allowing entry and exit of a packet through the same interface (asa 5500)

adrian.coaguila
Level 1

Can anyone help me with a big question I have?


pc test:

ip: 192.68.5.100/24

default: 192.168.5.2


ASA firewall:

firewall (ASA 5500 Series): 192.168.5.2 (interface 0/0 inside)

Routing 1: 192.168.3.0/24 gw 172.10.10.1

Routing 2: 192.168.3.100/32 gw 192.168.5.1


router:

ip: 192.168.5.1


I'll explain what I want to do. As you can see, when the "test PC" tries to connect to the IP 192.168.3.100, the packet should go to the "router" by the action of "Routing 2". With this action, the ASA log tells me that the packet is dropped.


What I want to do is allow the packet in through interface 0/0 (inside) and let it exit through the same interface 0/0 (inside).

12 Replies

varrao
Level 10

What is the ASA code version that you are using? If it is pre-8.2, then you would need:

nat (inside) 10 192.68.5.100 255.255.255.255

global (inside) 10 interface

static (inside,inside) 192.168.3.100 192.168.3.100 norand nailed

same-security-traffic permit intra-interface

sysopt noproxyarp inside

and this should work,

Let me know if you are using code 8.3 or higher, the config would be different in that case.

Thanks,

Varun

Thanks,
Varun Rao

The version is:

Version 8.2(4)

You can try the config then that I gave you.

Thanks,
Varun Rao

Is that correct?

static (inside,inside) 192.168.3.100 192.168.3.100 norand nailed

Hi Jesus,

Yes, that statement is correct, since your destination also lies behind the same interface that the source is behind.

Varun

Thanks,
Varun Rao

Hi Varun,

Can you explain it to me briefly? The network lies behind the same interface as the source, but PBR is not supported by the ASA.

Please explain it to me with a scenario.

Hi Prashant,

This is not PBR, we are just routing packets on the ASA based on the nat statements.

            ASA
           /   \
          /     \
         /       \
     host A     host B

Now just take the example, where host A is trying to access host B through RDP, then what you would first need is the command:

same-security-traffic permit intra-interface

This would enable the ASA capability to route the traffic back into the same interface from where it originated.

Then, you would need to create a nat for the source traffic as well:

nat (inside) 1 0.0.0.0 0.0.0.0

global (inside) 1 interface

which means, if the traffic is coming from inside and wants to be routed back in, then it would be PATed to the inside interface address.

Now you would need to nat the destination as well (if nat control enabled):

static (inside,inside) 192.168.3.100 192.168.3.100 norand nailed

because the source and destination of the packet are both inside interface.

sysopt noproxyarp inside

(so that the ASA doesn't proxy ARP for any internal IPs)

PBR is different: it is routing done on the basis of a specific source and destination. Here we are just hair-pinning the traffic, which originates behind an interface and whose destination is also behind the same interface.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao
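The forwarding decision Varun walks through above (longest-prefix route lookup, then the intra-interface permit, then the source and destination translations that nat-control demands) as an added Python model. This is illustration code written for this thread, not Cisco software and not how the ASA is actually implemented; it only parses the handful of 8.2 commands quoted in the replies. Two assumptions are built in: the original post does not name the interface behind "Routing 1", so `outside` is assumed, and the test PC is taken to be 192.168.5.100 (the post writes 192.68.5.100, which is not in the 192.168.5.0/24 that its gateway 192.168.5.2 belongs to). `sysopt noproxyarp` has no effect on the decision modelled here and is left out.

```python
"""Model of the ASA 8.2 hairpin decision in this thread. Illustration only, not
Cisco code: it covers the route lookup, intra-interface permit and nat-control
checks the replies name, nothing more."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    gateway: str
    interface: str  # egress interface for this route


@dataclass
class AsaModel:
    routes: List[Route] = field(default_factory=list)
    intra_interface: bool = False  # same-security-traffic permit intra-interface
    nat_control: bool = True       # the thread assumes nat-control is enabled
    nat_sources: List[Tuple[str, Net]] = field(default_factory=list)   # nat (ifc) N net mask
    global_ifaces: List[str] = field(default_factory=list)             # global (ifc) N interface
    statics: List[Tuple[str, str, Net]] = field(default_factory=list)  # static (real,mapped) ...

    @classmethod
    def from_config(cls, text: str) -> "AsaModel":
        """Parse only the 8.2 commands that appear in this thread."""
        m = cls()
        for line in text.splitlines():
            tok = line.split()
            if not tok:
                continue
            if tok[0] == "route":  # route <ifc> <net> <mask> <gateway>
                m.routes.append(Route(Net(f"{tok[2]}/{tok[3]}", strict=False), tok[4], tok[1]))
            elif line.startswith("same-security-traffic permit intra-interface"):
                m.intra_interface = True
            elif tok[0] == "nat":  # nat (ifc) <id> <net> <mask>
                m.nat_sources.append((tok[1].strip("()"), Net(f"{tok[3]}/{tok[4]}", strict=False)))
            elif tok[0] == "global" and "interface" in tok:  # global (ifc) <id> interface
                m.global_ifaces.append(tok[1].strip("()"))
            elif tok[0] == "static":  # static (real_ifc,mapped_ifc) <mapped_ip> <real_ip> [netmask m]
                real_if, mapped_if = tok[1].strip("()").split(",")
                mask = tok[tok.index("netmask") + 1] if "netmask" in tok else "255.255.255.255"
                m.statics.append((real_if, mapped_if, Net(f"{tok[3]}/{mask}", strict=False)))
        return m

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: the /32 host route beats the /24."""
        d = IPv4(dst)
        return max((r for r in self.routes if d in r.prefix),
                   key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, src: str, dst: str, ingress: str) -> Tuple[str, str]:
        route = self.lookup(dst)
        if route is None:
            return "drop", "no route to destination"
        egress = route.interface
        if egress != ingress:
            # Ordinary inter-interface forwarding; NAT towards other interfaces is not modelled.
            return "forward", f"{ingress} -> {egress} via {route.gateway}"
        # Hairpin: the packet has to leave through the interface it arrived on.
        if not self.intra_interface:
            return "drop", "hairpin blocked: same-security-traffic permit intra-interface missing"
        if self.nat_control:
            s, d = IPv4(src), IPv4(dst)
            src_ok = (any(i == ingress and s in n for i, n in self.nat_sources)
                      and ingress in self.global_ifaces) \
                or any(ri == ingress and mi == ingress and s in n for ri, mi, n in self.statics)
            if not src_ok:
                return "drop", "nat-control: no nat/global or static for the source"
            if not any(ri == ingress and mi == ingress and d in n for ri, mi, n in self.statics):
                return "drop", "nat-control: no static (inside,inside) for the destination"
        return "forward", f"{ingress} -> {egress} via {route.gateway} (hairpin)"


# Constructed from the original post. "Routing 1" names no interface there, so
# "outside" is assumed; the test PC is taken as 192.168.5.100 (post says 192.68.5.100).
BASE_CONFIG = """
route outside 192.168.3.0 255.255.255.0 172.10.10.1
route inside 192.168.3.100 255.255.255.255 192.168.5.1
"""
# The statements Varun gives for the hairpin (sysopt noproxyarp is not modelled).
HAIRPIN_FIX = """
same-security-traffic permit intra-interface
nat (inside) 10 192.168.5.100 255.255.255.255
global (inside) 10 interface
static (inside,inside) 192.168.3.100 192.168.3.100 norand nailed
"""


def run_scenarios() -> dict:
    before = AsaModel.from_config(BASE_CONFIG)
    after = AsaModel.from_config(BASE_CONFIG + HAIRPIN_FIX)
    return {
        "before_fix": before.forward("192.168.5.100", "192.168.3.100", "inside"),
        "after_fix": after.forward("192.168.5.100", "192.168.3.100", "inside"),
        "other_host": after.forward("192.168.5.100", "192.168.3.50", "inside"),
    }


if __name__ == "__main__":
    for name, (verdict, why) in run_scenarios().items():
        print(f"{name:11s} {verdict:8s} {why}")
```

Running it shows the three cases side by side: without the fix the hairpin to 192.168.3.100 is dropped at the intra-interface check (the "packet is dropped" the original poster sees in the log), with the fix it is forwarded back out of inside via 192.168.5.1, and a host such as 192.168.3.50 that only matches the /24 route leaves through the other interface and never needs the hairpin rules at all. Dropping one of the four statements from HAIRPIN_FIX and re-running is a quick way to see which check each command satisfies.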

Thank you.

Hi Varun,

Why would you need to PAT to the inside interface?

Could you please give an example?

Thanks

Hi John,

It's not a necessary config, but just a way to make sure the clients respond to the ping requests. In some scenarios, where you have multiple subnets behind the ASA interface or where the default gateway on the clients is not the ASA but some other L3 hop, this helps. You can also do NAT exemption for that traffic, depending upon your network.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

Thanks Varun.

Do you know how to configure a secondary IP address on the ASA (8.2)?

Hi Jesus,

If you are asking about configuring a secondary IP on firewalls in a failover setup, you can follow this configuration doc:

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Hope that helps.

Thanks,

Varun Rao

Security Team,
Cisco TAC

Thanks,
Varun Rao