09-15-2008 12:08 PM - edited 03-11-2019 06:44 AM
Dear all
From the attached image you will find I am trying to ping the IP 192.168.1.1 from the PC 192.168.0.10 but I cannot. From the firewall I can ping the whole network but from the users I cannot ping any IP from the subnet 192.168.1.0/24.
Please find the attached image and configuration.
Thanks,
09-15-2008 01:21 PM
Use :
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 norandom nailed
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 norandom nailed
same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1
Please rate if helps.
Regards,
Sushil
09-15-2008 12:19 PM
Use the the 192.168.0.1 device as the primary layer 3 routing device instead of the firewall.
Change the default GW of the PC to 192.168.0.1
Add a static ip route in the 192.168.0.1 device:-
ip route 0.0.0.0 0.0.0.0 192.168.0.5
It will work better and will do what you want.
HTH
09-18-2008 12:10 AM
Dear Sushil
Thank you very much for your help, it works fine.
Could you please explain the 5 commands, why you used the static NAT, and why you used it with the firewall's own local subnet 192.168.0.0?
What about this command (sysopt noproxyarp inside)?
Thanks,
09-18-2008 04:35 AM
One-arm routing/U-Turning-

                     -------
                     | ASA |
                     -------192.168.1.1
                        |
                        |
              --------  192.168.1.0/24 n/w
          ----|Switch|----
          |   --------   |
          |              |
    192.168.1.10     -------192.168.1.2(F0)
        host         |Router|
                     -------192.168.2.1(F1)
                        |
              --------------------
              |192.168.2.0/24 n/w|
              --------------------
                        |
                   192.168.2.10
                       host
Refer to above topology-
ASA Inside interface: 192.168.1.1
ASA Inside interface n/w: 192.168.1.0/24
Internal router F0 interface: 192.168.1.2
Internal router F1 interface: 192.168.2.1
Network behind router: 192.168.2.0/24
Gateway IP of router: 192.168.1.1
Gateway of 192.168.1.0/24 n/w: 192.168.1.1
Gateway of 192.168.2.0/24 n/w: 192.168.2.1
Requirement-
192.168.1.0/24 and 192.168.2.0/24 networks should be able to talk each other.
Hence, access to both networks should be available in both directions.
Command Set 1
=============
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
same-security-traffic permit intra-interface
Please note that only these 3 commands are *NOT* a solution and will disrupt
services on 192.168.1.0/24 network.
Command Set 2
=============
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 norandom nailed
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 norandom nailed
same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1
Why would command set 1 cause issues? Using following static command:
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
We are telling firewall to proxyarp for any IP address in 192.168.1.0/24 network.
Now if host 192.168.1.10 needs to talk to 192.168.1.20, it would do an ARP for
192.168.1.20. In this case, this ARP request would reach both the firewall inside
interface as well as the actual host 192.168.1.20. Both will respond with their
own MAC address. Now it depends which response gets to 192.168.1.10 first. If it
receives the response from the firewall first, communication will not work; only if it
receives the response from the actual host first would communication work. Hence, you
would face intermittent issues in the internal network.
We had to use the norandom nailed option along with the failover timeout -1 command to enable
asymmetric routing for these networks when sending traffic to a same-interface destination.
This is required as the response for some requests would not be seen by the firewall and,
if stateful filtering is on, communication would be dropped by the firewall.
Please rate if the explanation is helpful. :)
Regards,
Sushil
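A defender-side check for the symptom Sushil describes above (two devices answering ARP for the same host once the firewall proxy-ARPs for the inside subnet), added here as an example and not taken from the thread or from Cisco: it scans tcpdump-style ARP replies for IPs claimed by more than one MAC. The capture lines, the simplified line format and the MAC addresses (including the assumed ASA inside MAC) are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed MAC of the ASA inside interface (constructed for this example).
FIREWALL_MAC = "00:aa:bb:cc:dd:01"

# Constructed sample capture in a simplified `tcpdump -e` style, not from the thread.
# 192.168.1.10 asks for 192.168.1.20 and gets two replies: one from the firewall
# (proxy ARP from the static (inside,inside) line) and one from the real host.
SAMPLE_CAPTURE = """\
12:00:01.000 00:11:22:33:44:0a > ff:ff:ff:ff:ff:ff, ARP, Request who-has 192.168.1.20 tell 192.168.1.10
12:00:01.001 00:aa:bb:cc:dd:01 > 00:11:22:33:44:0a, ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:01
12:00:01.002 00:11:22:33:44:14 > 00:11:22:33:44:0a, ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:14
12:00:02.000 00:11:22:33:44:0a > ff:ff:ff:ff:ff:ff, ARP, Request who-has 192.168.1.1 tell 192.168.1.10
12:00:02.001 00:aa:bb:cc:dd:01 > 00:11:22:33:44:0a, ARP, Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:01
"""

ARP_REPLY = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})")


def arp_responders(capture):
    """Map each IP seen in an ARP reply to the set of MACs that claimed it."""
    responders = defaultdict(set)
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            responders[m.group(1)].add(m.group(2))
    return responders


def conflicting_ips(capture, firewall_mac=None):
    """Return {ip: sorted MACs} for IPs answered by more than one MAC.

    With firewall_mac set, only conflicts where the firewall is one of the
    responders are kept: that is the proxy-ARP race the explanation describes.
    The firewall answering alone for its own address (192.168.1.1) is normal.
    """
    conflicts = {}
    for ip, macs in arp_responders(capture).items():
        if len(macs) < 2:
            continue
        if firewall_mac is not None and firewall_mac not in macs:
            continue
        conflicts[ip] = sorted(macs)
    return conflicts


if __name__ == "__main__":
    for ip, macs in conflicting_ips(SAMPLE_CAPTURE, FIREWALL_MAC).items():
        print(f"{ip} answered by {len(macs)} MACs: {', '.join(macs)}")
```

Run against a real capture from the inside VLAN (for example `tcpdump -e -n arp`), the same check shows whether `sysopt noproxyarp inside` has actually stopped the firewall from competing with hosts for their own addresses.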
09-15-2008 07:36 PM
You could also make two subinterfaces on the inside interface, call them for example inside1 and inside2, give each one its own security level and IP addressing, and configure a static NAT on the firewall pointing to each network through the corresponding subinterface,
and do normal NATing between the interfaces.
Good luck.
If helpful, rate.