Hi halijenn / kusankar / Magnus
I have a query related to ASA 5505 Packet flow . I was encountering an issue the other day and below is the topology .Though the issue has been resolved i want to know the exact packet flow as to when the ASA will behave as a switchport and when it will behave as layer 3 .Below is the case for Asymmetric routing issue . My query is that when packet from the user (10.0.0.0) is going towards the 3825 , how exactly ASA treats it (as in the packet capture there were no request to ASA i.e no SYN packet ? ) ; however when the FTP Server replies back , ASA will do a route lookup for 10.0.0.0 Network .Does this means that with 3825 and FTP Server being in the same VLAN , ASA will act as L2 Device for the initial ICMP Echo packet towards FTP Server and as L3 Device while replying back.Please correct me if i am wrong as i want to understand that though U Turning resolved this issue , i want to understand the exact packet flow .
Internal --------CoreSw----3825-----ASA ----- Internet
1) FTP Server (172.30.10.22) and 3825 (connected to ASA Ethernet0/1) are in the same VLAN (vlan1 - nameif inside) . Cust not able to access ftp server from the inside of the ASA 10.0.22.0 network ; however able to ping from 3825 .The FTP server is connected to the e0/2 port of ASA , which is also in vlan 1.
2) I have put captures on ASA and saw only reply from FTP server, but ASA never saw ping request.The ping request was timing out . Please note that i was not able to initiate ICMP from FTP Server as the customer doesnot have access to it and it was not possible as it is in another location .
3) Thought it to be an asymmetric routing issue and gave the appropriate commands of U-Turning and the same worked
4) After that was able to ping FTP Server from the inside IP
1) FTP Server is publically visible for the outside world .
ip address 172.30.10.21 255.255.255.248
ospf cost 10
ospf authentication null
router ospf 1
network 172.30.10.21 255.255.255.255 area 0
area 0 range 172.30.10.16 255.255.255.248
default-information originate always
4) global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 <Next hop of ASA>
You are correct in that you were experiencing Asymmetric routing. For the
communication between the 3825 and FTP server, the firewall was acting as a
Switchport. Both devices are connected at L2 level and can communicate
seamlessly (Also, you need to remember that 3825 and FTP server share same
IP address range). When you tried to communicate from your inside subnet
(10.0.0.0) to the FTP server, the packets hit 3825 first and the 3825
forwarded the packets directly to the FTP server at L2 (since 3825 has an
ARP entry for FTP server, it did delivered the packets at Layer 2). However,
the return traffic is the problem. The default gateway of the FTP server is
the firewalls VLAN 1 interface. When the FTP server was ready to transmit
return packet, it did a destination lookup and found that the destination is
not on its local subnet. So, as per routing rules, it had to send the
traffic to its default gateway. When the traffic hit the ASA's VLAN 1
interface, the ASA inspected the packet and concluded that this could be an
attack as it has not seen the original request, but it is seeing only
responses. So, it blocked the packet.
So, in a nutshell, the 5505 acts as a switch when communicating between
hosts on the same VLAN and source IP/destination IP are also on the same
VLAN. It will apply firewall rules when the destination originated for the
traffic from the VLAN is outside that VLAN and traffic hits ASA's interface
Hope this helps.