Routing the traffic in the same interface to a branch router

amady3381
Level 1

Dear all

From the attached image you will find I am trying to ping the IP 192.168.1.1 from the PC 192.168.0.10 but I cannot. From the firewall I can ping the whole network but from the users I cannot ping any IP from the subnet 192.168.1.0/24.

Please find the attached image and configuration.

Thanks,


5 Replies

andrew.prince
Level 10

Use the 192.168.0.1 device as the primary layer 3 routing device instead of the firewall.

Change the default GW of the PC to 192.168.0.1

Add a static IP route in the 192.168.0.1 device:

ip route 0.0.0.0 0.0.0.0 192.168.0.5

It will work better and will do what you want.

HTH

suschoud
Cisco Employee

Use :

static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 norandom nailed

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 norandom nailed

same-security-traffic permit intra-interface

sysopt noproxyarp inside

failover timeout -1

Please rate if it helps.

Regards,

Sushil

Dear Sushil

Thank you very much for your help, it works fine.

Could you please explain the 5 commands, why you used the static NAT, and why you used it with the local subnet 192.168.0.0 of the firewall?

What about this command (sysopt noproxyarp inside)?

Thanks,

One-arm routing/U-Turning

        -------
        | ASA |
        -------192.168.1.1
           |
           |
   --------192.168.1.0/24 n/w
   ----|Switch|----
   |   --------   |
   |              |
192.168.1.10   -------192.168.1.2(F0)
    host       |Router|
               -------192.168.2.1(F1)
                  |
         --------------------
         |192.168.2.0/24 n/w|
         --------------------
                  |
             192.168.2.10
                 host

Refer to the above topology:

ASA inside interface: 192.168.1.1
ASA inside interface n/w: 192.168.1.0/24
Internal router F0 interface: 192.168.1.2
Internal router F1 interface: 192.168.2.1
Network behind router: 192.168.2.0/24
Gateway IP of router: 192.168.1.1
Gateway of 192.168.1.0/24 n/w: 192.168.1.1
Gateway of 192.168.2.0/24 n/w: 192.168.2.1

Requirement:

192.168.1.0/24 and 192.168.2.0/24 networks should be able to talk to each other. Hence, access to both networks should be available in both directions.

Command Set 1

=============

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

same-security-traffic permit intra-interface

Please note that these 3 commands alone are *NOT* a solution and will disrupt services on the 192.168.1.0/24 network.

Command Set 2

=============

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 norandom nailed

static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 norandom nailed

same-security-traffic permit intra-interface

sysopt noproxyarp inside

failover timeout -1

Why would command set 1 cause issues? Using the following static command:

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

we are telling the firewall to proxy ARP for any IP address in the 192.168.1.0/24 network. Now if host 192.168.1.10 needs to talk to 192.168.1.20, it would do an ARP for 192.168.1.20. In this case, this ARP request would reach both the firewall inside interface and the actual host 192.168.1.20. Both will respond with their own MAC address. Now it depends which response gets to 192.168.1.10 first. If it receives the response from the firewall first, communication will not work; only if it receives the response from the actual host first would communication work. Hence, you would face intermittent issues in the internal network.

We had to use the norandom nailed option along with the failover timeout -1 command to enable asymmetric routing for these networks when sending traffic to a same-interface destination. This is required as the response to some requests would not be seen by the firewall and, if stateful filtering is on, communication would be dropped by the firewall.

Please rate if the explanation is helpful. :)

Regards,

Sushil
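As an added illustration (not code from the original thread, from Cisco, or from Sushil), here is a small Python model of the two behaviours described in the reply above: the ARP race that Command Set 1 creates when the ASA proxy ARPs for its own inside subnet, and the asymmetric return path that makes a strict stateful firewall drop the flow unless the connection is treated as nailed. All hosts, MAC addresses and packets are constructed sample values, and the tracker is a deliberately simplified stand-in for the ASA connection table, not its real logic. For context, norandom (short for norandomseq) disables TCP initial sequence number randomisation on the translation, which would otherwise also break a flow whose return leg never passes through the firewall.

```python
"""Model of two failure modes on a one-armed ASA inside segment (constructed data).

Part 1: proxy-ARP race. With 'static (inside,inside)' for the local subnet and
proxy ARP still enabled on inside, the ASA answers ARP for every address in
192.168.1.0/24, so a host gets two replies and caches whichever lands first.

Part 2: asymmetric return path. The request goes host -> ASA -> router, but the
router replies to the host directly, so a strict stateful tracker never sees the
reverse direction and drops the rest of the flow unless the connection is nailed.
"""
from dataclasses import dataclass
import ipaddress
import random

SUBNET = ipaddress.ip_network("192.168.1.0/24")

# Constructed MAC addresses for the devices on the inside segment.
MACS = {
    "192.168.1.1": "00:aa:00:00:00:01",   # ASA inside interface
    "192.168.1.2": "00:aa:00:00:00:02",   # internal router F0
    "192.168.1.10": "00:aa:00:00:00:10",  # requesting host
    "192.168.1.20": "00:aa:00:00:00:20",  # neighbouring host
}
ASA_MAC = MACS["192.168.1.1"]


def arp_replies(target_ip, proxy_arp_inside):
    """MAC addresses that answer an ARP request for target_ip on the segment."""
    replies = []
    owner_mac = MACS.get(target_ip)
    if owner_mac:
        replies.append(owner_mac)  # the real owner always answers
    # Proxy ARP left on (Command Set 1): the ASA also answers for every address
    # covered by the intra-interface static, except its own interface address.
    if (proxy_arp_inside and owner_mac != ASA_MAC
            and ipaddress.ip_address(target_ip) in SUBNET):
        replies.append(ASA_MAC)
    return replies


def resolve(target_ip, proxy_arp_inside, rng):
    """The requester caches the first reply to arrive; arrival order is timing luck."""
    replies = arp_replies(target_ip, proxy_arp_inside)
    rng.shuffle(replies)
    return replies[0]


def arp_failure_rate(target_ip, proxy_arp_inside, trials=1000, seed=1):
    """Fraction of resolutions that cache a MAC other than the real owner's."""
    rng = random.Random(seed)
    wrong = sum(resolve(target_ip, proxy_arp_inside, rng) != MACS[target_ip]
                for _ in range(trials))
    return wrong / trials


@dataclass
class Packet:
    src: str
    dst: str
    flags: str      # "SYN", "SYN-ACK", "ACK" or "DATA"
    via_asa: bool   # False when the packet never reaches the firewall


class StatefulTracker:
    """Minimal TCP state tracker. A flow is ESTABLISHED only after the firewall has
    seen both the SYN and the matching SYN-ACK. nailed=True stands in for
    'norandom nailed' with 'failover timeout -1': the per-flow state check is skipped."""

    def __init__(self, nailed=False):
        self.nailed = nailed
        self.state = {}  # (client, server) -> "SYN_SENT" | "ESTABLISHED"

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for a packet that arrives at the ASA."""
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.state[fwd] = "SYN_SENT"
            return "forward"
        if pkt.flags == "SYN-ACK" and self.state.get(rev) == "SYN_SENT":
            self.state[rev] = "ESTABLISHED"
            return "forward"
        if self.nailed or "ESTABLISHED" in (self.state.get(fwd), self.state.get(rev)):
            return "forward"
        return "drop"


def run_flow(nailed):
    """Host 192.168.1.10 opens a TCP session to 192.168.2.10 via the ASA; the
    router on the same segment returns traffic to the host directly."""
    asa = StatefulTracker(nailed=nailed)
    flow = [  # constructed handshake plus one data segment
        Packet("192.168.1.10", "192.168.2.10", "SYN", via_asa=True),
        Packet("192.168.2.10", "192.168.1.10", "SYN-ACK", via_asa=False),
        Packet("192.168.1.10", "192.168.2.10", "ACK", via_asa=True),
        Packet("192.168.1.10", "192.168.2.10", "DATA", via_asa=True),
    ]
    return [(p.flags, asa.inspect(p) if p.via_asa else "bypassed") for p in flow]


if __name__ == "__main__":
    print("ARP wrong-MAC rate, proxy ARP on :", arp_failure_rate("192.168.1.20", True))
    print("ARP wrong-MAC rate, proxy ARP off:", arp_failure_rate("192.168.1.20", False))
    print("strict tracker:", run_flow(nailed=False))
    print("nailed        :", run_flow(nailed=True))
```

With proxy ARP on, the requester caches the ASA's MAC in roughly half of the resolutions, which is the intermittent behaviour described in the reply; sysopt noproxyarp inside removes the second responder and the rate falls to zero. The strict tracker forwards the SYN but drops the host's ACK and data because it never saw the SYN-ACK, while the nailed tracker forwards the same packets, which is the asymmetric-routing case the norandom nailed and failover timeout -1 commands address.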

Marwan ALshawi
VIP Alumni
VIP Alumni

You could also make two subinterfaces on the inside interface, call them for example inside1 and inside2, and put each one with its security level and IP addressing, and a static NAT on the firewall pointing to each network through the corresponding subinterface,

and make normal NATing between interfaces.

Good luck.

If helpful, rate.
