2031 Views, 4 Helpful, 22 Replies

Cisco ASA inside hosts unreachable over RDP when gateway set to ASA inside interface

cliveschneider
Level 1

I have an ASA (configuration attached) with an inside network (192.168.255.0/24) that I can access over VPN. I have configured the ASA NAT and Access Rules to allow internet access to inside hosts.

The inside hosts have static IPs. Whenever I change a Windows host to use the ASA inside interface as the network gateway (for internet access), I can no longer RDP onto that host, regardless of whether I am on the inside or VPN network.

However, I can hit the web server (port 80) on one of the hosts successfully. RDP "listens on TCP port 3389 and UDP port 3389" according to Wikipedia. I'm not sure what NAT or Access Rule would be preventing RDP but allowing HTTP?

22 Replies

Is the normal gateway for the Windows host a router? If so, put a route on the router pointing to the ASA for internet access.

Hi Richard,

Until installing the ASA for VPN remote access, the network was a simple, isolated, 24-bit static network and had no reason for a router.

Surely the ASA can handle basic routing without a router in between? I'm only talking about an RDP connection between two hosts on the same subnet?

Hi Clive,

See this link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration85/guide/asa_cfg_cli_85/interface_complete_routed.html#wp1325183

To allow hosts to communicate with each other on the same interface you need the following command:

"same-security-traffic permit intra-interface"

Dennis Mink
VIP Alumni

Clive,

Let's forget about the VPN for a moment. When coming from internal and RDP-ing into your Windows host, what IP address/subnet are you coming from? I am with Richard on this one; it sounds like a subnet isn't routed properly.

Please remember to rate useful posts, by clicking on the stars below.

Hi Dennis, Richard,

I have now issued the command:

same-security-traffic permit intra-interface

as suggested by Richard.

Ok so all 'inside' hosts (around 30) are on a small, isolated network with the same subnet, 192.168.255.0/24. All hosts are networked on a basic unmanaged switch, so there has been no gateway. Once a Windows host has had its gateway changed from [blank] to the inside of the ASA (192.168.255.254), RDP connections fail as well as other communications, but web servers are still reachable.

Clive,

Are you saying RDP fails if you RDP from one device to another on the 192.168.255.0 network, or is it from outside?

Do all devices on the 192.168.255.0 network have static IP addresses, or are they DHCP? If DHCP, do you use the ASA as the DHCP server?

If you do a "show arp" on the ASA, do you see your 192.168.255.x devices?

RDP fails whether connecting from the outside or inside (ie on the same 192.168.255.0 network).

All devices are static. Although the ASA has been configured as a DHCP server, the DHCP address range is limited to 192.168.255.230-240, which is outside the range of the devices concerned.

ARP shows the 192.168.255.x devices:

inside 192.168.255.5 xxxx 12
inside 192.168.255.14 xxxx  53
inside 192.168.255.101 xxxx  134
inside 192.168.255.16 xxxx  136
inside 192.168.255.25 xxxx  136
inside 192.168.255.1 xxxx  316
...
 
outside 10.0.1.1 xxxx  15

OK, so you RDP to the windows box that is in 192.168.255.0/24 from a machine that is in 192.168.255.0/24 as well?


Correct

OK in that case, the problem is not your firewall, or put more correctly, it should not be in the path.


If, for instance, you connect to your Windows machine 192.168.255.10 from 192.168.255.100, then whatever the default gateway on your Windows machine is does not matter, because it only needs to rely on its ARP table to send traffic back to 192.168.255.100.

Whatever is going on, I am guessing the problem is on your Windows box.

Hi Dennis,

That's what I thought too, but I have proven this behaviour on two separate Windows hosts now and don't understand why a gateway would impact comms between devices on the same subnet.

I was suspicious that the traffic was in fact being routed through the gateway and that the ASA was NATting the traffic according to my NAT rules.

I will hopefully be on site tomorrow for a closer look.

Does the machine you are trying to connect to the Windows machine from have two IP addresses? For instance, it being wired into the network and using wireless at the same time.

It would be interesting to isolate the server from the network and see if you can reproduce the problem.


HTH


There are two factors to test:

  1. connectivity between two PCs with and without a default gateway setting in Windows
  2. connectivity between two PCs with and without the ASA connected to the network

Post-8.3 ASA identity NAT rules are capable of affecting intra-subnet traffic if someone forgets to add the no-proxy-arp option.
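The following ASA CLI fragment is an added illustration of Peter's point; it is not the configuration attached to the thread. The object names and the VPN client pool (192.168.250.0/24) are assumed, and the inside subnet 192.168.255.0/24 and inside interface address 192.168.255.254 are taken from the thread. The weak form shows a post-8.3 identity NAT rule written with `any` interfaces and without `no-proxy-arp`, which makes the ASA answer ARP requests for inside addresses on the inside interface itself; the corrected form pins the interfaces, disables the proxy ARP and lets the routing table choose the egress interface.

```cisco
! Added example, not the thread's attached config. Object names and the
! VPN pool 192.168.250.0/24 are assumed; 192.168.255.0/24 and the inside
! interface address 192.168.255.254 come from the thread.
object network INSIDE-NET
 subnet 192.168.255.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.250.0 255.255.255.0

! Weak form: identity NAT between inside hosts and VPN clients with
! (any,any) interfaces and no "no-proxy-arp". The ASA then replies to
! ARP for 192.168.255.x on the inside interface as well, so a host that
! ARPs for a neighbour can learn the firewall's MAC instead, and its RDP
! traffic is sent into the ASA rather than directly across the switch.
nat (any,any) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL

! Corrected form: remove the broad rule, name the interfaces explicitly,
! stop the proxy ARP, and use route-lookup so the routing table (not the
! NAT rule) determines the egress interface.
no nat (any,any) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Still required for traffic that enters and leaves the same interface
! (for example VPN client to VPN client); Clive has already applied this.
same-security-traffic permit intra-interface

! Verify that the rule now carries the no-proxy-arp keyword.
show running-config nat
```

With `no-proxy-arp` in place the ASA stays silent for ARP requests on the inside segment, so two hosts on 192.168.255.0/24 resolve each other directly regardless of their default gateway setting, which is the behaviour Dennis describes above.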

Hi Peter,

  1. connectivity between two PCs with and without a default gateway setting in Windows
  2. connectivity between two PCs with and without the ASA connected to the network

Both configurations 1 and 2 work fine, no connectivity issues. If the ASA is disconnected but the gateway is set to 192.169.255.254 (the ASA), RDP and other services function OK. As soon as the ASA is connected, the problems start.

From the ASA inside interface (192.168.255.254) to the server:

  • traceroute fails
  • ping succeeds
  • packet-tracer of TCP/UDP port 3389 (RDP) to the inside server fails; the packet is dropped due to an implicit inside incoming access rule, even though I have an explicit inside incoming rule permitting access.

I can't figure out what is wrong with my ASA config to cause this behaviour?
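The checks below are an added set of ASA CLI verification steps, not commands from the thread. They reproduce the RDP test Clive describes and show, phase by phase, whether the ASA is answering ARP for an inside neighbour, which NAT rule an intra-subnet RDP packet hits, and which access rule drops it. The source host 192.168.255.100 and target 192.168.255.10 are borrowed from Dennis's illustration above; the ephemeral source port 50000 is assumed.

```cisco
! Added verification steps, not from the thread. Hosts 192.168.255.100
! and 192.168.255.10 are the example addresses Dennis used; port 50000
! is an assumed ephemeral source port.

! 1. Is the ASA claiming the neighbour's address on the inside interface?
!    A proxy-ARP entry for a host the ASA does not own points at NAT.
show arp | include 192.168.255.10

! 2. Replay the RDP SYN (TCP and UDP 3389) as a host with the ASA as
!    gateway would send it. "detailed" prints every phase (ROUTE-LOOKUP,
!    NAT, ACCESS-LIST) and the final drop reason, so the implicit rule
!    that Clive sees can be matched to the phase that produced it.
packet-tracer input inside tcp 192.168.255.100 50000 192.168.255.10 3389 detailed
packet-tracer input inside udp 192.168.255.100 50000 192.168.255.10 3389 detailed

! 3. Which NAT rule is matching inside-to-inside traffic, and how often
!    (hit counters increase with each packet-tracer run).
show nat detail | include 192.168.255

! 4. Live confirmation: capture RDP between the two inside hosts on the
!    inside interface. Once proxy ARP is off, this capture should stay
!    empty because the hosts exchange frames directly over the switch.
capture RDP interface inside match tcp host 192.168.255.100 host 192.168.255.10 eq 3389
show capture RDP
no capture RDP
```

If the capture fills up while both hosts sit on the same switch, the ASA is being handed traffic that should never reach it, and the NAT and proxy-ARP configuration, rather than the access rules, is the place to look first.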
