Issue with same interface ASA

Dmitri Popkov
Level 1

Good day!

Can anyone please give me some advice on how to solve this problem. In our topology i've

This is tunnel topology

(192.168.1.0/24) HQ with 2911 (GRE TUNNEL) (10.10.100.1) ---- (GRE TUNNEL) (10.10.100.1) Remote Office with 2901 (10.20.36.0/24)

Also in the remote office I've an ASA5505, which is the default gateway for devices in the remote office. Routing is OK between the offices, because ICMP goes through without a problem. But when I try to SSH from HQ to the remote office (to other devices), the session doesn't establish.

I've entered this command:

same-security-traffic permit intra-interface

but nothing happens. I don't know where the problem can be; I've also applied this ACL:

access-list ALLOW_LAN extended permit ip any any

to the inside interface, but it still didn't solve the problem.

Can you point me to where the problem can be?



Accepted Solution

Hi,

Seems to me that you have asymmetric routing. This will essentially result in the 10.20.36.0/24 site ASA not seeing the complete TCP conversation between the hosts on the 2 sites. This means that the ASA will block these TCP connections because it has not seen all the packets when the TCP connection is brought up.

What I mean is that when a host on network 192.168.1.0/24 connects to network 10.20.36.0/24 with a TCP connection, the following happens:

  • Host 192.168.1.100 connects to host 10.20.36.100 by sending a TCP SYN
  • The TCP SYN goes through the sites and arrives on the other site's router, which then forwards it directly to host 10.20.36.100
  • Host 10.20.36.100 sends a TCP SYN ACK to its default gateway (ASA) because the destination is in a remote network (a network other than the one where this host resides)
  • The ASA sees the TCP SYN ACK from host 10.20.36.100, but as it has not seen the original TCP SYN from host 192.168.1.100, it drops the packet and the TCP connection never forms.

One solution would be to configure TCP State Bypass, but to me this is more of a workaround, which could instead be handled by modifying the whole network layout.

Here is a link to a document describing it:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

I would rather change the network setup so that I would connect the router 10.20.36.2 to the ASA firewall on that site. Naturally you would have to change the network between the router and the ASA to something else. What this would do is that any traffic between networks 192.168.1.0/24 and 10.20.36.0/24 would always have to pass the ASA, and you wouldn't run into the problem I mentioned above. This would naturally also give you the chance to control the traffic between the sites better.

Hope this helps

- Jouni
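To make the failure mode above concrete, here is a small added example (not code from the post, and not a Cisco product implementation) that models a minimal stateful firewall: TCP state is created only by a SYN the firewall sees, and later segments of a connection it never saw open are dropped, while ICMP is passed statelessly, as when no ICMP inspection is configured. The host addresses, ports and hop lists are constructed; the two layouts correspond to the current topology and to the suggested one where the router connects through the ASA, and the bypass prefix stands in for a TCP State Bypass rule.

```python
# Added example (not from the post or any Cisco product): a minimal stateful
# firewall model. Addresses, ports and hop lists below are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # "SYN", "SYN-ACK" or "ACK" for tcp
    def conn_key(self):     # identical for both directions of one connection
        return (self.proto,) + tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))

@dataclass
class StatefulFirewall:
    bypass_nets: tuple = () # address prefixes exempt from TCP state checks
    conns: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    def forward(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        if pkt.proto != "tcp":  # ICMP modelled statelessly (no inspect icmp): ping works
            return True
        if any(pkt.src.startswith(n) or pkt.dst.startswith(n) for n in self.bypass_nets):
            return True         # TCP State Bypass: no connection state required
        if pkt.flags == "SYN":
            self.conns.add(pkt.conn_key())  # state exists only for connections opened via the ASA
            return True
        if pkt.conn_key() in self.conns:
            return True
        self.dropped.append(pkt)            # out-of-state segment, e.g. SYN-ACK without its SYN
        return False

def deliver(fw, pkt, path):
    # Walk the hop list; only the ASA hop can drop the packet.
    return all(fw.forward(pkt) for hop in path if hop == "ASA")

def ssh_handshake(fw, fwd_path, ret_path):
    """HQ host opens SSH to a remote host: SYN and ACK go out, SYN-ACK comes back."""
    a, b = ("192.168.1.100", 50000), ("10.20.36.100", 22)
    steps = ((Packet("tcp", *a, *b, "SYN"), fwd_path),
             (Packet("tcp", *b, *a, "SYN-ACK"), ret_path),
             (Packet("tcp", *a, *b, "ACK"), fwd_path))
    return all(deliver(fw, p, path) for p, path in steps)

# Current layout: the 2901 hands the SYN straight to the host; the reply leaves via the ASA.
ASYM_FWD, ASYM_RET = ["2911", "GRE", "2901", "host"], ["host", "ASA", "2901", "GRE", "2911"]
# Suggested layout: the router connects to the ASA, so both directions cross it.
SYM_FWD, SYM_RET = ["2911", "GRE", "2901", "ASA", "host"], ["host", "ASA", "2901", "GRE", "2911"]
```

Running `ssh_handshake` over the asymmetric paths leaves exactly one entry in `dropped`, the SYN-ACK, which is the drop the thread describes; the symmetric paths and the bypass prefix both let the handshake complete.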


4 Replies

Julio Carvajal
VIP Alumni

Hello,

From where to where are you trying to connect?

Provide a detailed diagram specifying source IP addresses and destination IP addresses.

For more information about Core and Security Networking, follow my website at http://laguiadelnetworking.com

Any questions, contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here is my topology. So, where can the problem be? Can anyone tell me, please? ICMP packets from 192.168.1.0/24 to 10.20.36.0 go through without any problem, but all TCP and UDP traffic doesn't...


Yes, you are right. I've enabled TCP State Bypass and applied the rule to the internal hosts, and the problem was solved.

Thank you
