problem using same-security-traffic permit intra-interface in inside Interf

wilverav05
Level 1

Hi

I have a problem using same-security-traffic permit intra-interface on an ASA5505. Although I enable "same-security-traffic permit intra-interface", the TCP connection still can't be built up, but ICMP is no problem.

I can't make a TCP connection from 10.8.103.100 to 10.8.111.103, but I can ping from 10.8.103.100 to 10.8.111.103, so the routing should be no problem.

PC 10.13.1.10 can't configure a subnet route for 192.168.1.0/24 via 10.13.1.201; only a default route is configured, to 10.13.1.254.

interface eth2
 nameif inside
 security-level 100
 ip address 10.8.103.53 255.255.255.0 standby 10.8.103.54
same-security-traffic permit intra-interface
access-list inside-in extended permit ip any any
route inside 10.8.111.0 255.255.255.0 10.8.103.5 1

Log:

access-list gcot_acl line 49 extended permit tcp host 10.8.111.103 eq telnet 10.8.103.100 255.255.255.0 (hitcnt=16) 0x9fe49e6b
Oct 04 2008 17:46:41: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags SYN ACK on interface gcot
Oct 04 2008 17:46:43: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags ACK on interface gcot
Oct 04 2008 17:46:43: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags SYN ACK on interface gcot
Oct 04 2008 17:46:47: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags ACK on interface gcot
Oct 04 2008 17:46:47: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags SYN ACK on interface gcot
Oct 04 2008 17:46:55: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags ACK on interface gcot
Oct 04 2008 17:46:55: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags SYN ACK on interface gcot

What configuration am I missing? Please advise; your help is much appreciated, thanks.

6 Replies

acomiskey
Level 10

This should get it going, but may not be exactly what you want.

nat (inside) 1 0 0
global (inside) 1 interface

Thank you

But is that translation needed?

The functionality should be a redirect of the traffic on the inside interface.

You wouldn't need it if this were a router.

You can also do:

static (inside,inside) 10.8.0.0 10.8.0.0 netmask 255.255.0.0

What is your setup like? Because no matter what configuration you put on the firewall, it won't work otherwise: all traffic must flow through the firewall in order for it to work.

I would like to know if the "same-security-traffic permit intra-interface" command in the ASA firewall can supplement the redirect functionality of a router?

suschoud
Cisco Employee

One-arm routing/U-Turning:

            -------
            | ASA |
            -------192.168.1.1
               |
               |
            --------192.168.1.0/24 n/w
        ----|Switch|----
        |   --------   |
        |              |
  192.168.1.10      -------192.168.1.2(F0)
      host          |Router|
                    -------192.168.2.1(F1)
                       |
              --------------------
              |192.168.2.0/24 n/w|
              --------------------
                       |
                  192.168.2.10
                      host

Refer to the above topology:

ASA inside interface: 192.168.1.1
ASA inside interface n/w: 192.168.1.0/24
Internal router F0 interface: 192.168.1.2
Internal router F1 interface: 192.168.2.1
Network behind router: 192.168.2.0/24
Gateway IP of router: 192.168.1.1
Gateway of 192.168.1.0/24 n/w: 192.168.1.1
Gateway of 192.168.2.0/24 n/w: 192.168.2.1

Requirement:

The 192.168.1.0/24 and 192.168.2.0/24 networks should be able to talk to each other. Hence, access to both networks should be available in both directions.

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 norandom nailed
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 norandom nailed
same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1

Why would command set 1 cause issues? Using the following static command:

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

we are telling the firewall to proxy-ARP for any IP address in the 192.168.1.0/24 network. Now if host 192.168.1.10 needs to talk to 192.168.1.20, it would do an ARP for 192.168.1.20. In this case, this ARP request would reach both the firewall inside interface and the actual host 192.168.1.20. Both will respond with their own MAC address. Now it depends which response gets to 192.168.1.10 first. If it receives the response from the firewall first, communication will not work; only if it receives the response from the actual host first would communication work. Hence, the customer would face intermittent issues in his internal network.

We had to use the norandom nailed option along with the failover timeout -1 command to enable asymmetric routing for these networks when sending traffic to a same-interface destination. This is required as the response for some requests would not be seen by the firewall and, if stateful filtering is on, communication would be dropped by the firewall.
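As an added example (not code from the thread or from Cisco), the following Python groups the %ASA-6-106015 "Deny TCP (no connection)" lines from the original post by flow and flags the flows where the server's SYN/ACK was denied, which is the signature of the ASA never having built state from the client's SYN: the asymmetric-path condition acomiskey ("all traffic must flow through the firewall") and the last paragraph above describe. The sample log is a constructed trimmed copy of the poster's lines; function names and the hint text are mine.

```python
import re
from collections import defaultdict

# Constructed sample: three of the 106015 lines from the original post.
SAMPLE_LOG = """\
Oct 04 2008 17:46:41: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags SYN ACK on interface gcot
Oct 04 2008 17:46:43: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags ACK on interface gcot
Oct 04 2008 17:46:43: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags SYN ACK on interface gcot
"""

LINE_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)

def parse_106015(text):
    """Yield one dict per 106015 line; lines of any other message id are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["flags"] = frozenset(ev["flags"].split())
            yield ev

def find_asymmetric_flows(text):
    """Group denied packets by 4-tuple and report flows whose denied packets
    include a SYN/ACK: the reply half of a handshake the ASA has no state for."""
    flows = defaultdict(lambda: {"denied": 0, "synack": 0, "ifcs": set()})
    for ev in parse_106015(text):
        f = flows[(ev["src"], ev["sport"], ev["dst"], ev["dport"])]
        f["denied"] += 1
        f["ifcs"].add(ev["ifc"])
        if {"SYN", "ACK"} <= ev["flags"]:
            f["synack"] += 1
    findings = []
    for (src, sport, dst, dport), f in flows.items():
        if f["synack"]:
            findings.append({
                "server": f"{src}:{sport}", "client": f"{dst}:{dport}",
                "interfaces": sorted(f["ifcs"]), "denied": f["denied"],
                "synack_retries": f["synack"],
                # Defender's reading: the SYN never created a connection entry,
                # so either it bypassed the ASA or the hairpin/NAT path is wrong.
                "hint": "SYN/ACK denied without a connection: the client SYN "
                        "never built state; check the forward path for " + dst,
            })
    return findings
```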
