Need help with static routes on 5510 - not all traffic passes

robinwenham
Level 1

Hi, here's the scenario:

I have a 5510 as the default gateway for the network, on 172.89.31.1/23

There is another 5510 on the network on 172.89.31.2, this is the gateway for another network 172.89.82.0/23.

There is one host behind the second 5510 at 172.89.83.202.

There is a route in the first 5510 to route traffic to the 172.89.82.0 network to 172.89.31.2. This works (eventually - after doing some stuff with the NAT between the two networks) and I can ping between the hosts 172.89.31.19 and 172.89.83.202 so I know that there is a traffic path. However VNC traffic will not pass - and I get Reset-O in the log.

However, if I put a static route into the client on .19 to route via 172.89.31.2 then the VNC will connect.

I conclude therefore that there are issues with the gateway 5510 on 172.89.31.1, where a rule (or rules) is stopping the traffic passing (even though it should be going into and out of the same interface).

The rules are:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Webmail tcp
port-object eq 32000
object-group network ROP
network-object 172.89.48.0 255.255.254.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group service VNC tcp
port-object eq 5900
access-list IPSecVPN_splitTunnelAcl standard permit 172.89.30.0 255.255.254.0
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside object-group Webmail
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any log debugging inactive
access-list inside_nat0_outbound extended permit ip 172.89.30.0 255.255.254.0 172.89.30.240 255.255.255.240
access-list nonat extended permit ip 172.89.30.0 255.255.254.0 172.89.30.240 255.255.255.240
access-list nonat extended permit ip 172.89.30.0 255.255.254.0 172.89.48.0 255.255.254.0
access-list inside_nat0_outbound_1 extended permit ip 172.89.30.0 255.255.254.0 172.89.30.240 255.255.255.240
access-list inside_nat0_outbound_2 extended permit ip 172.89.30.0 255.255.254.0 172.89.82.0 255.255.254.0
access-list inside_nat0_outbound_2 extended permit ip 172.89.30.0 255.255.254.0 host 172.89.48.23
access-list inside_access_out extended permit tcp any any object-group VNC
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 0 access-list inside_nat0_outbound_2 outside
nat (inside) 10 172.89.30.0 255.255.254.0
static (inside,outside) tcp interface smtp 172.89.31.14 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 32000 172.89.31.14 32000 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 xxx.46.169.22 10
route inside 172.89.48.23 255.255.255.255 172.89.30.2 1
route inside 172.89.82.0 255.255.254.0 172.89.31.2 1

This 5510 (the gateway one) is also acting as an internet gateway and is working fine in that respect. It is just this problem with traffic routed back into the LAN.

Can anyone see where I need to make any changes?

thanks

2 Replies

robinwenham
Level 1

Apparently the 5510 (or PIX) can't do this kind of internal LAN routing, so we will put a router on the network.

Strange, however; I would have thought this was a core requirement.

a.alekseev
Level 7

access-list inside_nat0_outbound extended permit ip 172.89.30.0 255.255.254.0 172.89.30.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 172.89.30.240 255.255.255.240 172.89.30.0 255.255.254.0
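The reply above pairs an existing NAT-exemption entry with its reverse direction. When traffic is hairpinned in and out of one ASA interface, a one-directional exemption is an easy thing to miss in a long config, so the following script, an added example that is not part of this thread and not Cisco's own tooling, parses pre-8.3 style `access-list NAME extended permit ip SRC MASK DST MASK` lines (including `any` and `host X`) and reports entries whose reverse is absent from the same ACL. It also answers, for a given pair of hosts, whether that ACL exempts the flow in both directions. The embedded config is constructed from the lines posted in the thread plus the reply's proposed entry; object-group and port-based ACEs are deliberately skipped.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[Net, Net]

# Constructed sample: nat-exemption lines from the thread plus the reverse entry
# proposed in the reply. The "inside_access_in" line is included only to show
# that an any/any entry is its own reverse.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 172.89.30.0 255.255.254.0 172.89.30.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 172.89.30.240 255.255.255.240 172.89.30.0 255.255.254.0
access-list inside_nat0_outbound_2 extended permit ip 172.89.30.0 255.255.254.0 172.89.82.0 255.255.254.0
access-list inside_nat0_outbound_2 extended permit ip 172.89.30.0 255.255.254.0 host 172.89.48.23
access-list inside_access_in extended permit ip any any
access-list inside_access_out extended permit tcp any any object-group VNC
"""

# Only plain "permit ip" ACEs are handled; tcp/udp/object-group lines are ignored.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+?)\s*$")


def _parse_endpoint(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one address spec ('any', 'host A', or 'A MASK') and return
    it as an IPv4Network together with the unconsumed tokens."""
    head = tokens[0]
    if head == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if head == "host":
        return Net(f"{tokens[1]}/32"), tokens[2:]
    # Classic ASA syntax: address followed by a dotted netmask.
    return Net(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ip_aces(config: str) -> Dict[str, List[Ace]]:
    """Group the 'permit ip' ACEs of a config dump by ACL name."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2).split()
        src, rest = _parse_endpoint(rest)
        dst, _ = _parse_endpoint(rest)
        acls.setdefault(name, []).append((src, dst))
    return acls


def asymmetric_entries(aces: List[Ace]) -> List[Ace]:
    """Return every (src, dst) ACE whose mirror (dst, src) is not in the ACL."""
    present = set(aces)
    return [(s, d) for (s, d) in aces if (d, s) not in present]


def exempted_both_ways(aces: List[Ace], a: str, b: str) -> bool:
    """True if some ACE covers a->b and some ACE covers b->a."""
    ha, hb = ipaddress.ip_address(a), ipaddress.ip_address(b)
    forward = any(ha in s and hb in d for s, d in aces)
    reverse = any(hb in s and ha in d for s, d in aces)
    return forward and reverse


def report(config: str) -> List[str]:
    """One line per ACE that lacks its reverse, formatted for reading."""
    lines = []
    for name, aces in parse_ip_aces(config).items():
        for s, d in asymmetric_entries(aces):
            lines.append(f"{name}: {s} -> {d} has no matching {d} -> {s}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
    acls = parse_ip_aces(SAMPLE_CONFIG)
    # Hosts from the thread: the client on .19 and the host behind the second 5510.
    print("inside_nat0_outbound_2 exempts 172.89.31.19 <-> 172.89.83.202 both ways:",
          exempted_both_ways(acls["inside_nat0_outbound_2"], "172.89.31.19", "172.89.83.202"))
```

Run it against a full `show running-config` dump and treat each reported line as a review item rather than an automatic fix: some one-way exemptions are intentional, but any flow that must hairpin through a single interface should show up as exempted in both directions.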
