two networks by static routes, PAT for 192.168.0.0/24, and it works as expected.

I even gave it the public IP address 63.107.220.60 for RDP, mapped to a test server 192.168.0.100 on the L3 3550 switch, and it works great.

BTW, I don't care whoever RDPs to the pub IP; this is an isolated production LAB, and yes, I get all the Cisco toys I ask for.

-Rgds

Jorge

srue Wed, 06/11/2008 - 11:37

As others have stated, the OP needs to upgrade to 7.2(x) or later.

cpartsenidis Wed, 06/11/2008 - 14:13

The response to this thread has been great and I really appreciate the effort and time spent by everyone.

From what I conclude, Jorge, according to your test, the scenario should work 'as is' without the need for additional commands.

However, Farrukh maintains that the 'intra-interface' command is required for my situation.

Unfortunately, I haven't got access to the equipment right now so I can try it, but I do remember the scenario didn't work using the configuration I posted. If I remember correctly, the syslog messages mentioned that my packets heading from the internal LAN 10.0.0.0 towards the 192.168.0.0 network were denied by the inside-access-in list:

access-list inside-access-in extended permit ip 10.0.0.0 255.255.255.0 any
access-list inside-access-in extended permit icmp 10.0.0.0 255.255.255.0 any
access-group inside-access-in in interface inside

All I was doing is trying to access a network share on a computer in the 192.168.0.0 network.

Closing, quoting Farrukh's recommendation:

'Please don't confuse the "same-security-traffic intra-interface" with the 'inter-interface' command. In this scenario 'intra-interface' will be required IF the firewall is the default gateway of end hosts.' Yes, all internal 10.0.0.0 hosts do in fact have the ASA (10.0.0.1) as their gateway.

I sometimes fail to see why such 'simple' routing requirements can sometimes become a big headache :)

Cheers guys,
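The disagreement in this thread comes down to one routing fact: when the hosts' default gateway is the ASA, a packet for 192.168.0.0/24 arrives on the inside interface and the static route sends it back out of the inside interface to 10.0.0.10. That hairpin is what the ASA drops before 7.2, and what "same-security-traffic permit intra-interface" permits on 7.2 and later. If the hosts used the router as their gateway instead, the ASA would never see the flow. The following Python model is an added illustration written for this page, not Cisco code and not anything posted in the thread; it reproduces the thread's topology and route table and classifies a flow by ingress and egress interface. The dmz and outside subnets, the security levels for dmz/outside, and the default-route next hop are assumptions (the thread shows only the nameif and an elided default route); they use documentation address ranges.

```python
"""Model of the thread's ASA: does a LAN-originated flow hairpin on 'inside'?"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: IPNet
    interface: str
    next_hop: Optional[IPAddr]  # None for a directly connected prefix


# Topology constructed from the thread: inside is 10.0.0.1/24 (level 100) and
# 192.168.0.0/24 sits behind the router at 10.0.0.10. The dmz and outside
# subnets/levels and the default-route next hop are ASSUMED (not in the thread).
ASA_INSIDE_IP = ipaddress.ip_address("10.0.0.1")
INTERFACES = {
    "inside": (ipaddress.ip_network("10.0.0.0/24"), 100),
    "dmz": (ipaddress.ip_network("172.16.1.0/24"), 50),        # assumed
    "outside": (ipaddress.ip_network("203.0.113.0/30"), 0),    # assumed
}
STATIC_ROUTES = [
    # route outside 0.0.0.0 0.0.0.0 <next hop elided in the thread; assumed here>
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside", ipaddress.ip_address("203.0.113.1")),
    # route inside 192.168.0.0 255.255.255.0 10.0.0.10 1
    Route(ipaddress.ip_network("192.168.0.0/24"), "inside", ipaddress.ip_address("10.0.0.10")),
]


def build_rib(interfaces=INTERFACES, static_routes=STATIC_ROUTES):
    """Connected prefixes plus statics, ordered for longest-prefix match."""
    rib = [Route(net, name, None) for name, (net, _level) in interfaces.items()]
    rib.extend(static_routes)
    return sorted(rib, key=lambda r: r.prefix.prefixlen, reverse=True)


def lookup(rib, address):
    """Longest-prefix match; raises if nothing covers the address."""
    addr = ipaddress.ip_address(address)
    for route in rib:
        if addr in route.prefix:
            return route
    raise LookupError(f"no route to {addr}")


def first_hop_from_host(dst, host_gateway, host_subnet="10.0.0.0/24"):
    """Where a LAN host sends the packet: directly if on-link, else its gateway."""
    dst = ipaddress.ip_address(dst)
    if dst in ipaddress.ip_network(host_subnet):
        return dst
    return ipaddress.ip_address(host_gateway)


def asa_verdict(src, dst, *, rib=None, asa_version=(7, 0), intra_permitted=False,
                inter_permitted=False, host_gateway="10.0.0.1"):
    """Classify a LAN-originated flow the way the thread's ASA would treat it.

    Returns one of: 'bypass' (ASA not in the path), 'drop-hairpin',
    'forward-hairpin', 'drop-same-level', 'forward'.
    """
    rib = rib or build_rib()
    if first_hop_from_host(dst, host_gateway) != ASA_INSIDE_IP:
        return "bypass"  # host sends elsewhere (e.g. router is its gateway)
    ingress = lookup(rib, src).interface  # interface facing the source
    egress = lookup(rib, dst).interface   # interface the route points out of
    if ingress == egress:
        # Same ingress and egress interface: the hairpin the thread is about.
        # Per the thread, clear-text hairpinning needs 7.2+ plus the
        # same-security-traffic permit intra-interface command.
        if asa_version >= (7, 2) and intra_permitted:
            return "forward-hairpin"
        return "drop-hairpin"
    in_level = INTERFACES[ingress][1]
    out_level = INTERFACES[egress][1]
    if in_level == out_level and not inter_permitted:
        return "drop-same-level"  # equal levels need 'permit inter-interface'
    return "forward"  # still subject to the interface ACLs and NAT rules


if __name__ == "__main__":
    # Constructed sample host and the thread's 192.168.0.0/24 target
    for kwargs in ({}, {"asa_version": (7, 2), "intra_permitted": True},
                   {"host_gateway": "10.0.0.10"}):
        print(kwargs or "as posted (7.0, no intra-interface)",
              "->", asa_verdict("10.0.0.50", "192.168.0.100", **kwargs))
```

Run as-is, the first line of output is the thread's symptom: the configuration as posted yields a drop on the inside-to-inside hairpin, with no ACL able to rescue it. Upgrading the modelled version to 7.2 and permitting intra-interface traffic forwards the flow, and pointing the hosts at the router as their gateway takes the ASA out of the path entirely, which is the redesign Farrukh mentions. The model only decides the routing question; on a real ASA the forwarded cases are still subject to the access-group ACLs and to NAT (nat-control, the nat/global pairs and nat 0) as the other replies describe.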
