07-14-2009 09:00 AM - edited 03-11-2019 08:54 AM
I have a client that has an ASA that has routes to remote locations that point to another firewall on the LAN. So the clients default to the ASA and then the ASA should route traffic for the remote locations to the other firewall.
This creates the hair pinning issue which is remedied by the 'same-security-traffic permit intra-interface' command.
However, the traffic is getting nowhere and the logs keep giving the "portmap translation creation failed" message. I have tried a no nat on the inside interface but that does nothing. Does anyone know how to fix this issue?
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.40 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/0
description Flow Internet Connection
switchport access vlan 2
!
interface Ethernet0/1
description LAN Connection
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host x.x.x.x eq www
access-list outside_access_in extended permit tcp any host x.x.x.x eq 65100
access-list outside_access_in extended permit tcp any host x.x.x.x eq ftp-data
access-list outside_access_in extended permit tcp any host x.x.x.x eq ftp
access-list outside_access_in extended permit tcp any host x.x.x.x eq www
access-list outside_access_in extended permit tcp any host x.x.x.x eq 800
pager lines 24
logging enable
logging timestamp
logging buffered warnings
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.35 www netmask 255.255.255.255
static (inside,outside) tcp interface 65100 192.168.1.35 65100 netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.9 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.9 ftp netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.1.34 netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 10.10.3.0 255.255.255.0 10.10.1.4 1
route inside 10.10.4.0 255.255.255.0 10.10.1.4 1
route inside 10.10.7.0 255.255.255.0 10.10.1.4 1
route inside 192.168.2.0 255.255.255.0 10.10.1.6 1
route inside 192.168.10.0 255.255.255.0 10.10.1.6 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
07-14-2009 10:16 AM
I searched the forum before I posted and I'm still searching to find an answer, but I get the feeling that there is no way to fix this problem, no matter which nat rules are used. I'm gonna be red-faced at the client tomorrow.
Is there a fix???
07-14-2009 12:02 PM
Pasted the wrong routes:
route inside 10.10.3.0 255.255.255.0 192.168.1.10 1
route inside 10.10.4.0 255.255.255.0 192.168.1.10 1
route inside 10.10.7.0 255.255.255.0 192.168.1.10 1
route inside 192.168.2.0 255.255.255.0 192.168.1.10 1
route inside 192.168.10.0 255.255.255.0 192.168.1.10 1
07-14-2009 02:30 PM
Finally got the following commands to fix the problem. I am no ASA expert, but I think it had something to do with return traffic going directly to the host instead of through the ASA, so when the client replies the ASA was unable to find a translation.
global (inside) 1 interface
static (inside,inside) 10.10.3.0 10.10.3.0 netmask 255.255.255.0
static (inside,inside) 10.10.4.0 10.10.4.0 netmask 255.255.255.0
static (inside,inside) 10.10.7.0 10.10.7.0 netmask 255.255.255.0
Hope this helps someone in the future.
07-16-2009 09:48 AM
Sorry guys, spoke too soon. Traffic only works in one direction, and I got the following error, which makes sense:
%ASA-6-106015: Deny TCP (no connection) from 10.10.1.19/3389 to 10.10.3.2/49159 flags SYN ACK on interface inside
If a client from the head office initiates a connection to a remote location, the traffic has to go through the firewall and, based on the configuration, the firewall would send the request using its IP address, so the return traffic would have to be sent back to the firewall.
However, if the traffic is initiated from the remote location (which it should be), it will go directly to the host because the router is on the same LAN as the host and would not need to send that traffic to the firewall, so when the host responds and sends the traffic to the firewall it will deny it because it had no prior connection built. This is the default behaviour of the firewall and as far as I am concerned there is no way around it.
A layer 3 switch, making the router the gateway, or connecting the router to the ASA on a different VLAN are the only ways to alleviate this problem in my opinion. Any ASA expert care to weigh in?
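Added example (not from the original poster or any reply in this thread): the %ASA-6-106015 deny above is the classic asymmetric-routing symptom, and besides the three topology fixes listed, the ASA has a software workaround for exactly this case, TCP state bypass, which tells the ASA to forward TCP packets that match a class even when no connection was built by a SYN it saw. It is available from ASA 8.2(1) onward; the asdm-524.bin image in the posted config indicates a 7.2-era release, so the box would need upgrading first. The remote subnets below are taken from the corrected routes in the thread; matching them against "any" on the other side is an assumption, and a real deployment should narrow it to the head-office subnets.

```cisco
! Traffic that may arrive at the ASA mid-connection because the remote
! router (192.168.1.10) and the head-office hosts share the inside LAN.
! Both directions are listed so the hosts' replies (e.g. 10.10.1.19/3389
! -> 10.10.3.2/49159) and any hairpinned requests both match.
access-list tcp_bypass extended permit tcp any 10.10.3.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.10.3.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp any 10.10.4.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.10.4.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp any 10.10.7.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.10.7.0 255.255.255.0 any
!
class-map tcp_bypass
 match access-list tcp_bypass
!
! Only the matched class loses TCP state checking; everything else on
! the inside interface keeps normal stateful inspection.
policy-map inside_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy inside_policy interface inside
!
! Still required for the hairpin itself (already in the posted config):
same-security-traffic permit intra-interface
```

Two caveats a practitioner should weigh before using this. First, bypassed flows get no TCP normalization, sequence-number checking, or application inspection, so the ACL must stay as tight as possible; this is a deliberate reduction in what the firewall verifies, not a free fix. Second, with nat-control enabled the hairpinned packets still need a translation or an exemption (the static (inside,inside) identity entries, or a nat (inside) 0 access-list exemption) or the "portmap translation creation failed" message from the first post comes back. If the ASA cannot be upgraded, the poster's own list stands: make the remote-site router the hosts' gateway for those subnets, move it behind a separate VLAN/interface so both directions traverse the ASA, or route between the LANs on a layer 3 switch.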