05-02-2012 01:07 PM - edited 03-11-2019 04:01 PM
Can anyone help me with a big question I have?
pc test:
ip: 192.68.5.100/24
default: 192.168.5.2
ASA firewall:
firewall (ASA 5500 Series): 192.168.5.2 (interface 0/0 inside)
Routing 1: 192.168.3.0/24 gw 172.10.10.1
Routing 2: 192.168.3.100/32 gw 192.168.5.1
router:
ip: 192.168.5.1
Let me explain what I want to do. As you can see, when the "test PC" tries to connect to 192.168.3.100, the IP packet should go to the "router" by the action of "Routing 2". However, the ASA log tells me that the packet is dropped.
What I want to do is allow the packet in through interface 0/0 (inside) and let it exit through the same interface 0/0 (inside).
05-02-2012 01:27 PM
What is the ASA code that you are using? If it is pre 8.2, then you would need:
nat (inside) 10 192.68.5.100 255.255.255.255
global (inside) 10 interface
static (inside,inside) 192.168.3.100 192.168.3.100 norand nailed
same-security-traffic permit intra-interface
sysopt noproxyarp inside
and this should work.
Let me know if you are using code 8.3 or higher, the config would be different in that case.
Thanks,
Varun
05-02-2012 01:40 PM
The version is:
Version 8.2(4)
05-02-2012 01:43 PM
You can try the config that I gave you, then.
05-02-2012 02:03 PM
Is that correct?
static (inside,inside) 192.168.3.100 192.168.3.100 norand nailed
05-02-2012 03:15 PM
Hi Jesus,
Yes, that statement is correct, since your destination also lies behind the same interface as the source.
Varun
05-04-2012 06:39 AM
Hi Varun,
Can you explain briefly? The network lies behind the same interface as the source, but PBR is not supported by the ASA.
Please explain with a scenario.
05-05-2012 02:21 PM
Hi Prashant,
This is not PBR; we are just routing packets on the ASA based on the NAT statements.
ASA
/ \
/ \
/ \
host A host B
Now just take the example where host A is trying to access host B through RDP. What you would first need is the command:
same-security-traffic permit intra-interface
This would enable the ASA capability to route the traffic back into the same interface from where it originated.
Then, you would need to create a nat for the source traffic as well:
nat (inside) 1 0.0.0.0 0.0.0.0
global (inside) 1 interface
which means that if the traffic is coming from inside and wants to be routed back in, it would be PATed to the inside interface.
Now you would need to NAT the destination as well (if nat-control is enabled):
static (inside,inside) 192.168.3.100 192.168.3.100 norand nailed
because the source and destination of the packet are both behind the inside interface.
sysopt noproxyarp inside (so that the ASA doesn't proxy ARP for any internal IPs)
PBR is different: it is routing done on the basis of a specific source and destination. Here we are just hairpinning traffic that originates behind an interface and whose destination is also behind the same interface.
Hope that helps.
Thanks,
Varun
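The hairpin described above, assembled into one configuration with the thread's addressing, as an added example rather than Varun's or Cisco's own text. It assumes the test PC is 192.168.5.100/24 (reading the "192.68.5.100" in the first post as a typo) and that the object names and the packet-tracer port numbers are illustrative; the verification step and the 8.3+ equivalent are added here, not taken from the thread.

```text
! --- ASA 8.2(4): hairpin one inside host back out the inside interface ---
! Assumption: test PC 192.168.5.100, ASA inside 192.168.5.2, next hop for 192.168.3.100 is 192.168.5.1
same-security-traffic permit intra-interface
route inside 192.168.3.100 255.255.255.255 192.168.5.1 1
! PAT the inside source to the inside interface so the reply is forced back through the ASA
nat (inside) 10 192.168.5.100 255.255.255.255
global (inside) 10 interface
! Identity NAT for the destination (needed with nat-control); stop the ASA answering ARP for it
static (inside,inside) 192.168.3.100 192.168.3.100 netmask 255.255.255.255 norandomseq nailed
sysopt noproxyarp inside
!
! --- Verification: trace an RDP packet from the test PC to the hairpinned host ---
! Expect the ROUTE-LOOKUP, NAT and FLOW-CREATION phases to show ALLOW with input and output
! interface both "inside"; a DROP here points at the missing intra-interface permit or route.
packet-tracer input inside tcp 192.168.5.100 40000 192.168.3.100 3389 detailed
show xlate
!
! --- ASA 8.3 and later: the same hairpin as object-based twice NAT (nat-control no longer exists,
! so no separate identity static is required; intra-interface permit and the route are still needed) ---
same-security-traffic permit intra-interface
route inside 192.168.3.100 255.255.255.255 192.168.5.1 1
object network TEST-PC
 host 192.168.5.100
object network HOST-3-100
 host 192.168.3.100
nat (inside,inside) source dynamic TEST-PC interface destination static HOST-3-100 HOST-3-100
```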
05-07-2012 12:29 AM
Thank you.
05-08-2012 01:50 PM
Hi Varun,
Why would you need to PAT to the inside interface?
Could you please give an example?
Thanks
05-08-2012 02:22 PM
Hi John,
It's not a necessary config, but just a way to make sure the clients respond to the ping requests. In some scenarios, where you have multiple subnets behind the ASA interface or where the default gateway on the clients is not the ASA but some other L3 hop, this helps. You can also do NAT exempt for that traffic, depending upon your network.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-07-2012 08:23 PM
Thank you, Varun.
Do you know how to configure a secondary IP address on the ASA (8.2)?
05-08-2012 12:03 PM
Hi Jesus,
If you are asking about configuring a secondary IP on firewalls in a failover setup, you can follow this configuration doc:
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
Hope that helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC