07-31-2009 05:08 AM - edited 03-11-2019 09:01 AM
Hi
I have a problem using same-security-traffic permit intra-interface on an ASA5505. Although I enabled "same-security-traffic permit intra-interface", the TCP connection still can't be built up, but ICMP is no problem.
I can't make the TCP connection from 10.8.103.100 to 10.8.111.103, but I can ping from 10.8.103.100 to 10.8.111.103, the routing should be no problem.
PC 10.13.1.10 can't configure subnet route for 192.168.1.0/24 via 10.13.1.201, only default route is configured to 10.13.1.254.
interface eth2
nameif inside
security-level 100
ip address 10.8.103.53 255.255.255.0 standby 10.8.103.54
same-security-traffic permit intra-interface
access-list inside-in extended permit ip any any
route inside 10.8.111.0 255.255.255.0 10.8.103.5 1
Log
access-list gcot_acl line 49 extended permit tcp host 10.8.111.103 eq telnet 10.8.103.100 255.255.255.0 (hitcnt=16) 0x9fe49e6b
Oct 04 2008 17:46:41: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags SYN ACK on interface gcot
Oct 04 2008 17:46:43: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags ACK on interface gcot
Oct 04 2008 17:46:43: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags SYN ACK on interface gcot
Oct 04 2008 17:46:47: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags ACK on interface gcot
Oct 04 2008 17:46:47: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags SYN ACK on interface gcot
Oct 04 2008 17:46:55: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags ACK on interface gcot
Oct 04 2008 17:46:55: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags SYN ACK on interface gcot
What configuration am I missing? Please advise, your help is much appreciated, thanks.
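As an added illustration (not code from the post), here is a small parser for the %ASA-6-106015 lines quoted above that groups the denied packets per flow and flags the pattern visible in the log: the firewall only ever sees the server's SYN ACK / ACK half of the handshake, never the client's SYN, which is the signature of the forward traffic bypassing the firewall. The sample input is copied from the post plus one constructed non-106015 line.

```python
import re
from collections import defaultdict

# Sample input: four of the %ASA-6-106015 lines quoted in the post, plus one
# constructed non-106015 line to show that unrelated messages are skipped.
SAMPLE_LOG = """\
Oct 04 2008 17:46:41: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags SYN ACK on interface gcot
Oct 04 2008 17:46:43: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags ACK on interface gcot
Oct 04 2008 17:46:43: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags SYN ACK on interface gcot
Oct 04 2008 17:46:47: %ASA-6-106015: Deny TCP (no connection) from 10.8.111.103/23 to 10.8.103.100/40962 flags ACK on interface gcot
Oct 04 2008 17:46:50: %ASA-6-302014: Teardown TCP connection 12345 (constructed line, skipped)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-106015: "
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)$"
)

def parse_106015(text):
    """Return one dict per 106015 line; flags become a frozenset like {'SYN','ACK'}."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["flags"] = frozenset(d["flags"].split())
            events.append(d)
    return events

def asymmetric_flows(events, min_replies=2):
    """Group denies per 4-tuple and report flows where the ASA dropped the server's
    SYN ACK (and later ACKs) because it never built a connection entry for the
    client's SYN: the forward half of the flow did not traverse the firewall."""
    flows = defaultdict(lambda: {"syn_ack": 0, "ack": 0, "iface": None})
    for e in events:
        f = flows[(e["src"], e["sport"], e["dst"], e["dport"])]
        f["iface"] = e["iface"]
        if {"SYN", "ACK"} <= e["flags"]:
            f["syn_ack"] += 1
        elif e["flags"] == {"ACK"}:
            f["ack"] += 1
    return [
        {"server": f"{k[0]}:{k[1]}", "client": f"{k[2]}:{k[3]}",
         "interface": v["iface"], "denied_replies": v["syn_ack"] + v["ack"]}
        for k, v in flows.items()
        if v["syn_ack"] and v["syn_ack"] + v["ack"] >= min_replies
    ]
```

Run against a full syslog export, a non-empty result lists the server/client pairs whose return path hits the ASA while the request path does not.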
07-31-2009 05:43 AM
This should get it going, but may not be exactly what you want.
nat (inside) 1 0 0
global (inside) 1 interface
07-31-2009 08:15 AM
Thank you
But is that translation needed?
The functionality should be a redirect of the traffic on the inside interface.
07-31-2009 09:06 AM
You wouldn't need it if this were a router.
You can also do..
static (inside,inside) 10.8.0.0 10.8.0.0 netmask 255.255.0.0
07-31-2009 11:36 AM
What is your setup like? Because no matter what configuration you put on the firewall, it won't work. All traffic must flow through the firewall in order for it to work.
08-03-2009 02:03 PM
I would like to know if the "same-security-traffic permit intra-interface" command on the ASA firewall can supplement the functionality of a router redirect?
08-03-2009 02:05 PM
One-arm routing/U-Turning-

                -------
                | ASA |
                -------192.168.1.1
                   |
                   |
            --------192.168.1.0/24 n/w
       ----|Switch|----
       |   --------   |
       |              |
192.168.1.10      -------192.168.1.2(F0)
    host          |Router|
                  -------192.168.2.1(F1)
                     |
             --------------------
             |192.168.2.0/24 n/w|
             --------------------
                     |
                192.168.2.10
                    host
Refer to above topology-
ASA Inside interface: 192.168.1.1
ASA Inside interface n/w: 192.168.1.0/24
Internal router F0 interface: 192.168.1.2
Internal router F1 interface: 192.168.2.1
Network behind router: 192.168.2.0/24
Gateway IP of router: 192.168.1.1
Gateway of 192.168.1.0/24 n/w: 192.168.1.1
Gateway of 192.168.2.0/24 n/w: 192.168.2.1
Requirement-
192.168.1.0/24 and 192.168.2.0/24 networks should be able to talk to each other.
Hence, access to both networks should be available in both directions.
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 norandom nailed
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 norandom nailed
same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1
Why would command set 1 cause issues? Using the following static command:
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
we are telling the firewall to proxy-ARP for any IP address in the 192.168.1.0/24 network. Now if host 192.168.1.10 needs to talk to 192.168.1.20, it would do an ARP for 192.168.1.20. In this case, this ARP request would reach both the firewall inside interface as well as the actual host 192.168.1.20. Both will respond with their own MAC address. Now it depends which response gets to 192.168.1.10 first. If it receives the response from the firewall first, communication will not work; only if it receives the response from the actual host first would communication work. Hence, the customer would face intermittent issues in his internal network.
We had to use the norandom nailed option along with the failover timeout -1 command to enable asymmetric routing for these networks when sending traffic to a same-interface destination. This is required as the response for some requests would not be seen by the firewall and, if stateful filtering is on, communication would be dropped by the firewall.
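As an added example (not from the answer above), a configuration check for the proxy-ARP problem the answer describes: it parses old-style `static (real_if,mapped_if) mapped real netmask mask` lines and the inside interface address, and flags any static whose mapped range overlaps the connected subnet of the mapped-side interface, unless `sysopt noproxyarp` is set for that interface. The config is constructed from the addresses in the answer; the interface name `Vlan1` is an assumption.

```python
import ipaddress
import re

# Constructed sample config: the inside interface from the topology above plus
# the two static (inside,inside) commands from the answer, without noproxyarp.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 norandom nailed
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 norandom nailed
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped>[\d.]+) "
    r"(?P<real>[\d.]+) netmask (?P<mask>[\d.]+)(?P<opts>.*)$")

def interface_subnets(config):
    """Map nameif -> directly connected subnet by walking 'interface' blocks."""
    subnets, nameif, addr = {}, None, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            nameif = addr = None
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("ip address "):
            ip, mask = s.split()[2:4]          # tolerates a trailing 'standby x.x.x.x'
            addr = ipaddress.ip_interface(f"{ip}/{mask}").network
        if nameif and addr:
            subnets[nameif] = addr
    return subnets

def proxy_arp_conflicts(config):
    """Return (static line, interface, mapped net) for statics whose mapped range
    overlaps the wire the ASA will proxy-ARP on: real hosts there will race the
    firewall's ARP reply, unless 'sysopt noproxyarp <if>' disables it."""
    subnets = interface_subnets(config)
    noproxy = set(re.findall(r"^sysopt noproxyarp (\w+)", config, re.M))
    findings = []
    for m in (STATIC_RE.match(l.strip()) for l in config.splitlines()):
        if not m:
            continue
        mapped_if = m["mapped_if"]
        mapped_net = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
        wire = subnets.get(mapped_if)
        if wire and mapped_net.overlaps(wire) and mapped_if not in noproxy:
            findings.append((m.group(0), mapped_if, str(mapped_net)))
    return findings
```

The 192.168.2.0/24 static is not flagged because no host of that subnet sits on the inside wire, so only the firewall answers those ARPs, which is the intended hairpin behaviour.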