Cisco Support Community
New Member

In one firewall and out the other...

We're trying to decipher/improve a network infrastructure which we've inherited from a previous admin who could best be described as "keen, but with a complete disregard for documentation".

Whilst this is ongoing, we need to permit remote access for an external third party. External connections come in via a low-end Netgear firewall to the server needing to be accessed, and then out again via an ASA. Clearly this is asymmetric routing, which I've got a handle on when it comes to ASAs in a group/failover setup, but the traffic is coming from a non-ASA.

We know this is possible because that's exactly how we are accessing these servers ourselves, so our IP address has been set up to do this properly. We can see the "Built outbound TCP connection" entry for our remote IP address when we connect, but when we connect from another remote IP address we see the "Deny TCP (no connection)" entries.

Our external IP address seems to have been explicitly permitted to go this asymmetric route, but so far we've not been able to find out where. How do we go about adding other addresses to this capability?

Thanks in advance.

4 REPLIES
Silver


TCP bypass would be an option, but I need to understand how the network is routed and actually how you are expecting the ASA to route back.

Value our effort and rate the assistance!

New Member


Hopefully this quick and nasty diagram will help.

The external address being connected to points to the SOHO firewall and NAT points it to the server. The server's default gateway is the ASA. When we connect from our office the traffic is allowed through. When we connect from any other site/address the traffic is blocked at the ASA with "Deny TCP (no connection)" log entries. Our office IP address has been added somewhere in the ASA config to permit the traffic to pass, but I cannot for the life of me find it.

The simple fix would be to reassign the SOHO firewall as the default gateway for the server, but there are other reasons for not doing that (partly that it will be removed as part of an infrastructure reorg). The longer term aim is to have all traffic going via the ASA, but for the moment we just need to get this issue fixed.

New Member


This site needs a "face palm" smiley. I've been over-thinking it. The previous guy had taken the quick and dirty fix of adding a persistent route to each of the internal servers so that if accessed from permitted external addresses the default gateway was the SOHO firewall. It's all working fine now that I've added in the new addresses on the server. Now we just need to work out how to tidy the infrastructure up and do it properly.

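The fix described in the post above (a persistent host route per permitted external address, pointing at the SOHO firewall instead of the ASA default gateway) and the "Deny TCP (no connection)" symptom are easy to see in a small model. The following is an added example, not code from the thread or from Cisco: it models the ASA as a connection-tracking firewall that only forwards TCP segments belonging to a connection it saw being built, the server as a longest-prefix-match routing table, and then generates the host-route commands for new addresses. All addresses, the service port and the host names are constructed assumptions (RFC 5737 documentation ranges outside, RFC 1918 inside); the log text is modelled on the ASA messages the poster quoted.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not the poster's real addressing):
#   client -> Netgear SOHO firewall (inbound NAT to SERVER) -> SERVER
#   SERVER's default gateway is the ASA, so replies leave via a box that never saw the SYN.
ASA_INSIDE = "10.0.0.1"          # assumption: ASA inside interface / server default gateway
SOHO_INSIDE = "10.0.0.2"         # assumption: SOHO firewall LAN-side address
SERVER = "10.0.0.50"             # assumption: server behind the SOHO firewall's NAT
SERVICE_PORT = 22                # assumption: the remote-access service being reached
OFFICE_IP = "198.51.100.7"       # constructed stand-in for the poster's office address
THIRD_PARTY_IP = "203.0.113.10"  # constructed stand-in for the new external party


class StatefulFirewall:
    """Minimal ASA-like connection table: a segment is forwarded only if the firewall
    saw the connection being built (the bare SYN) or the segment matches a known conn."""

    def __init__(self):
        self.conns = set()
        self.log = []

    def forward(self, src, sport, dst, dport, flags):
        key = frozenset({(src, sport), (dst, dport)})
        if flags == {"SYN"}:
            self.conns.add(key)
            self.log.append(f"Built TCP connection for {src}:{sport} -> {dst}:{dport}")
            return True
        if key in self.conns:
            return True
        # Shape modelled on the ASA 106015 syslog the poster saw for non-office addresses.
        self.log.append(f"Deny TCP (no connection) from {src}/{sport} to {dst}/{dport} "
                        f"flags {' '.join(sorted(flags))}")
        return False


class ServerHost:
    """Longest-prefix-match routing table: a /32 host route beats the 0.0.0.0/0 default."""

    def __init__(self, routes):
        self.routes = sorted(((ip_network(p), gw) for p, gw in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, dst):
        addr = ip_address(dst)
        for net, gw in self.routes:
            if addr in net:
                return gw
        raise LookupError(f"no route to {dst}")


def simulate(client_ip, host_routes=()):
    """Inbound SYN arrives through the SOHO firewall's NAT (the ASA never sees it); the
    server's SYN/ACK follows the server's routing table. Returns (handshake_ok, asa_log)."""
    asa = StatefulFirewall()
    server = ServerHost([("0.0.0.0/0", ASA_INSIDE)]
                        + [(f"{ip}/32", SOHO_INSIDE) for ip in host_routes])
    gateway = server.next_hop(client_ip)
    if gateway == ASA_INSIDE:
        # Reply hits a firewall with no state for this flow -> denied.
        ok = asa.forward(SERVER, SERVICE_PORT, client_ip, 51000, {"SYN", "ACK"})
    else:
        ok = True  # SOHO firewall holds the NAT/state entry from the inbound SYN
    return ok, asa.log


def persistent_route_commands(client_ips, gateway=SOHO_INSIDE, os="windows"):
    """The fix from the thread, generated per permitted external address: a host route on
    the server so replies to that address retrace the inbound path via the SOHO firewall.
    Command syntax is an assumption about the server OS; the thread does not name it."""
    if os == "windows":
        return [f"route -p ADD {ip} MASK 255.255.255.255 {gateway}" for ip in client_ips]
    return [f"ip route add {ip}/32 via {gateway}" for ip in client_ips]


if __name__ == "__main__":
    for ip in (OFFICE_IP, THIRD_PARTY_IP):
        ok, log = simulate(ip, host_routes=[OFFICE_IP])
        print(ip, "handshake completed" if ok else "blocked", log)
    for cmd in persistent_route_commands([THIRD_PARTY_IP]):
        print(cmd)
```

Two caveats worth keeping in mind with this workaround. First, the host routes mean the server's replies to those addresses never pass the ASA at all, so for that traffic the SOHO firewall is the only inspection point. Second, the "TCP bypass" the earlier reply mentions is the ASA's TCP State Bypass feature (a policy-map class with `set connection advanced-options tcp-state-bypass`); it would let the ASA forward the SYN/ACK without a connection entry, but it does so by switching off stateful TCP checking for the matched traffic, which is why the asymmetric design is a temporary measure rather than a fix.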
Silver


Hey, great to see that you got things up and working. I also want to apologize for not getting back to you, but my weekend started this Friday and I had a personal agenda set up. Hopefully, if you need further assistance, you can still think of the forum as a helping hand.
