ASA 5520 Intra-interface routing

Aug 18th, 2010

Hello,


I am kinda new to firewalls and what I'm trying to do is the following:


Old situation:

One subnet for everything, ASA 5520 INSIDE 192.168.0.241 > 3560 192.168.0.240 > Several 2950 on 192.168.0.x


New situation:

ASA 5520 INSIDE 192.168.0.241 >>> 3560 192.168.0.240/2.1/5.1 (IP ROUTING enabled) >TRUNK> 2950 with 192.168.5.10 and a client with 192.168.2.100


So:

-ASA 5520 > 3560 > Several 2950 (some in different subnets)

-I added subnets 192.168.2.x and .5.x (vlan 2/5, with IPs of .1) to the 3560 which is trunked with a 2950 that runs those 2 subnets.

-Everything in the 192.168.0.x subnet has as default gateway the ASA Inside interface (0.241).

-The new 2950 / Client have as default gateway the 3560 (5.1 and client 2.1).

-3560 has an ip route 0.0.0.0 0.0.0.0 192.168.0.241

-ASA has ip routes to 192.168.2.0 > 192.168.0.240 and 192.168.5.0 > 192.168.0.240 (which is the ip of the 3560).


I can access the internet fine (added PAT) but I cannot ping from a host in the 0.x to the 2.x etc. From the 2.100 client I can only ping the 3560 / ASA / internet but not a single other 0.x address on the network.


Now someone told me that I cannot route traffic back on the same interface as it goes out on, but I don't think this is true. He suggested I change all my default gateways to the 3560 IP address and yes this will probably solve it and might be the best solution, but I got curious now.


-I got an inside ACL that says from any source to any less secured network. Can anyone tell me if putting this to any any will solve my problems?

-Even if this works, should I still consider changing all my default gateways to the 3560 instead of the firewall?

-Or should I consider doing the inter-vlan routing on the firewall instead of the 3560?


I hope it's a bit clear and if not please let me know.


Thanks,

Ralph

praprama (Cisco Employee) Wed, 08/18/2010 - 01:25

Hi,


> Now someone told me that i cannot route traffic back on the same interface as it goes out on


Whoever told you that is true in a sense because that is indeed the default behavior of the ASA. In order to allow that, you will need the command:


same-security-traffic permit intra-interface


Also, since you have an access-list on the ASA's interface, you will also need to allow traffic from the 0.x to 2.x subnet explicitly.


Now, if we look at the packet flow when a host say 0.10 tries to ping 2.100, this first goes to the ASA, then to the 3560 and 2950 and then finally to the 2.100 host. When this host sends the reply, this packet is going to go to the 2950, the 3560 and then to the 0.10 host directly and does not go to the ASA. Hence, the ASA sees only one direction of traffic and not both (Asymmetric Routing). Assuming we don't have "inspect icmp", then because of this, we will be able to ping successfully but none of the TCP connections will work fine because of 2 reasons:


1) ASA randomizes sequence numbers.

2) ASA does a statefulness check for every TCP packet.


We need to disable the above two features as well on the ASA for this particular flow. Prior to 8.2, this is done using a static command as below:


static (in,in) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 norandomseq nailed

failover timeout -1


From 8.2 onwards, we will need to do this using MPF. The two actions we will need are


set connection advanced-options tcp-state-bypass; and

set connection random-sequence-number disable


The below 2 links will give you more information about the above 2 commands:


http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045


Let me know if this helps. All the best!!


Thanks and Regards,

Prapanch
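A worked version of the 8.2+ MPF approach described in the answer above, added here as an example and not configuration from the thread. The ACL, class-map and policy-map names are assumptions; the subnets and the inside interface come from Ralph's question. The bypass is scoped to the two asymmetric subnets only, in both directions (a 2.x-initiated session also reaches the ASA on one leg only), so every other flow through the ASA keeps full TCP inspection.

```cisco
! Added example, not from the thread. Names INSIDE_IN, TCP_BYPASS,
! tcp_bypass and tcp_bypass_policy are placeholders.
!
! 1. Allow traffic to enter and leave the same interface (dropped by default).
same-security-traffic permit intra-interface
!
! 2. The inside interface ACL must permit the 0.x <-> 2.x / 5.x traffic explicitly.
!    INSIDE_IN stands for whatever ACL is already applied to the inside interface.
access-list INSIDE_IN extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list INSIDE_IN extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
!
! 3. Match only the TCP flows the ASA sees one-sided. Both directions are listed:
!    0.x -> 2.x goes via the ASA but returns via the 3560 directly, and a session
!    opened from 2.x reaches the ASA only on the reply from the 0.x host.
access-list TCP_BYPASS extended permit tcp 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list TCP_BYPASS extended permit tcp 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list TCP_BYPASS extended permit tcp 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list TCP_BYPASS extended permit tcp 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
!
class-map tcp_bypass
 match access-list TCP_BYPASS
!
! 4. Disable the state check and sequence-number randomization for that class only.
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
  set connection random-sequence-number disable
!
service-policy tcp_bypass_policy interface inside
!
! Verify: the class counters should increment once a 0.x host opens a TCP
! session to 2.x, and the connection should appear in the conn table.
! show service-policy interface inside
! show conn
```

Everything not matched by TCP_BYPASS, including the Internet-bound PAT traffic, is still inspected normally, which is why the match ACL should stay as narrow as the asymmetric subnets.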

marshallqqqq Wed, 08/18/2010 - 01:30

Thanks for the fast reply Prapanch, I will try it out asap and post a status update after it.
