12-09-2008 09:43 PM - edited 03-11-2019 07:23 AM
Hi, I have a problem and I hope to find a solution.
I have my LAN connected to an ASA inside interface 10.57.1.250. In my LAN I have a DNS server that knows where an internal web application (10.240.142.84) is; it is in another branch connected by a router (10.57.1.253). The PCs have IPs in 10.57.1.0 255.255.255.0 with default gateway 10.57.1.250. That way the PC doesn't know how to reach the web application (10.240.142.84): zero activity in the ASDM log. So I tried with a route in the ASA:
route inside 10.240.142.84 255.255.255.255 10.57.1.253 1
With this I get activity in ASDM with a ping from PC 10.57.1.240, showing:
Deny inbound icmp src inside 10.57.1.240 dst inside 10.240.142.84 (type:8, code:0)
This is part of my configuration:
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any
global (outside) 1 X.X.X.X netmask 255.255.255.255
nat (inside) 1 10.57.1.0 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0
nat (DMZ) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 190.144.146.17 2
route inside 10.240.142.84 255.255.255.255 10.57.1.253 1
Please help!!!!!
12-09-2008 10:38 PM
ICMP is a separate protocol, so perhaps you should try
access-list inside_access_in extended permit icmp any any; but I guess this should not affect the access of the webserver from the desktops.
I would recommend you put the routing on the router rather than on the firewall: configure the specific subnets on the router pointing to your branches and then a default route in it pointing to the firewall. The desktops would have the router as their default gateway.
12-10-2008 02:20 AM
Hi there,
try this:
1) conf t
2) icmp permit (lan ip) (mask) inside
HTH
12-10-2008 03:59 AM
Hello Andres,
global (outside) 1 X.X.X.X netmask 255.255.255.255
nat (inside) 1 10.57.1.0 255.255.255.0
"nat (inside) 0 0.0.0.0 0.0.0.0" --> You tell the firewall NOT! to NAT ANY! traffic from inside. This command will make the commands above it PASSIVE; they will be useless.
I once made a very detailed explanation about that issue in this forum before, but couldn't find it to give you a link. So I will explain again, less detailed for time's sake.
For example, PC 10.57.1.202 wants to connect to 10.240.142.84, so it forwards the request to its gateway 10.57.1.250, the ASA. The ASA checks its routing table and sees that it has to forward that packet, which came in on the inside interface, out the same interface again. This behaviour is denied by default. First, allow this behaviour by typing "same-security-traffic permit intra-interface".
Now the ASA correctly forwards the packet to 10.57.1.253 with a source IP of 10.57.1.202 in the packet. The router receives the packet and delivers it to 10.240.142.84, all fine. Now the return traffic destined to 10.57.1.202 will depart from the router. BUT! Since the router has a "connected route" because it is connected to the same segment (10.57.1.0), it will send the packet directly to 10.57.1.202, while it should send the packet to the ASA and then the ASA to 10.57.1.202. This is called "asymmetrical routing", which results in the traffic being dropped at the client side in the case of TCP (ping will work correctly), since the response doesn't come back from the host (the ASA) that is defined in the session table waiting for the SYN ACK. To correct this issue, you have to PAT the traffic as follows so the return traffic will always hit the ASA.
Do the following modifications:
access-list PNat permit ip 10.57.1.0 255.255.255.0 10.240.142.0 255.255.255.0
no global (outside) 1 X.X.X.X netmask 255.255.255.255
no nat (inside) 1 10.57.1.0 255.255.255.0
nat (inside) 1 access-list PNat
global (inside) 1 interface
nat (inside) 5 10.57.1.0 255.255.255.0
global (outside) 5 X.X.X.X netmask 255.255.255.255
Remove the following; they are useless since traffic from a higher security level interface to a lower one is permitted by default:
no access-list inside_access_in extended permit ip any any
no access-list inside_access_in extended permit tcp any any
no access-list inside_access_in extended permit tcp any eq www any
no access-group inside_access_in in interface inside
For permitting PINGs, use inspection:
policy-map global_policy
class inspection_default
inspect icmp
"nat (DMZ) 0 0.0.0.0 0.0.0.0" Unless your DMZ interface and clients are placed in a public IP range, they won't be able to connect to the internet or the outside interface with this command. Post here if you are having connectivity issues with your DMZ.
Regards
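The three pitfalls the last reply walks through (a catch-all "nat 0" that silences the other nat statements, a nat ID with no matching global, and a route that hairpins traffic back out the inside interface without intra-interface traffic being permitted) can be checked mechanically. The following lint script is an added example, not code from the thread or from Cisco; it works on a constructed 8.2-style config fragment and the regexes assume the "nat (if) id ..." / "global (if) id ..." / "route if ..." line shapes shown in this thread.

```python
import re

# Constructed config fragment modelled on the thread (not a real device's config).
SAMPLE_CONFIG = """
nat (inside) 1 access-list PNat
global (inside) 1 interface
nat (inside) 5 10.57.1.0 255.255.255.0
global (outside) 1 X.X.X.X netmask 255.255.255.255
nat (inside) 0 0.0.0.0 0.0.0.0
route inside 10.240.142.84 255.255.255.255 10.57.1.253 1
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
ROUTE_RE = re.compile(r"^route (\S+) ")
INTRA = "same-security-traffic permit intra-interface"


def lint_asa_nat(config: str) -> list[str]:
    """Return one finding per NAT/routing problem discussed in the thread."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    nats, globals_by_id = [], {}
    for line in lines:
        m = NAT_RE.match(line)
        if m:
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_by_id.setdefault(int(m.group(2)), set()).add(m.group(1))

    findings = []
    for iface, nat_id, rest in nats:
        # A non-zero nat ID needs a global with the same ID, or nothing is translated.
        if nat_id != 0 and nat_id not in globals_by_id:
            findings.append(f"nat ({iface}) {nat_id}: no 'global' with ID {nat_id}; "
                            "traffic will not be translated")
        # Identity NAT 0 for 0.0.0.0/0 exempts everything, making the other nats passive.
        if nat_id == 0 and rest.startswith("0.0.0.0 0.0.0.0"):
            findings.append(f"nat ({iface}) 0 0.0.0.0 0.0.0.0 exempts all {iface} "
                            f"traffic; other nat ({iface}) statements are ineffective")

    # A route back out 'inside' hairpins traffic, which the ASA drops unless permitted.
    has_intra = INTRA in lines
    for line in lines:
        m = ROUTE_RE.match(line)
        if m and m.group(1) == "inside" and not has_intra:
            findings.append(f"'{line}' hairpins inside traffic but '{INTRA}' is missing")
    return findings
```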