We're trying to decipher/improve a network infrastructure which we've inherited from a previous admin who could best be described as "keen, but with a complete disregard for documentation".
Whilst this is ongoing, we need to permit remote access for an external third party. External connections come in via a low-end Netgear firewall, to the server that needs to be accessed, and then out again via an ASA. Clearly this is asymmetric routing, which I've got a handle on when it comes to ASAs in a group/failover setup, but the traffic is coming from a non-ASA.
We know this is possible because that's exactly how we are accessing these servers ourselves, so our IP address has been set up to do this properly. We can see the "Built outbound TCP connection" entry for our remote IP address when we connect, but when we connect from another remote IP address we see the "Deny TCP (no connection)" entries.
Our external IP address seems to have been explicitly permitted to go this asymmetric route, but so far we've not been able to find out where. How do we go about adding other addresses to this capability?
The external address being connected to points to the SOHO firewall and NAT points it to the server. The server's default gateway is the ASA. When we connect from our office the traffic is allowed through. When we connect from any other site/address the traffic is blocked at the ASA with "Deny TCP (no connection)" log entries. Our office IP address has been added somewhere in the ASA config to permit the traffic to pass, but I cannot for the life of me find it.
The simple fix would be to reassign the SOHO firewall as the default gateway for the server, but there are other reasons for not doing that (partly that it will be removed as part of an infrastructure reorg). The longer term aim is to have all traffic going via the ASA, but for the moment we just need to get this issue fixed.
This site needs a "face palm" smiley. I've been over-thinking it. The previous guy had taken the quick and dirty fix of adding a persistent route to each of the internal servers so that if accessed from permitted external addresses the default gateway was the SOHO firewall. It's all working fine now that I've added in the new addresses on the server. Now we just need to work out how to tidy the infrastructure up and do it properly.
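The fix described above (a host-specific route per permitted external address, pointing at the SOHO firewall so the reply leaves the way the request came in, while everything else still defaults to the ASA) as an added example; this is not code from the thread. The inside address of the Netgear (192.168.1.1) and the permitted external addresses (TEST-NET ranges) are assumptions, as is a Linux server using iproute2; the Windows equivalent is emitted alongside for reference. Note that this only works for a known list of addresses: the ASA drops with "Deny TCP (no connection)" because it never saw the SYN for that flow, so any address without a route is still blocked.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates per-host routes that send
# replies to a few permitted external addresses via the SOHO firewall instead of
# the server's default gateway (the ASA), which otherwise drops the unseen flow.

SOHO_GW="${SOHO_GW:-192.168.1.1}"                 # assumption: inside address of the Netgear
PERMITTED="${PERMITTED:-203.0.113.10 198.51.100.25}"  # assumption: permitted external addresses

# valid_ipv4 ADDR: true if ADDR is a dotted quad with four octets in 0..255.
# Rejects anything else so a bad entry cannot be pasted into a shell command.
valid_ipv4() {
  case "$1" in *[!0-9.]*|"") return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
}

# route_cmd ADDR GW: print the iproute2 command for a /32 route to ADDR via GW.
# 'replace' makes the script idempotent on re-runs.
route_cmd() {
  valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
  printf 'ip route replace %s/32 via %s\n' "$1" "$2"
}

# win_route_cmd ADDR GW: the equivalent persistent (-p) route on a Windows server.
win_route_cmd() {
  valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
  printf 'route -p ADD %s MASK 255.255.255.255 %s\n' "$1" "$2"
}

# build_routes: one route command per permitted address; fails on any bad entry
# instead of emitting a partial set.
build_routes() {
  for a in $PERMITTED; do
    route_cmd "$a" "$SOHO_GW" || { echo "bad address in PERMITTED: $a" >&2; return 1; }
  done
}

# build_windows_routes: same list, Windows syntax, for servers that are not Linux.
build_windows_routes() {
  for a in $PERMITTED; do
    win_route_cmd "$a" "$SOHO_GW" || { echo "bad address in PERMITTED: $a" >&2; return 1; }
  done
}

# Usage: review the output, then apply as root:  PERMITTED="..." ./routes.sh | sudo sh
if [ "${0##*/}" = "routes.sh" ]; then
  build_routes
fi
```

On Linux these routes are not persistent across reboots by themselves; how to persist them depends on the distribution (netplan, NetworkManager, ifupdown), so keep the address list in one place and re-apply it from there. On Windows, `route -p` writes the route to the registry and it survives reboots, which matches the "persistent route" the previous admin used.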
Hey, great to see that you got things up and working. I also want to apologize for not getting back to you, but my weekend started this Friday and I had a personal agenda set up. Hopefully, if you need further assistance, you can still think of the forum as a helping hand.