Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA Routing

HI,

I have a few public facing interfaces on an ASA and have found that when a connection comes in through an interface that isn't the default route for the ASA, I get an error stating that no route to x.x.x.x from x.x.x.x (interface).

When I add in a static route on the ASA to the destination and route it out over the public interface the traffic came in on, the connections work.

I don't want to go down the road of static routes and know this works on other firewalls.

I have come across "trombone" to force traffic back out the same interface it came in on and would really appreciate some help with this.

I have an ASA 5510 7.2

9 REPLIES
Gold

Re: ASA Routing

is the following command enabled:

ip verify reverse-path

it's disabled by default.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1729583

Re: ASA Routing

Is it possible to route the return traffic coming from an interface say management 0/0 back via the same interface without applying a route ?

example

inside ip 192.168.0.1/24

mgmt ip is 192.168.100.1/24

default inside route is via INSIDE interface

route inside 192.16.0.0 255.255.0.0 192.168..1

i want packets that come to management interface back via management interface

( THis is for management traffic )

New Member

Re: ASA Routing

Answering Anand's question above, it is not possible to route back the same interface if route is missing. Correct routing rules still need to be present. However, it's a different thing if the destination IP address is on directly connected interface.

=======

Coming to the original issue, do you get the syslog message "110001"? If this is the case, then it simply means that you are missing route for the destination network.

Does it happen for all the traffic (except the traffic that enters the default route interface)? I don't think that would be the case.

Could you please confirm if you are trying to do "u-turning" on ASA meaning that traffic needs to enter and exit the same interface? If that's the case, we need to have correct nat/global/static/route statements along with the command "same-security-traffic permit intra-interface"

New Member

Re: ASA Routing

HI Thanks for the response.

It happens when ftp traffic is coming in-bound and the same for rdp over the extra public interface. I also tried ssl and it comes up with the no route error.

It looks like u-turning will only work to get the ftp and rdp established and they only worked when I added in the static routes back to the sites that were coming in over the interface.

I am using pat from the internal to the outside and my static translations work when the routes are added in. I already have the same-security-traffic permit.

I will check out the logging message tomorrow.

On the previous Sonicwall you could add in default gateways per interface so when traffic came in that interface it knew to send responses back out to the gateway you had set on the interface.

The routing table on the Sonicwall had a secondary default gateway and handled the traffic that way.

New Member

Re: ASA Routing

I am still not 100% clear with what exactly are we trying to do, but let me give you an example of what is needed on PIX if we need to do u-turning:

--(out)PIX(in).1-----192.168.1.0/24---.2(ROUTER).1--192.168.2.0/24--

In the above diagram, network directly connected to PIX is 192.168.1.0/24 and network behind the inside router is 192.168.2.0/24. Default Gateway for 192.168.1.0 is 192.168.1.1 - PIX's inside interface

192.168.1.0 needs to access 192.168.2.0

Here are the commands we need to put on PIX in such case:

route inside 192.168.2.0 255.255.255.0 192.168.1.2

nat (inside) 1 0 0

global (inside) 1 interface

static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

same-security-traffic permit intra-interface

However, even with above commands, u-turning will work only one-way i.e 192.168.1.0 will be able to initiate communication to 192.168.2.0 but 192.168.2.0 will not be able to initiate communication to 192.168.1.0

I hope that helps..

New Member

Re: ASA Routing

If you have an inside router you don't need to do all that. The default gateway for any host in 192.168.1.0 should be the inside router 192.168.1.2, then in the inside router you will have a default route pointing to the PIX inside interface 192.168.1.1. In the PIX you will have a route for network 192.168.2.0 pointing to 192.168.1.2. No NAT for inside hosts.

New Member

Re: ASA Routing

rigoberto is correct above and that would be a better option (to change the default gateway to router). However, there can be cases where customer does not have the option of changing the default gateway to point it to the router if it's a big inside network. If that's the case (i.e the default gateway for inside network has to be PIX), then we need the above mentioned commands. Also, make sure you are running code 7.2.1 or above on ASA, otherwise, u-turning for clear-text traffic will not work.

Re: ASA Routing

I already have an inside router. IP is 192.168.1.2

the default route inside is pointing to 192.168.1.2

The inside ip 192.168.0.1/24

The mgmt ip is 192.168.100.1/24

But the issue is have other networks inside .....

like 192.168.2.0, 192.168.3.0, 192.168.200.0 etc

when i try to accesss the management ip 192.168.100.0 network, the outgoing packet hits the management directly via my LAN router. But the return packet tries to come via the inside interface due to the default

route inside ..

i want the return packet for management traffic alone from 192.168.200.0 etc to come back via the management interface. is this possible ?

If i try to access the management interface from my LAN

New Member

Re: ASA Routing

You have more or less the same issue as me...the asa will send traffic out its default gateway when it doesn't know a route to the destination which is fair enough but not great when the likes of Sonicwall give you the option to put a gateway on an interface and that would solve both our problems.

When your mgt pc connects to the mgt interface the default route on the interface would send the reply back to where ever you specify.

There has to be someway of doing this on the ASA????

452
Views
0
Helpful
9
Replies