Add a static route to our ASA5505

OSKAR SVEDMAN
Level 1

Hi,

We have a new router on our internal interface. The router is a VPN link to one of your customer's networks (10.20.30.0/24) and our clients need to have access to their network (all clients have the ASA as their default gateway).

I have added a route in the ASA (5505):

route inside2 10.20.30.0 255.255.255.0 10.20.10.1

I have also excluded the network from using NAT:
access-list AL_NO_NAT extended permit ip 10.20.10.0 255.255.255.0 10.20.30.0 255.255.255.0

nat (inside2) 0 access-list AL_NO_NAT

The ASA has two internal interfaces:

Inside: 192.168.10.2/24

Inside2: 10.20.10.2/24

It’s only clients on the interface Inside2 that need to be able to access the network 10.20.30.0 behind the new router.

If I log in to the ASA I can ping hosts on the 10.20.30.0 network, but there is no access to the network from our clients located on the "inside2" interface.

I have also tried to add the command:

same security-traffic permit intra-interface

but it doesn't help.

Any help would be appreciated because I’m stuck with this now.

2 Accepted Solutions

Jennifer Halim
Cisco Employee

The reason why it doesn't work is that there is an asymmetric TCP connection when hosts in the 10.20.10.0/24 network with their DG pointing towards the ASA try to access the 10.20.30.0/24 network.

The SYN packet is sent from the 10.20.10.x host towards the ASA inside2 interface, then towards 10.20.10.1 and finally to the 10.20.30.x host.

The SYN-ACK packet is sent from the 10.20.30.x host towards the 10.20.10.1 router, and then directly towards the 10.20.10.x host because they are in the same subnet.

The ACK packet will then be sent from the 10.20.10.x host towards the ASA inside2 interface (however, since the ASA never saw the SYN-ACK, it will drop the ACK packet).

Solution:

1) Configure a static route on the 10.20.10.x hosts for the 10.20.30.0/24 network pointing towards the router (10.20.10.1) instead of the ASA inside2 interface.

2) Change the default gateway on all the 10.20.10.x hosts to 10.20.10.1 (assuming it's a router), and point the router's default gateway towards the ASA, so the router will redirect all other traffic except the 10.20.30.x network back towards the ASA. The router is not a stateful firewall, hence it will not drop the asymmetric TCP connection (assuming no firewall feature set is enabled on the router).

Hope that helps.


Nagaraja Thanthry
Cisco Employee

Hello,

To add to what halijenn said, if you are running the 8.2 code version, you can also use the TCP state bypass feature:

access-list Bypass permit ip 10.20.10.0 255.255.255.0 10.20.30.0 255.255.255.0
class-map bypass
 match access-list Bypass
policy-map Inside2_policy
 class bypass
  set connection advanced-options tcp-state-bypass
service-policy Inside2_policy interface Inside2

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

While the TCP state bypass configuration is the least intrusive solution, you can also consider the second solution provided by halijenn, as that would be better.

Hope this helps.

Regards,

NT

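A toy model of the asymmetric handshake halijenn describes and of what the tcp-state-bypass class-map changes, added here as an example; it is not code from the thread or from Cisco. The networks are the thread's; the hosts 10.20.10.50 and 10.20.30.7 are constructed.

```python
# Added example (not Cisco's code and not from the thread): a toy stateful
# inspection model of the asymmetric handshake and of the tcp-state-bypass
# class-map. Networks are the thread's; 10.20.10.50 / 10.20.30.7 are constructed.
from ipaddress import ip_address, ip_network
from typing import NamedTuple

HOST_NET = ip_network("10.20.10.0/24")    # inside2 subnet; VPN router is 10.20.10.1

class Packet(NamedTuple):
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"

class StatefulFirewall:
    """Tracks TCP handshake state per (client, server) pair, like ASA inspection."""
    def __init__(self, bypass_acl=()):
        # bypass_acl mirrors 'access-list Bypass permit ip <src-net> <dst-net>'
        self.bypass_acl = [(ip_network(s), ip_network(d)) for s, d in bypass_acl]
        self.conns = {}

    def inspect(self, pkt):
        """Return 'FORWARD' or 'DROP' for one packet crossing the firewall."""
        if any(ip_address(pkt.src) in s and ip_address(pkt.dst) in d
               for s, d in self.bypass_acl):
            return "FORWARD"  # tcp-state-bypass: no handshake-state check
        key = (pkt.dst, pkt.src) if pkt.flags == "SYN-ACK" else (pkt.src, pkt.dst)
        expected = {"SYN": None, "SYN-ACK": "SYN", "ACK": "SYN-ACK"}[pkt.flags]
        if self.conns.get(key) != expected:
            return "DROP"     # out-of-state, e.g. an ACK when no SYN-ACK was seen
        self.conns[key] = pkt.flags
        return "FORWARD"

def packets_seen_by_asa(handshake, host_gw_is_asa=True):
    """Routing model: host->server packets follow the host's default gateway; replies
    come back over the VPN router, which is directly connected to 10.20.10.0/24
    and therefore delivers them to the host without ever touching the ASA."""
    return [p for p in handshake if host_gw_is_asa and ip_address(p.src) in HOST_NET]

def run(bypass=False, host_gw_is_asa=True):
    """ASA verdicts for the three-way handshake, in the order the ASA sees packets."""
    acl = [("10.20.10.0/24", "10.20.30.0/24")] if bypass else []
    fw = StatefulFirewall(bypass_acl=acl)
    handshake = [Packet("10.20.10.50", "10.20.30.7", "SYN"),
                 Packet("10.20.30.7", "10.20.10.50", "SYN-ACK"),
                 Packet("10.20.10.50", "10.20.30.7", "ACK")]
    return [(p.flags, fw.inspect(p)) for p in packets_seen_by_asa(handshake, host_gw_is_asa)]

if __name__ == "__main__":
    print(run(), run(bypass=True), run(host_gw_is_asa=False))
```

With the ASA as the hosts' gateway the ACK is dropped; with the bypass ACL it is forwarded; with the router as gateway (solution 2) the ASA is simply out of the path for this flow.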

3 Replies

Thank you,

I added a route for 0.0.0.0 in the new router pointing to the ASA, and now we use the router as default gateway instead of the ASA and it works great.
