Cisco ASA Routing between 2 subnets behind 'Inside' interface
I am hoping this is something trivial but am having some issues routing between two subnets behind a Cisco ASA 5510. Before I start I am aware this is less than optimal however at present we have no choice regarding this configuration.
So E0/1 is configured as the 'inside' interface with an address of 192.168.1.0/24. We also have another subnet on the inside; 192.168.15.0/24 (Accessible via router 192.168.1.180) which is configured with a static route to provide access. That router is directly connected to both subnets.
The following configuration is on the ASA:
ip address 18.104.22.168 255.255.255.248
ip address 192.168.1.254 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route inside 192.168.15.0 255.255.255.0 192.168.1.180 1
The confusing thing here is I can ping all interfaces and all devices local to those subnets (Trace route appears to check out etc) however I can do nothing else. I have a number of open ports on devices at the other end which are not visible however I can see nothing occurring on the firewall to block access.
Does anyone have any thoughts? This one has me bamboozled at the moment ...
The main problem with for example TCP connections is the fact that the ASA does not see the whole TCP connection negotiation.
Since you are running into this problem I presume the other LAN network is using the ASA as its gateway rather than the internal router? In this case when the host attempts to open the TCP connection it sends the TCP SYN packet to the ASA which then forwards this packet to the internal router and the internal router forwards this packet to the actual host in the other subnet. This host then replies with TCP SYN ACK and forwards this to the internal router which then forwards this packet directly to the host that is attempting to form the TCP connection. This host then finally responds with TCP ACK to the other host and sends this packet to the ASA and ASA drops the packet as its still expecting to see the TCP SYN ACK that now went directly to the host past the ASA.
In this situation I guess there are a few solution (of which some dont seem to be an option for you)
Move the internal router behind some other ASA interface. If no physical interfaces are available consider configuring Trunk
Have the LAN hosts use the internal router as their gateway. This probably causes unnecesary extra traffic on the LAN as everything would go through the router and then to the ASA. Then again we dont know where the routers default route is pointing, perhaps somewhere else than the ASA?
Configure TCP State Bypass on the ASA to avoid the ASA dropping the packets that dont match the normal TCP connection behaviour
I guess in your situation you would like to temporarily use the TCP State Bypass rather than make actual modifications to the existing network?
You should probably check the TCP State Bypass configuration from a Cisco document and apply it to your situation. It is pretty simple to configure.
Thanks for your detailed response, In the background I replicated the configuration on a non production system that was a bit quieter when I saw this:
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.100/3389 to 192.168.15.100/58305 flags SYN ACK on interface inside
Annoyingly I came to the same conclusion as yourself shortly after I posted :) But your reply has been a big help in filling in the blanks. Anyway for completeness (And anyone else who runs into this) I did the following:
access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0
match access-list tcp_bypass
set connection advanced-options tcp-state-bypass
set connection timeout idle 0:10:00
service-policy tcp_bypass_policy interface inside
And all is working expected. However I do need to work how how to do this pre 8.2 (The version in question is 7.2 I believe) so I'll move onto that now :)
I would suggest changing the "any" to the actual destination subnet. The other LAN subnet. Otherwise I guess this will affect ALL traffic from the LAN. Even to the external network.
As Karsten noted below, this is not an ideal solution and its actually disabling one important feature of the firewall. Best solution in these cases is to setup the network so that there are no secondary gateways inside one subnet.
I have not personally used this configuration in any production environment. Always gone with the option of changing the network setup. If its supported in 7.2 then thee configuration format should be identical to 8.2.
Hope this helps :)
Let us know if you get the setup to work on your actual network.
Please do remember to mark a reply as the correct answer if it answered your question and/or rate helpfull answers.
In a situation like this, the ASA should not be configured to be the default-gateway for your systems. Configure your internal systems in the 192.168.1.0/24 network to use the router at 192.168.1.180 as the default gateway. All other solutions will mess up the ASA with a painful NAT-configuration or disabled statefull inspection. That's really not what should be done.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...