
ASA Routing Question

Nick Currie
Level 1

Hi guys, I have an issue here; hopefully you can point me in the right direction.

We have a router (dmz_int172.x.x.4) on our DMZ network that has a VPN to a remote site. On that remote site is a system (int_172.17.x.x) we access using telnet, port 23.

Currently our clients connect via a MS firewall client redirecting that telnet traffic to our ISA server (internal_int 192.168.x.x, dmz_int172.x.x.10) which then routes traffic for 172.17.x.x to the dmz router.

I would like to decommission our ISA server and handle this via our default gateway ASA 5510. (internal_int 192.168.x.x, dmz_int 172.x.x.1, external int 116.x.x.x)

I need to route the traffic hitting its internal interface heading for 172.17.x.x to 172.x.x.4

I have tried this with the following:

route dmz_int 172.17.x.x 255.255.255.255 172.x.x.4 1 ?

When I examine the logs using the real time log viewer I am seeing connection attempts being made from the clients to 172.17.x.x but then SYN timeouts and the connection attempt being torn down.

Teardown TCP connection 253464804 for dmz_int:172.17.x.x/23 to inside_int:192.168.x.x/60921 duration 0:00:30 bytes 0 SYN Timeout

Unfortunately I do not have any visibility into the router at 172.x.x.4 to check the logs to see if connections are getting that far.

I am probably missing something simple, if anyone can lend a hand it would be much appreciated!

5 Replies

Jouni Forss
VIP Alumni

Hi,

I am not sure if I can understand the whole topology of the network completely but the first thing that came to my mind is naturally the fact that you are probably using a L2L VPN that connects 2 different sites. Is the source address visible to the VPN router the same or from the same network in both cases?

I mean it might be that with the different setup the connections are coming to the VPN router with a wrong source address that doesn't match the VPN rules and therefore ends in SYN Timeout.

- Jouni

Hi Jouni, thanks for taking the time to respond!

Yes, this could be the problem I think. Could I NAT the connections hitting the internal interface of the ASA to appear as if they are coming from the old external interface of the ISA server (172.x.x.10), sending them out of the dmz interface 172.x.x.1 and still route them to the next hop 172.x.x.4?

Hi,

I wouldn't suggest that. You can't have the same IP address used on 2 different devices at the same time. You would start facing problems with traffic forwarding.

As you said, I guess you don't have access to the router that does the VPN, so we can't really confirm what the VPN settings are.

Usually though I would imagine that whole networks/subnets are defined as the source address for a L2L VPN connection. So you might be able to NAT to some free IP address on that same network and see if the connections go through.

Naturally this isn't the best approach. It would be better to have the exact information about your network setup and naturally the VPN configurations also, to be able to tell what is required for the connections to work.

- Jouni

Thanks Jouni - in terms of syntax I'm wondering how I might manage that:

Would I need both of these statements:

nat(inside,dmz) source static "orig_internal_network_object" "new_mapped_source_address_obj" destination static "Adelaide_RFS" "Adelaide_RFS"

route dmz_int 172.17.x.x 255.255.255.255 172.x.x.4 1

When the packet arrives at the internal_int of the ASA, does NAT occur first? Then, as the Adelaide_RFS destination object matches the 172.17.x.x route statement, would the packet be passed to 172.x.x.4 by the dmz_int?

Hi,

Are you doing Static Policy NAT for a single host with the above configuration?

Or would you be doing Dynamic Policy NAT for several hosts on the "inside" network?

Normally the format for Dynamic Policy PAT/NAT would be

nat (inside,dmz) source dynamic destination static

In either case I think the NAT configuration will decide the interface to which the traffic is to be forwarded. With the "packet-tracer" command you will first see a "UN-NAT" Phase which basically states what interface is chosen towards the destination network.

Though again, I am not sure if the above would work in your setup. I mean there is no problem with the configuration format. There might still be some other NAT configurations on your device that might override this unless you enter this NAT command in the right place.

- Jouni
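The following is an added example, not configuration from either poster, that puts the pieces discussed above together for an ASA running 8.3+ NAT syntax: the object definitions behind the NAT statement asked about in the syntax question, the dynamic-PAT form Jouni describes, the host route to the DMZ VPN router, and the packet-tracer check he suggests for confirming which egress interface the UN-NAT phase picks. The interface names (inside_int, dmz_int) and the object name Adelaide_RFS come from the thread; every address is a placeholder standing in for the masked 192.168.x.x / 172.x.x.x / 172.17.x.x values, so substitute your real ones.

```text
! ---- Added example, not from the thread. All addresses are placeholders. ----
! Real inside clients (placeholder subnet for 192.168.x.x)
object network INSIDE_CLIENTS
 subnet 192.168.0.0 255.255.255.0
!
! A single, currently unused address on the DMZ subnet (placeholder for a free 172.x.x.y).
! A host object as the mapped source in twice NAT gives dynamic PAT, so many
! clients share this one address. It must NOT be 172.x.x.10 while the ISA still owns it.
object network DMZ_PAT_ADDR
 host 172.16.0.20
!
! Remote telnet host behind the VPN (placeholder for 172.17.x.x)
object network Adelaide_RFS
 host 172.17.0.5
!
! Manual (twice) NAT, inserted at line 1 of section 1 so that no earlier
! NAT rule matches these packets first and overrides it.
nat (inside_int,dmz_int) 1 source dynamic INSIDE_CLIENTS DMZ_PAT_ADDR destination static Adelaide_RFS Adelaide_RFS
!
! Host route: next hop for the remote host is the DMZ VPN router (placeholder for 172.x.x.4)
route dmz_int 172.17.0.5 255.255.255.255 172.16.0.4 1
!
! ---- Verification ----
! Confirm the rule really sits first in section 1 and watch its hit counter:
show nat detail
!
! Walk a simulated client SYN through the box (source port is arbitrary). The
! UN-NAT phase names the chosen egress interface; a later NAT phase shows the
! translated source; the final line should read "Action: allow".
packet-tracer input inside_int tcp 192.168.0.50 60921 172.17.0.5 23 detailed
!
! After the change, the real-time log should show the Teardown reason change
! from "SYN Timeout" to a normal close once the remote side answers.
```

If packet-tracer already reports allow on the ASA but the Teardown still says SYN Timeout, the ASA has done its part and the remaining question is whether the VPN router's crypto ACL (which Jouni points out you cannot see) includes the mapped source address; that is the place to ask the remote administrator to check.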
