Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
298
Views
0
Helpful
5
Replies

Having a hard time understanding a piece of existing configuration

Go to solution
Tony Curk
Level 1
Level 1

‎10-24-2016 10:19 AM - edited ‎03-08-2019 07:54 AM

Hi,

I'm having a hard time understanding a piece of existing configuration that exists in one of my customer’s networks.

The PC (10.0.0.10) is able to reach the server on IP Address 192.168.30.100 over the L2L Tunnel even though the only reference 'Cisco ASA 3' has to the subnet is a static route and a static NAT rule.

The Communication Works both ways, both devices can initiate a session.

Is here someone smarter than me that can point me in the right direction on what’s going on here, I'd like to read up on it, is this type of configuration called something in particular?

 

Regards,

Tony Curk

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Cisco Freak
Level 4
Level 4
In response to Tony Curk

‎10-24-2016 10:54 AM

ASA2(172.16.0.254) send the packets destined to 192.168.30.100 to Switch(172.16.0.1).

The switch then forwards that packet to ASA3(172.16.0.100). This is because its got a more precise /32 static route over the /24 connected router. Length of the route make the difference here.

CF

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Cisco Freak
Level 4
Level 4

‎10-24-2016 10:37 AM

When the traffic from PC to Server hits the ASA3 with a destination IP of 192.168.30.100, then the following event happens:

1) If the ACL permits traffic from the outside interface to inside interface, then the destination IP will be NATed to 10.20.30.100/32

2) Then ASA will try to route the packet. ASA has a connected interface in that VLAN: 10.20.30.0/24. So ASA will ARP for that IP 10.20.30.100 and then will send the packet directly to that server.

CF

0 Helpful

Go to solution
Tony Curk
Level 1
Level 1
In response to Cisco Freak

‎10-24-2016 10:48 AM

But what happens in the Switch? Isn't a local connected subnet preferred before a host route?

//T

0 Helpful

Go to solution
Cisco Freak
Level 4
Level 4
In response to Tony Curk

‎10-24-2016 10:54 AM

ASA2(172.16.0.254) send the packets destined to 192.168.30.100 to Switch(172.16.0.1).

The switch then forwards that packet to ASA3(172.16.0.100). This is because its got a more precise /32 static route over the /24 connected router. Length of the route make the difference here.

CF

0 Helpful

Go to solution
Tony Curk
Level 1
Level 1
In response to Cisco Freak

‎10-24-2016 10:58 AM

So it's that easy..

I would have added an interface in Subnet_B on the Firewall. Never firgured you could do NAT for non connected subnets in the ASA.  

0 Helpful

Go to solution
Cisco Freak
Level 4
Level 4
In response to Tony Curk

‎10-24-2016 11:05 AM

Yes!

Please mark this thread as closed if all your queries are cleared.

CF

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card