08-31-2010 04:39 AM - edited 03-11-2019 11:32 AM
Hi,
We have a new router on our internal interface. The router is a VPN link to one of your customer's networks (10.20.30.0/24) and our clients need to have access to their network. (All clients have the ASA as default gateway.)
I have added a route in the ASA (5505)
route inside2 10.20.30.0 255.255.255.0 10.20.10.1
I have also excluded the network from using NAT
access-list AL_NO_NAT extended permit ip 10.20.10.0 255.255.255.0 10.20.30.0 255.255.255.0
nat (inside2) 0 access-list AL_NO_NAT
The ASA has two internal interfaces:
Inside: 192.168.10.2/24
Inside2: 10.20.10.2/24
It’s only clients on the interface Inside2 that need to be able to access the network 10.20.30.0 behind the new router.
If I log in to the ASA I can ping hosts on the 10.20.30.0 network, but there is no access to the network from our clients located on the "inside2" interface.
I have also tried to add the command:
same security-traffic permit intra-interface
but it doesn't help.
Any help would be appreciated because I’m stuck with this now.
08-31-2010 05:01 AM
The reason it doesn't work is that there is an asymmetric TCP connection when hosts in the 10.20.10.0/24 network, with their default gateway pointing towards the ASA, try to access the 10.20.30.0/24 network.
SYN packet is being sent from 10.20.10.x host towards ASA inside2 interface then towards 10.20.10.1 and finally 10.20.30.x host.
SYN-ACK packet is sent from 10.20.30.x host towards the 10.20.10.1 router, and directly towards the 10.20.10.x host because they are in the same subnet.
ACK packet will then be sent from 10.20.10.x host towards ASA inside2 interface (however, since ASA never saw the SYN-ACK, it will drop the ACK packet).
Solution:
1) Configure static route on the 10.20.10.x host for 10.20.30.0/24 network pointing towards the router (10.20.10.1) instead of the ASA inside2 interface.
2) Change the default gateway on all the 10.20.10.x hosts to 10.20.10.1 (assuming it's a router), and point the router default gateway towards the ASA, so the router will redirect traffic back towards the ASA for all other traffic except the 10.20.30.x network. A router is not a stateful firewall, hence it will not drop an asymmetric TCP connection (assuming no firewall feature set is enabled on the router).
Hope that helps.
08-31-2010 06:22 AM
Hello,
To add to what halijenn said, if you are running the 8.2 code version, you can also use the TCP state bypass feature.
access-list Bypass permit ip 10.20.10.0 255.255.255.0 10.20.30.0 255.255.255.0
class-map bypass
match access-list Bypass
policy-map Inside2_policy
class bypass
set connections advanced-options tcp-state-bypass
service-policy Inside2_policy interface Inside2
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
While the TCP bypass configuration is the least intrusive solution, you can also consider the second solution provided by halijenn, as that would be better.
Hope this helps.
Regards,
NT
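The two replies above describe the same mechanism from two sides: the ASA tracks each TCP handshake, so when the SYN-ACK returns via the router directly to the client, the ASA sees a bare ACK for a flow it never saw established and drops it; tcp-state-bypass exempts the matched address pair from that tracking. The following is an added Python simulation of that behaviour (not ASA code and not part of this thread), using the thread's own subnets; the client and server host addresses are made-up values in those subnets.

```python
"""Toy model of a stateful firewall (the ASA's role in the thread) watching a
TCP three-way handshake that is routed asymmetrically.
Hypothetical simulation, not ASA code."""
import ipaddress

CLIENT = "10.20.10.50"   # constructed: host on Inside2, default gateway = ASA
SERVER = "10.20.30.7"    # constructed: host behind the VPN router 10.20.10.1


class StatefulFirewall:
    """Per-flow TCP state table keyed by the unordered address pair.
    States: absent (unknown flow), 'SYN_SEEN', 'ESTABLISHED'."""

    def __init__(self, bypass_pairs=()):
        # (net_a, net_b) pairs exempt from state checks: the rough equivalent
        # of an ACL matched by tcp-state-bypass.
        self.bypass_pairs = [(ipaddress.ip_network(a), ipaddress.ip_network(b))
                             for a, b in bypass_pairs]
        self.flows = {}

    def _bypassed(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any((s in a and d in b) or (s in b and d in a)
                   for a, b in self.bypass_pairs)

    def inspect(self, src, dst, flags):
        """Return 'forward' or 'drop' for a packet carrying the given TCP flags."""
        if self._bypassed(src, dst):
            return "forward"          # no state tracking at all for this pair
        key = frozenset((src, dst))
        state = self.flows.get(key)
        if flags == {"SYN"}:
            self.flows[key] = ("SYN_SEEN", src)   # remember who initiated
            return "forward"
        if flags == {"SYN", "ACK"}:
            # Only valid if we saw the SYN and it went the other way.
            if state and state[0] == "SYN_SEEN" and state[1] == dst:
                self.flows[key] = ("ESTABLISHED", state[1])
                return "forward"
            return "drop"
        if flags == {"ACK"}:
            if state and state[0] == "ESTABLISHED":
                return "forward"
            return "drop"             # the symptom described in the thread
        return "drop"


def run_handshake(fw, asymmetric):
    """Replay the handshake through fw. When asymmetric is True the SYN-ACK
    goes router -> client directly on the shared subnet, so fw never sees it."""
    verdicts = [("SYN", fw.inspect(CLIENT, SERVER, {"SYN"}))]
    if asymmetric:
        verdicts.append(("SYN-ACK", "bypassed firewall"))
    else:
        verdicts.append(("SYN-ACK", fw.inspect(SERVER, CLIENT, {"SYN", "ACK"})))
    verdicts.append(("ACK", fw.inspect(CLIENT, SERVER, {"ACK"})))
    return verdicts


if __name__ == "__main__":
    print("symmetric  :", run_handshake(StatefulFirewall(), asymmetric=False))
    print("asymmetric :", run_handshake(StatefulFirewall(), asymmetric=True))
    bypass = StatefulFirewall(bypass_pairs=[("10.20.10.0/24", "10.20.30.0/24")])
    print("with bypass:", run_handshake(bypass, asymmetric=True))
```

The third run shows what the bypass buys and what it costs: the matched pair gets through, but only because the firewall stops checking TCP state for it at all, which is why the bypass ACL should be limited to exactly the two subnets involved and why fixing the routing (halijenn's second option) is the better end state.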
08-31-2010 06:58 AM
Thank you,
I added a route for 0.0.0.0 in the new router pointing to the ASA, and now we use the router as default gateway instead of the ASA and it works great.