2124 Views, 0 Helpful, 6 Replies

ASA5505 -- inside interface routing

swb
Level 1

I have two networks behind my ASA 5505 inside interface -- 192.168.1.0/24 is directly connected, but 192.168.200.0/24 is connected via router. I added a route to 192.168.200.0/24 in the ASA, and I can browse web sites and initiate PPTP sessions to an internet-connected PPTP server.

But if I try to get from 192.168.200.0/24 to 192.168.1.0/24, my outbound packets get to 192.168.1.0/24 (I did a packet capture), but my replies from 192.168.1.0/24 to 192.168.200.0/24 never get there and the ASA logs "regular translation creation failed for icmp src inside:192.168.1.x dst inside:192.168.200.1".

I've tried a NAT exemption, but all that does is change the error to "no translation group found".

Is there any way to allow the ASA to route packets off its internal interface without translation?

6 Replies

Add the command 'same-security-traffic permit intra-interface' to route traffic in and out of the same interface.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

HTH

Sundar

I already have that command enabled.

jeff_groesbeck
Level 1

Hello. This sounds like a common problem that I see. It sounds like the router you are mentioning has an interface on the 192.168.1.0/24 network, correct? Also, you have a route in the ASA to the 192.168.200.0/24 network through the IP address of the router that is on the 192.168.1.0/24 network.

It sounds like the traffic from the 200.x net is getting to the router, the router has a directly connected interface to 1.x and sends the traffic out on the wire. The 1.x host then tries to respond, but doesn't have its own route to the 200.x net, so it sends it to its default gateway (the ASA on the 1.x net). The problem is, the ASA will not support ICMP redirect. ICMP redirect is what allows a host to 're-learn' the route to a subnet through another path. If the ASA were a router in this instance, it would send a 'redirect' to the 1.x host telling it that the 200.x host was actually reachable through the router and not the ASA. All subsequent traffic would go through the router. Since the ASA does not support this (security reasons), the host can't actually reach the 200.x subnet.

The best way to fix this is to put a default route on the router that points to the ASA (Internet hosts, etc...) and point your 1.x hosts to the router as their default gateway. All Internet traffic will be ICMP redirected to the ASA and all 200.x traffic will go to the appropriate interface of the router. Anyway, if you have any other questions, please ask.

Thank you,

Jeff
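Added example (not from any poster in this thread): a small routing model of the path problem Jeff describes above. Every node forwards by longest prefix match; the ASA node never sends ICMP redirects, so a 192.168.1.x host that uses the ASA as its default gateway hands every reply for 192.168.200.0/24 to the ASA, which then has to send it back out the inside interface. The hostnames, the 192.168.1.2 router address, the 203.0.113.0/30 outside link and the 198.51.100.5 Internet target are all constructed, and the ASA's `permits_hairpin` flag stands in for "intra-interface traffic permitted and a NAT rule or exemption exists for the flow".

```python
"""Added example, not part of the thread: a routing model of the asymmetric
path Jeff describes. All addresses and names are constructed."""
import ipaddress as ipa


class Node:
    def __init__(self, name, addrs, routes=(), default=None,
                 sends_redirects=True, permits_hairpin=True):
        self.name = name
        self.ifaces = [ipa.ip_interface(a) for a in addrs]
        self.routes = [(ipa.ip_network(p), ipa.ip_address(nh)) for p, nh in routes]
        self.default = ipa.ip_address(default) if default else None
        self.sends_redirects = sends_redirects   # False for the ASA
        # For the ASA this stands for "intra-interface permitted AND a NAT rule
        # or exemption covers the flow"; without both the ASA drops the packet.
        self.permits_hairpin = permits_hairpin
        self.redirects = {}                      # dst -> next hop learned via ICMP redirect

    def iface_for(self, ip):
        """Interface whose subnet contains ip, or None."""
        return next((i for i in self.ifaces if ip in i.network), None)

    def next_hop(self, dst):
        if dst in self.redirects:
            return self.redirects[dst]
        if self.iface_for(dst) is not None:      # directly connected: send to dst itself
            return dst
        matches = [r for r in self.routes if dst in r[0]]
        if matches:
            return max(matches, key=lambda r: r[0].prefixlen)[1]
        return self.default


def trace(nodes, src, dst, max_hops=8):
    """Forward one packet from node `src` toward address `dst`.
    Returns (list of node names visited, verdict string)."""
    dst = ipa.ip_address(dst)
    owner = {i.ip: n for n in nodes.values() for i in n.ifaces}
    cur, prev_ip, path = nodes[src], None, [src]
    for _ in range(max_hops):
        if any(i.ip == dst for i in cur.ifaces):
            return path, "delivered"
        nh = cur.next_hop(dst)
        if nh is None:
            return path, f"{cur.name}: no route to {dst}"
        egress = cur.iface_for(nh)
        if egress is None:
            return path, f"{cur.name}: next hop {nh} is not on a connected subnet"
        if prev_ip is not None and cur.iface_for(prev_ip) == egress:
            # The packet would leave through the interface it arrived on.
            if not cur.permits_hairpin:
                return path, f"{cur.name}: hairpin to {nh} not permitted"
            if cur.sends_redirects:
                # Simplified ICMP redirect: the previous hop learns the better next hop.
                owner[prev_ip].redirects[dst] = nh
        if nh not in owner:
            return path, f"{cur.name}: forwarded to {nh} (outside the model)"
        prev_ip, cur = egress.ip, owner[nh]
        path.append(cur.name)
    return path, "hop limit exceeded"


def op_topology(asa_hairpin_ok):
    """The poster's layout: hosts default to the ASA, which has a static route
    to 192.168.200.0/24 via the inside router (constructed as 192.168.1.2)."""
    return {n.name: n for n in [
        Node("host1", ["192.168.1.10/24"], default="192.168.1.1"),
        Node("asa", ["192.168.1.1/24", "203.0.113.2/30"],
             routes=[("192.168.200.0/24", "192.168.1.2")], default="203.0.113.1",
             sends_redirects=False, permits_hairpin=asa_hairpin_ok),
        Node("router", ["192.168.1.2/24", "192.168.200.1/24"], default="192.168.1.1"),
        Node("host200", ["192.168.200.10/24"], default="192.168.200.1"),
    ]}


def jeff_topology():
    """Jeff's fix: hosts default to the router; the router defaults to the ASA
    and redirects Internet-bound hosts straight to it."""
    nodes = op_topology(asa_hairpin_ok=False)
    nodes["host1"].default = ipa.ip_address("192.168.1.2")
    return nodes


if __name__ == "__main__":
    for label, nodes in [("ASA without NAT for the flow", op_topology(False)),
                         ("ASA with intra-interface + NAT", op_topology(True)),
                         ("hosts default to the router", jeff_topology())]:
        print(label)
        print("  200 -> 1  :", *trace(nodes, "host200", "192.168.1.10"))
        print("  1 -> 200  :", *trace(nodes, "host1", "192.168.200.10"))
        print("  1 -> inet :", *trace(nodes, "host1", "198.51.100.5"))
        print("  1 -> inet :", *trace(nodes, "host1", "198.51.100.5"), "(again)")
```

The first topology reproduces the poster's symptom: the 200.x to 1.x packet arrives, the reply reaches the ASA and is dropped there as a hairpin. The second shows that with intra-interface traffic permitted and NAT handled, the reply does get through, but every reply still transits the ASA because it never redirects the host. The third is Jeff's layout, where the router redirects the host's first Internet-bound packet and the host reaches the ASA directly from then on.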

I thought about that, as well as the idea of just adding a static route to the 192.168.200.0/24 network on the 3-4 hosts affected (very small network).

The former solution, making the inside router the default router, unfortunately won't work. I lied to simplify the situation -- the 192.168.200.0/24 network is actually assigned to PPTP clients from another firewall, and the route to .200 is actually via this other firewall. Since this firewall is *also* connected to the internet, making it the default router effectively eliminates the ASA (also a solution itself, but not one I want).

I think there may be some other NAT issue. Attached is the packet-trace output.

I looked into this some more. It looks like I was wrong and the ASA/PIX will allow this traffic after 7.2x something. Anyway, sorry about that. Just been stuck in how it 'used' to work. How did you do your NAT exemption?

Thanks,

Jeff

Olivier Jessel
Level 1

Have you tried to set the NAT acl like this:

global (inside) 1 interface

nat (inside) 1 access-list nat_for_internal_net

access-list nat_for_internal_net extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0

route inside 192.168.200.0 255.255.255.0 192.168.1.x 1

where x is the IP of the router on this subnet

Be careful to use an unused number for the global NAT... I wrote 1 but it's only an example.

CCIE #44658
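Added example (not from any poster in this thread, and not a Cisco tool): a small lint for a pre-8.3 ASA configuration that reports which of the pieces discussed in this thread are missing for traffic that has to enter and leave the same interface, i.e. `same-security-traffic permit intra-interface`, a `route inside` entry for the remote network, and either a NAT exemption (`nat (inside) 0 access-list`) or, as Olivier suggests, a numbered `nat (inside) N access-list` with a matching `global (inside) N interface`. It understands only those command forms. The sample configurations are constructed, and 192.168.1.2 stands in for the poster's inside router.

```python
"""Added example, not the thread's own text: lint a pre-8.3 ASA config for the
pieces a same-interface (hairpin) flow needs. Sample configs are constructed."""
import ipaddress as ipa


def _addr(t, i):
    """Parse an ACL address starting at token t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipa.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipa.ip_network(t[i + 1]), i + 2
    return ipa.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse(config):
    cfg = {"intra": False, "routes": [], "acl": {}, "nat": [], "global": set()}
    for line in config.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:3] == ["same-security-traffic", "permit", "intra-interface"]:
            cfg["intra"] = True
        elif t[0] == "route" and len(t) >= 5:
            # route <iface> <net> <mask> <gateway> [metric]
            cfg["routes"].append((t[1], ipa.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            cfg["acl"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and "access-list" in t:
            # nat (<iface>) <id> access-list <name>; id 0 is NAT exemption
            cfg["nat"].append((t[1].strip("()"), t[2], t[t.index("access-list") + 1]))
        elif t[0] == "global" and len(t) >= 3:
            cfg["global"].add((t[1].strip("()"), t[2]))
    return cfg


def check_hairpin(config, iface, src, dst):
    """Findings for src -> dst traffic that enters and leaves `iface`.
    An empty list means every piece this lint knows about is present."""
    cfg = parse(config)
    src, dst = ipa.ip_network(src), ipa.ip_network(dst)
    findings = []
    if not cfg["intra"]:
        findings.append("missing 'same-security-traffic permit intra-interface'")
    if not any(i == iface and dst.subnet_of(net) for i, net, _ in cfg["routes"]):
        findings.append(f"no 'route {iface}' entry covering {dst}")

    def acl_matches(name):
        return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in cfg["acl"].get(name, []))

    matched = [pool for nat_if, pool, acl in cfg["nat"] if nat_if == iface and acl_matches(acl)]
    if not matched:
        findings.append(f"no nat ({iface}) rule whose access-list matches {src} -> {dst}")
    for pool in matched:
        # A numbered nat needs a global on the egress interface; nat 0 does not.
        if pool != "0" and (iface, pool) not in cfg["global"]:
            findings.append(f"nat ({iface}) {pool} has no 'global ({iface}) {pool}' to translate into")
    return findings


# Constructed sample configs (192.168.1.2 is a stand-in for the inside router).
OLIVIER_STYLE = """\
same-security-traffic permit intra-interface
access-list nat_for_internal_net extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
global (inside) 1 interface
nat (inside) 1 access-list nat_for_internal_net
route inside 192.168.200.0 255.255.255.0 192.168.1.2 1
"""

EXEMPTION_STYLE = """\
same-security-traffic permit intra-interface
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat
route inside 192.168.200.0 255.255.255.0 192.168.1.2 1
"""

ROUTE_ONLY = """\
same-security-traffic permit intra-interface
route inside 192.168.200.0 255.255.255.0 192.168.1.2 1
"""

if __name__ == "__main__":
    flow = ("inside", "192.168.1.0/24", "192.168.200.0/24")
    for label, cfg in [("Olivier's PAT to interface", OLIVIER_STYLE),
                       ("NAT exemption", EXEMPTION_STYLE),
                       ("route only", ROUTE_ONLY)]:
        print(label, "->", check_hairpin(cfg, *flow) or "ok")
```

Running it against the three samples gives "ok" for Olivier's configuration and for the NAT-exemption variant, and a single finding (no NAT rule for the flow) for the route-only configuration, which matches the poster's first error. Dropping the `global (inside) 1 interface` line from Olivier's version produces the "no global" finding, which is the mistake his closing note warns about.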