I am kind of new to firewalls and what I'm trying to do is the following:
One subnet for everything, ASA 5520 INSIDE 192.168.0.241 > 3560 192.168.0.240 > Several 2950 on 192.168.0.x
ASA 5520 INSIDE 192.168.0.241 >>> 3560 192.168.0.240/2.1/5.1 (IP ROUTING enabled) >TRUNK> 2950 with 192.168.5.10 and a client with 192.168.2.100
-ASA 5520 > 3560 > Several 2950 (some in different subnets)
-I added subnets 192.168.2.x and .5.x (VLAN 2/5, with IPs of .1) to the 3560, which is trunked with a 2950 that runs those 2 subnets.
-Everything in the 192.168.0.x subnet has as default gateway the ASA Inside interface (0.241).
-The new 2950 / client have as default gateway the 3560 (5.1 and client 2.1).
-3560 has an ip route 0.0.0.0 0.0.0.0 192.168.0.241
-ASA has ip routes to 192.168.2.0 > 192.168.0.240 and 192.168.5.0 > 192.168.0.240 (which is the IP of the 3560).
I can access the internet fine (added PAT) but I cannot ping from a host in the 0.x to the 2.x etc. From the 2.100 client I can only ping the 3560 / ASA / internet but not a single other 0.x address on the network.
Now someone told me that I cannot route traffic back on the same interface as it goes out on, but I don't think this is true. He suggested I change all my default gateways to the 3560 IP address, and yes, this will probably solve it and might be the best solution, but I got curious now.
-I have an inside ACL that says from any source to any less secured network; can anyone tell me if putting this to any any will solve my problems?
-Even if this works, should I still consider changing all my default gateways to the 3560 instead of the firewall?
-Or should I consider doing the inter-VLAN routing on the firewall instead of the 3560?
I hope it's a bit clear, and if not, please let me know.
> Now someone told me that I cannot route traffic back on the same interface as it goes out on
Whoever told you that is true in a sense, because that is indeed the default behavior of the ASA. In order to allow that, you will need the command:
same-security-traffic permit intra-interface
Also, since you have an access-list on the ASA's interface, you will also need to allow traffic from the 0.x to the 2.x subnet explicitly.
Now, if we look at the packet flow when a host, say 0.10, tries to ping 2.100, this first goes to the ASA, then to the 3560 and 2950, and then finally to the 2.100 host. When this host sends the reply, this packet is going to go to the 2950, the 3560 and then to the 0.10 host directly and does not go to the ASA. Hence, the ASA sees only one direction of traffic and not both (asymmetric routing). Assuming we don't have "inspect icmp", then because of this we will be able to ping successfully, but none of the TCP connections will work because of 2 reasons:
1) ASA randomizes sequence numbers.
2) ASA does a statefulness check for every TCP packet.
We need to disable the above two features as well on the ASA for this particular flow. Prior to 8.2, this is done using a static command as below:
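An added configuration example, not posted by anyone in this thread, that ties the pieces of the answer together for the topology in the question: hairpinning on the inside interface, the two static routes toward the 3560, explicit ACL permits for 0.x to 2.x/5.x (rather than opening the inside ACL to any any), and the ASA 8.2+ Modular Policy Framework equivalent of the pre-8.2 static command the answer refers to, which turns off sequence-number randomization and the TCP state check for just the hairpinned flows. The interface name "inside", the ACL name "inside_access_in", and the class-map/policy-map names are assumptions; substitute the names bound to your own interface.

```cisco
! Hairpinning: allow traffic to enter and leave the same interface
! (denied by default on the ASA)
same-security-traffic permit intra-interface
!
! Routes from the question: the 3560 (192.168.0.240) owns VLAN 2 and VLAN 5
route inside 192.168.2.0 255.255.255.0 192.168.0.240 1
route inside 192.168.5.0 255.255.255.0 192.168.0.240 1
!
! Inside ACL: add explicit permits for the hairpinned subnets instead of
! replacing the existing rule with "any any"
! (ACL name inside_access_in is assumed)
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-group inside_access_in in interface inside
!
! ASA 8.2+ only (assumed version): match the hairpinned TCP flows and relax
! the two checks the answer names, because the ASA will only ever see the
! forward direction of these connections
access-list hairpin_tcp extended permit tcp 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list hairpin_tcp extended permit tcp 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
class-map hairpin_tcp
 match access-list hairpin_tcp
policy-map inside_hairpin_policy
 class hairpin_tcp
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass
service-policy inside_hairpin_policy interface inside
```

Scope the bypass class as narrowly as the ACL above does: every flow it matches loses the ASA's stateful TCP tracking, so the firewall is no longer adding protection between those subnets, only forwarding. That is the practical argument for the second option in the question: pointing the 0.x default gateways at the 3560 keeps inter-VLAN traffic off the ASA entirely and leaves the ASA with full, symmetric visibility of everything that actually crosses to a less-secure network.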