I have a problem that I cannot fix. We have a site with two inbound circuits, one for internet and one for our MPLS. Each circuit is being terminated by a 2921 Router and matching ASA 5510 Firewall. For the internal network, the Internet ASA's inside interface (172.16.0.1) is the default gateway for all hosts. OSPF is the routing protocol between all the routers and ASAs and routing is working. In fact, ICMP is working as well. From an inside host (172.16.0.81), we can ping anything on the MPLS network. But when I try to use telnet (for example), the connection fails. If I add a route to 10.10.10.0 to the host, or re-configure the host to point to the MPLS ASA (172.16.0.254) as its default gateway, connections will establish.
Both ASAs are running 8.4(3), and have the following commands:
same-security-traffic permit intra-interface
And for now, and for testing, the MPLS ASA has this Access-List:
access-list Outside_ACL extended permit ip any any
What I have found is this: if we point directly to the MPLS ASA, connections are created successfully. When pointing to the Internet ASA, only ping works and all other connection types fail to succeed (at least TCP; have not tried UDP applications). If looking on both ASAs, I see a connection made:
ASA01# show conn all
TCP inside 10.10.10.10:443 inside 172.16.0.81:56192, idle 0:00:02, bytes 0, flags SaAB
And from the MPLS nodes, I can see a TCP request is made. So I'm guessing the problem is between the ASAs?
What am I missing?
Thanks for any help,
You have asymmetric routing in your network, which is not supported with ASA firewalls.
On the way to the remote site, the packet will travel:
Host -> Internet ASA -> MPLS ASA -> MPLS router -> remote host.
But since the inside interface of the MPLS ASA is in the same subnet as the host, the packet back travels:
remote host -> MPLS router -> MPLS ASA -> host. (It skips the internet ASA).
Since the connection to the MPLS ASA was originally built from the internet ASA, this will fail.
Ping is not a 3-way handshake, but rather the echo and echo reply are 2 separate flows. The ASA does not by default build a connection for that (it only does if you enable ICMP inspection). Therefore ping will work. UDP will also work because of the same reason.
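As an added illustration of the answer above (a toy model written for this page, not the ASA's own code or anything from the original post), the following Python traces a TCP handshake and a ping along the two paths described, using the addresses from the question. It assumes each firewall permits everything, has ICMP inspection off and tracks TCP through the three-way handshake; the names ToyASA, exchange and scenario are mine.

```python
class ToyASA:
    """Simplified stateful firewall (assumed: ACL permits all, ICMP inspection off,
    TCP flows tracked through the 3-way handshake; not the real ASA code)."""
    def __init__(self, name):
        self.name, self.conns = name, {}   # conns: (client, server) -> handshake state

    def forward(self, src, dst, proto, kind):
        if proto == "icmp":                 # no conn built: echo and reply pass independently
            return True
        fwd, rev = (src, dst), (dst, src)
        if kind == "SYN" and fwd not in self.conns:
            self.conns[fwd] = "SYN_SEEN"      # embryonic conn, like the "SaAB" entry above
        elif kind == "SYN-ACK" and self.conns.get(rev) == "SYN_SEEN":
            self.conns[rev] = "SYNACK_SEEN"
        elif kind == "ACK" and self.conns.get(fwd) == "SYNACK_SEEN":
            self.conns[fwd] = "ESTABLISHED"
        else:
            return False                    # does not match tracked state: dropped
        return True

HOST, SERVER = "172.16.0.81", "10.10.10.10"   # addresses from the question

def exchange(proto, out_path, back_path):
    """Push the packets of one TCP handshake (or one ping) through the device lists."""
    steps = [("SYN", out_path), ("SYN-ACK", back_path), ("ACK", out_path)]
    if proto == "icmp":
        steps = [("echo", out_path), ("reply", back_path)]
    for kind, path in steps:
        src, dst = (HOST, SERVER) if path is out_path else (SERVER, HOST)
        for dev in path:
            if not dev.forward(src, dst, proto, kind):
                return f"{kind} dropped by {dev.name}"
    return "ok"

def scenario(proto, host_gateway):
    """host_gateway is 172.16.0.1 (Internet ASA) or 172.16.0.254 (MPLS ASA)."""
    internet_asa, mpls_asa = ToyASA("InternetASA"), ToyASA("MplsASA")
    out = [mpls_asa] if host_gateway == "172.16.0.254" else [internet_asa, mpls_asa]
    back = [mpls_asa]   # replies leave the MPLS ASA inside interface straight to the host
    return exchange(proto, out, back)

if __name__ == "__main__":
    for proto in ("tcp", "icmp"):
        for gw in ("172.16.0.1", "172.16.0.254"):
            print(f"{proto:4} via {gw:12}: {scenario(proto, gw)}")
```

With the host pointing at the Internet ASA, the server's SYN-ACK never passes that firewall, so the host's final ACK arrives out of state there and is dropped, while ping and the symmetric path through 172.16.0.254 both complete.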