06-26-2008 08:24 AM - edited 03-11-2019 06:05 AM
Hi, here's the scenario:
I have a 5510 as the default gateway for the network, on 172.89.31.1/23.
There is another 5510 on the network on 172.89.31.2; this is the gateway for another network, 172.89.82.0/23.
There is one host behind the second 5510 at 172.89.83.202.
There is a route in the first 5510 to route traffic for the 172.89.82.0 network to 172.89.31.2. This works (eventually, after doing some stuff with the NAT between the two networks) and I can ping between the hosts 172.89.31.19 and 172.89.83.202, so I know that there is a traffic path. However, VNC traffic will not pass, and I get Reset-O in the log.
However, if I put a static route into the client on .19 to route via 172.89.31.2, then the VNC will connect.
I conclude therefore that there are issues with the gateway 5510 on 172.89.31.1, where a rule (or rules) is stopping the traffic passing (even though it should be going into and out of the same interface).
The rules are:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Webmail tcp
port-object eq 32000
object-group network ROP
network-object 172.89.48.0 255.255.254.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group service VNC tcp
port-object eq 5900
access-list IPSecVPN_splitTunnelAcl standard permit 172.89.30.0 255.255.254.0
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside object-group Webmail
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any log debugging inactive
access-list inside_nat0_outbound extended permit ip 172.89.30.0 255.255.254.0 172.89.30.240 255.255.255.240
access-list nonat extended permit ip 172.89.30.0 255.255.254.0 172.89.30.240 255.255.255.240
access-list nonat extended permit ip 172.89.30.0 255.255.254.0 172.89.48.0 255.255.254.0
access-list inside_nat0_outbound_1 extended permit ip 172.89.30.0 255.255.254.0 172.89.30.240 255.255.255.240
access-list inside_nat0_outbound_2 extended permit ip 172.89.30.0 255.255.254.0 172.89.82.0 255.255.254.0
access-list inside_nat0_outbound_2 extended permit ip 172.89.30.0 255.255.254.0 host 172.89.48.23
access-list inside_access_out extended permit tcp any any object-group VNC
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 0 access-list inside_nat0_outbound_2 outside
nat (inside) 10 172.89.30.0 255.255.254.0
static (inside,outside) tcp interface smtp 172.89.31.14 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 32000 172.89.31.14 32000 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 xxx.46.169.22 10
route inside 172.89.48.23 255.255.255.255 172.89.30.2 1
route inside 172.89.82.0 255.255.254.0 172.89.31.2 1
This 5510 (the gateway one) is also acting as an internet gateway and is working fine in that respect. It is just this problem with traffic routed back into the LAN.
Can anyone see where I need to make any changes?
thanks
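The symptom described above (ping works, TCP gets reset, and a host route on the client that bypasses the gateway 5510 fixes it) is the classic signature of an asymmetric path through a stateful firewall: the SYN from .19 hairpins through 172.89.31.1, but the SYN-ACK from .83.202 comes back through 172.89.31.2, which is on the same subnet as .19 and delivers it directly, so the gateway 5510 never sees the handshake complete and drops what follows. The model below is an added illustration, not code from the poster or from Cisco. It assumes that reply path, that the gateway keeps no ICMP state (the posted config permits icmp by ACL and shows no icmp inspection), and it simplifies the ASA's connection table to a single handshake check.

```python
"""Why a hairpinned TCP flow through a stateful firewall fails while ping works.

Constructed model of the thread's topology, not ASA code. Addresses are the
ones in the post; the firewall logic is a deliberate simplification.
"""
from dataclasses import dataclass, field

CLIENT = "172.89.31.19"      # host on the gateway 5510's LAN
GATEWAY_FW = "172.89.31.1"   # default gateway 5510 (stateful)
SECOND_FW = "172.89.31.2"    # second 5510, fronting 172.89.82.0/23
SERVER = "172.89.83.202"     # VNC host behind the second 5510


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "icmp"
    flags: str = ""   # "SYN", "SYN-ACK", "ACK" for tcp; "" for icmp


@dataclass
class StatefulFirewall:
    """Stand-in for the gateway ASA's connection table. Assumption: ICMP is
    only ACL-checked, while TCP must complete a handshake the firewall sees."""
    conns: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def forward(self, pkt):
        if pkt.proto != "tcp":
            return True  # "permit icmp any any" on the page, no state kept
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.conns[fwd] = "SYN_SEEN"  # embryonic connection
            return True
        if pkt.flags == "SYN-ACK":
            if self.conns.get(rev) == "SYN_SEEN":
                self.conns[rev] = "ESTABLISHED"
                return True
        elif "ESTABLISHED" in (self.conns.get(fwd), self.conns.get(rev)):
            return True
        self.dropped.append(pkt)  # no handshake this firewall witnessed
        return False


def path(pkt, client_static_route):
    """Hops a packet crosses. Client->server goes via the gateway 5510 unless
    the client has the static route; server->client always returns through the
    second 5510, which sits on the client's subnet and delivers directly."""
    if pkt.src == CLIENT:
        return [SECOND_FW] if client_static_route else [GATEWAY_FW, SECOND_FW]
    return [SECOND_FW]


def deliver(pkt, fw, client_static_route):
    """True if the packet reaches its destination; only the gateway is stateful."""
    for hop in path(pkt, client_static_route):
        if hop == GATEWAY_FW and not fw.forward(pkt):
            return False
    return True


def tcp_handshake_succeeds(client_static_route):
    fw = StatefulFirewall()
    handshake = [
        Packet(CLIENT, SERVER, "tcp", "SYN"),
        Packet(SERVER, CLIENT, "tcp", "SYN-ACK"),  # never crosses the gateway
        Packet(CLIENT, SERVER, "tcp", "ACK"),      # gateway sees this with no SYN-ACK
    ]
    return all(deliver(p, fw, client_static_route) for p in handshake)


def ping_succeeds(client_static_route):
    fw = StatefulFirewall()
    echo = [Packet(CLIENT, SERVER, "icmp"), Packet(SERVER, CLIENT, "icmp")]
    return all(deliver(p, fw, client_static_route) for p in echo)


if __name__ == "__main__":
    for static in (False, True):
        print(f"client static route={static}: ping={ping_succeeds(static)}, "
              f"tcp={tcp_handshake_succeeds(static)}")
```

The model reproduces the thread's observations: with no host route, ICMP passes but the TCP handshake is dropped at the gateway on the third packet; with the host route, the gateway sees neither direction and the connection completes. The practical lesson is that a stateful firewall has to sit on both directions of a flow. The fixes are a symmetric path (the client host route tested above, or the dedicated router the poster settled on), or, on ASA releases that support it, exempting that specific flow from TCP state checking with `set connection advanced-options tcp-state-bypass` under a class in a policy-map, which trades the stateful check away for that traffic only.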
06-27-2008 12:21 AM
Apparently the 5510 (or PIX) can't do this kind of internal LAN routing, so we will put a router on the network.
Strange, however; I would have thought this was a core requirement.
06-27-2008 02:16 AM
access-list inside_nat0_outbound extended permit ip 172.89.30.0 255.255.254.0 172.89.30.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 172.89.30.240 255.255.255.240 172.89.30.0 255.255.254.0