Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA Routing Question

Hi guys, I have an issue here hopefully you can point me in the right direction.

We have a router (dmz_int172.x.x.4) on our DMZ network that has a VPN to a remote site. On that remote site is a system (int_172.17.x.x) we access using telnet, port 23.

Currently our clients connect via a MS firewall client redirecting that telnet traffic to our ISA server (internal_int 192.168.x.x, dmz_int172.x.x.10) which then routes traffic for 172.17.x.x to the dmz router.

I would like to decommission our ISA server and handle this via our default gateway ASA 5510. (internal_int 192.168.x.x, dmz_int 172.x.x.1, external int 116.x.x.x)

I need to route the traffic hitting its internal interface heading for 172.17.x.x to 172.x.x.4

I have tried this with the following:

route dmz_int 172.17.x.x 255.255.255.255 172.x.x.4 1 ?

When i examine the logs using the real time log viewer i am seeing connection attempts being made from the clients to 172.17.x.x but then SYN timouts and the connection attempt being torndown.

Teardown TCP connection 253464804 for dmz_int:172.17.x.x/23 to inside_int:192.168.x.x/60921 duration 0:00:30 bytes 0 SYN Timeout

Unfortunately I do not have any visibility into the router at 172.x.x.4 to check the logs to see if connections are getting that far.

I am probably missing something simple, if anyone can lend a hand it would be much appreciated!

5 REPLIES
Super Bronze

ASA Routing Question

Hi,

I am not sure if I can understand the whole topology of the network completely but the first thing that came to my mind is naturally the fact that you are probably using a L2L VPN that connects 2 different sites. Is the source address visible to the VPN router the same or from the same network in both cases?

I mean it might be that with the different setup the connections are coming to the VPN router with a wrong source address that doesnt match the VPN rules and therefore ends in SYN Timeout.

- Jouni

New Member

ASA Routing Question

Hi Youni, thanks for taking the time to respond!

Yes, this could be the problem I think. Could I NAT the connections hitting the internal interface of the ASA to appear as if they are coming from the old external interface of the ISA server (172.x.x.10), sending them out of the dmz interface 172.x.x.1 and still route them to the next hop 172.x.x.4?

Super Bronze

ASA Routing Question

Hi,

I wouldnt suggest that. You cant have the same IP address used on 2 different devices at the same time. You would start facing problems with traffic forwarding.

As you said I guess you dont have access to the router that does the VPN so we cant really confirm what the VPN settings are.

Usually though I would imagine that whole networks/subnets are defined as the source address for a L2L VPN connection. So you might be able to NAT to some free IP address on that same network and see if the connections go through.

Naturally this isnt the best approach. It would be better to have the exact information about your network setup and naturally the VPN configurations also to be able to tell what is required for the connections to work.

- Jouni

New Member

Re: ASA Routing Question

Thanks Youni - in terms of syntax Im wondering how I might manage that:

Would I need both of these statements:

nat(inside,dmz) source static "orig_internal_network_object" "new_mapped_source_address_obj" destination static "Adelaide_RFS" "Adelaide_RFS"

route dmz_int 172.17.x.x 255.255.255.255 172.x.x.4 1

When the packet arrives at the internal_int of the ASA, does NAT occur first. Then as the Adelaide_RFS destination obj matches the 172.17.x.x route statement the packet would be passed to 172.x.x.4 by the dmz_int ?

Super Bronze

Re: ASA Routing Question

Hi,

Are you doing Static Policy NAT for a single host with the above configuration?

Or would you be doing Dynamic Policy NAT for several hosts on the "inside" network?

Normally the format for Dynamic Policy PAT/NAT would be

nat (inside,dmz) source dynamic destination static

In either case I think the NAT configuration will decide the interface to which the traffic is to be forwarded. With the "packet-tracer" command you will first see a "UN-NAT" Phase which basically states what interface is chosen towards the destination network.

Though again, I am not sure if the above would work in your setup. I mean there is no problem with the configuration format. There might still be some other NAT configurations on your device that might override this unless you enter this NAT command in the right place

- Jouni

129
Views
0
Helpful
5
Replies