Re: Inbound and outbound traffic at the same interface - Page 2

elecorbalan · ‎11-24-2008

Hello,

I pass default traffic from inside to outside interface. Also I have to pass inside traffic back to inside interface to get some servers. I have configured default route to outside and a route to this servers subnet to inside.

route outside 0.0.0.0 0.0.0.0 --.74.49 1

route inside --.89.192 255.255.255.192 10.0.0.1 1

I have also configured

same-security-traffic permit intra-interface

clear xlate

But traffic icmp does not pass through and I can ping the server from the firewall.

Do I forget any command?

ajanowska1 · ‎12-10-2008

Did you worked out solution, I am working on similar scenario, my inbound traffic is on same interface but the subnets are not off the firewall they are routed through firewall so the gateway is same for both subnets.

Thanks

husycisco · ‎12-10-2008

Hello Elena,

Please read my answer and description about your issue in following link.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc28b9a

Regards

ajanowska1 · ‎12-10-2008

Thanks,

We actually don't use nat and have no nat controll so I think I found solution by "same-security traffic permit" command and reviewing the access list for that interface.

Anna

SOL10 · ‎12-12-2008

hi hussycisco

im having a similar issue where i get the error "Flow is a loopback" although i have applied same-security-traffic permit intra-interface command.

here are the no nat statements:

nat (inside) 0 access-list no-nat

access-list no-nat line 11 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat line 12 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

here is the static route:

S 192.168.1.0 255.255.255.0 [1/0] via 172.16.1.1, inside (172.16.1.1 is ip of the ISA servers outside interface)

please find attached the network diagram.

Regards

husycisco · ‎12-12-2008

Hello Suleiman,

I am assuming you get this "flow is a loopback" error when you try to reach webserver from 192.168.1.97 or vice versa. This issue is the same with the one I described in above link. Thats why you shouldnt use exempt nat, assuming that your webserver's gateway is ASA. Please post your entire NAT and global statemens in firewall then let me advise accordingly.

But for security best practises, I highly recommend you to move webserver to another interface of ASA like DMZ, if you dont have a physical interface for achieving this, create a virtual sub-interface.

Regards

SOL10 · ‎12-12-2008

hi husayn

yes it is when i try to access webserver from my pc (192.168.1.97). As per diagram the 192.168 network is behind the ASA and the 172.16. in the perimeter between ASA and ISA. the default gateway for weberservers is inside interface of ASA 172.16.1.254 but for traffic to pass between webservers and 192.168 N/W there is a static route on webservers as follows:

192.168.1.0 255.255.255.0 via 172.16.1.1 (ISA server outside interface) which works as present but i want to move away from this.

here are the nat statements and global

global (outside) 1 81.144.x.x netmask 255.255.255.240

nat (inside) 0 access-list no-nat

nat (inside) 1 172.16.1.0 255.255.255.0

nat (inside) 1 192.168.1.0 255.255.255.0

access-list no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

S 0.0.0.0 0.0.0.0 [1/0] via 81.144.x.x, outside

S 192.168.1.0 255.255.255.0 [1/0] via 172.16.1.1, inside

THanks

husycisco · ‎12-12-2008

Suleiman,

What is the model of your ASA?

Do you have a free available physical interface and adequate license to run it?

Does your license support virtual interfaces?

Is there a switch connecting webserver+ASA inside interface and ISA?

Are there any other clients in between ASA and ISA other than webserver?

SOL10 · ‎12-12-2008

husayn,

its an ASA5510

no free interfaces available and no support for virtual interfaces

yes there is a switch (3com)

No otther clients between asa and ISA.

What are you sugesting i should do? please bear in mind that we cant move from the physical set up.

Regards

husycisco · ‎12-12-2008

Suleiman,

The simplest solution would be the following

In command prompt of Webserver, enter the following command

route add -p 192.168.1.0 mask 255.255.255.0 172.16.1.1

By above command, Webserver will still be protected from outside (internet) by ASA, but traffic wont pass through ASA when traffic is between inside network and Webserver. Thus, ISA will be responsible about the security between Webserver and inside network, not ASA. So I suggest creating an ACL in ISA blocking any traffic initiated by Webserver, but letting the return traffic of 192.168.1.0/24 network pass statefully.

I think there is an alternative scruffy workaround which lets ASA play in, but I suggest the one above, cleaner.

Regards

SOL10 · ‎12-12-2008

husayn

thanks.

thats what ive already got in place at the moment, hence wanting to move away from that. Am i right in saying that if there were a router between ASA and ISA this would be possible?

Regards

husycisco · ‎12-12-2008

Suleiman,

As I previously mentioned, it is possible, but a scruffy workaround, I dont think that takes place in documentations. Here is what you have to do.

no access-list no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 host 172.16.1.136

no access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list PNat permit ip host 172.16.1.136 192.168.1.0 255.255.255.0

static (inside,inside) 172.16.1.140 access-list PNat

Now inside hosts can connect webserver at 172.16.1.140 ip address. If a host record exists in DNS server for webserver, change its IP address from 172.16.1.136 to 172.16.1.140

Dont forget to remove the route you manually entered in webserver