ASA routing

Unanswered Question
Jun 3rd, 2010
User Badges:

I have dual firewalls on either end of my DMZ and would like for my DMZ hosts to serve up content to both internal and public users. My issue is that I'm not sure how to simplify the routing.

I have my DMZ host with a default gateway of the public firewall (, per the diagram) which allows it to serve up pages externally. I am currently using static routes defined on the DMZ host (ie. route has a gateway of which works fine. I'd like to do away with static routes and have the public firewall reroute the traffic. Traffic from the DMZ host to the internal network should, in my mind, travel:
DMZ Host (
Default Gateway ( / public firewall)

Inside firewall (

Inside host (192.168.1.x)

How do I go about setting this up?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Thu, 06/03/2010 - 12:10
User Badges:
  • Green, 3000 points or more


To be able to allow the ASA to reroute traffic backout the same interface in which it received it you need this:

same-security-traffic permit intra-interface

If routing is correct, then when the internet-facing firewall receives from the ''inside'' interface traffic intended to the internal LAN, then it will u-turn the traffic and reroute it back to the ''inside'' interface (same interface in which it received the traffic).

Is this what you're looking for?


gregbeifuss Thu, 06/03/2010 - 13:29
User Badges:

I should have mentioned that I already have the same-security-traffic permit intra-interface statement in my configuration.

When I use the packet tracer, the packet is dropped during a NAT phase by the rpf-check.

Federico Coto F... Thu, 06/03/2010 - 13:32
User Badges:
  • Green, 3000 points or more

Perhaps when the traffic reaches the ASA, there's a NAT rule and the ASA is expecting a corresponding NAT rule to translate that IP.

I see two options to try:

NAT the traffic, i.e

nat (outside) 1 IP_of_DMZ_server

global (outside) 1 interface

Or, disable NAT Control?


Federico Coto F... Thu, 06/03/2010 - 14:02
User Badges:
  • Green, 3000 points or more

Also, on previous releases there was a limitation with u-turning the traffic because it was only used on encrypted traffic.

For example, to terminate the VPN tunnel and then redirect it either trough another tunnel (encrypted) or in the clear to the Internet.

I have not tested myself if it works now on receiving clear text and sending it back as clear text.


gregbeifuss Fri, 06/04/2010 - 07:41
User Badges:

Thanks for your comment on the u-turning not working properly. No matter which NAT rule I write, the rpf-check drops me everytime. I'm using 8.2.2 and I'll just leave in the static route entries for now.


This Discussion