Cisco Support Community

New Member
allowing entry and exit of a packet through the same interface (asa 5500)

Can anyone help me with a big question I have.


pc test:

ip: 192.68.5.100/24

default: 192.168.5.2


ASA firewall:

firewall (ASA 5500 Series): 192.168.5.2 (interface 0/0 inside)

Routing 1: 192.168.3.0/24 gw 172.10.10.1

Routing 2: 192.168.3.100/32 gw 192.168.5.1


router:

ip: 192.168.5.1


Let me explain what I want to do. As you can see, when the "test PC" tries to connect to the 192.168.3.100 IP, the packet should go to the "router" by the action of "Routing 2". But the ASA log tells me that the packet is dropped.

What I want to do is allow the packet in through interface 0/0 (inside) and out through the same interface 0/0 (inside).

12 REPLIES
Red


What is the ASA code that you are using?? If it is pre 8.2, then you would need:

nat (inside) 10 192.68.5.100 255.255.255.255

global (inside) 10 interface

static (inside,inside) 192.168.3.100 192.168.3.100 norand nailed

same-security-traffic permit intra-interface

sysopt noproxyarp inside

and this should work,

Let me know if you are using code 8.3 or higher, the config would be different in that case.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member


The version is:

Version 8.2(4)

Red

You can try the config that I gave you, then.

Thanks, Varun Rao Security Team, Cisco TAC
New Member


that is correct:

static (inside,inside) 192.168.3.100 192.168.3.100 norand nailed

Red

Hi Jesus,

Yes, that statement is correct, since your destination also lies behind the same interface behind which the source is.

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

Hi Varun,

Can you explain briefly? The network lies behind the same interface, which is the source. But PBR is not supported by the ASA.

Please explain it to me with a scenario.

Red


Hi Prashant,

this is not PBR, we are just routing packets on the ASA based on the nat statements.

          ASA
         /   \
        /     \
       /       \
   host A     host B

Now just take the example, where host A is trying to access host B through RDP, then what you would first need is the command:

same-security-traffic permit intra-interface

This would enable the ASA capability to route the traffic back into the same interface from where it originated.

Then, you would need to create a nat for the source traffic as well:

nat (inside) 1 0.0.0.0 0.0.0.0

global (inside) 1 interface

which means, if the traffic is coming from inside and wants to be routed back in, then it would be PATed to the inside interface.

Now you would need to nat the destination as well (if nat control enabled):

static (inside,inside) 192.168.3.100 192.168.3.100 norand nailed

because the source and destination of the packet are both inside interface.

sysopt noproxyarp inside (so that ASA doesn't proxy arp for any internal IP's)

PBR is different: it is routing done on the basis of a specific source and destination. Here we are just hair-pinning the traffic, which originates behind an interface and whose destination is also behind the same interface.

Hope that helps.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
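The steps Varun lists above, assembled into one ASA 8.2 configuration for the topology from the original question. This is an added example, not a config from the thread or from Cisco: the interface names "inside" and "outside", the physical interface Ethernet0/0, and the placement of the 172.10.10.1 next hop on the outside interface are assumptions; the addresses, routes and nat/static/sysopt lines are the ones given in the thread.

```cisco
! Added example (not from the thread): ASA 8.2 hairpin config for the
! test-PC -> ASA -> router -> 192.168.3.100 case.
! Assumed: inside interface is Ethernet0/0 named "inside"; 172.10.10.1
! is reachable through an interface named "outside".
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.5.2 255.255.255.0
!
! Routes from the original question. The /32 is more specific than the
! /24, so 192.168.3.100 is sent back out the inside interface to the router.
route outside 192.168.3.0 255.255.255.0 172.10.10.1
route inside 192.168.3.100 255.255.255.255 192.168.5.1
!
! Step 1: allow a flow to leave through the interface it entered on.
! Without this the ASA drops the packet, which is what the log showed.
same-security-traffic permit intra-interface
!
! Step 2 (nat-control): the source needs a translation on (inside,inside).
! This PATs the test PC to the inside interface address.
nat (inside) 10 192.68.5.100 255.255.255.255
global (inside) 10 interface
!
! Step 3: identity static for the destination so an xlate exists
! without changing 192.168.3.100.
static (inside,inside) 192.168.3.100 192.168.3.100 norand nailed
!
! Step 4: do not answer ARP for 192.168.3.100 on the inside segment;
! the router, not the ASA, should be the next hop for it.
sysopt noproxyarp inside
!
! Verification from the ASA CLI (real commands, constructed arguments):
! packet-tracer input inside tcp 192.68.5.100 12345 192.168.3.100 3389
! show xlate
! show route
```

Two things worth checking after applying it. First, the PC address appears in the thread as 192.68.5.100; if the PC is really 192.168.5.100, the nat line has to match that or the flow will fall through without a translation. Second, because the source is PATed to the interface address, the router and the 192.168.3.100 host see every hairpinned connection as coming from 192.168.5.2, which hides the real client in their logs; if that matters, use nat exemption for this traffic instead (the option Varun mentions later in the thread) so the original source address is kept.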
New Member


Thank you.

New Member

Hi Varun,

Why would you need to PAT to the inside interface?

Could you please give an example?

Thanks

Red

Hi John,

It's not a necessary config, but just a way to make sure the clients respond to the ping requests. In some scenarios, where you have multiple subnets behind the ASA interface or where the default gateway on the clients is not the ASA but some other L3 hop, this helps. You can also do NAT exemption for that traffic, depending upon your network.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks, Varun Rao Security Team, Cisco TAC
New Member

Thanks, Varun.

Do you know how to configure a secondary IP address on the ASA (8.2)?

Red

Hi Jesus,

If you are asking about configuring a secondary IP on firewalls in a failover setup, you can follow this configuration doc:

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Hope that helps.

Thanks,

Varun Rao

Security Team,
Cisco TAC

Thanks, Varun Rao Security Team, Cisco TAC