09-10-2013 01:14 AM - edited 03-11-2019 07:36 PM
Good day!
Can anyone please give me some advice on how to solve this problem. In our topology I've
This is tunnel topology
(192.168.1.0/24) HQ with 2911 (GRE TUNNEL) (10.10.100.1) ---- (GRE TUNNEL) (10.10.100.1) Remote Office with 2901 (10.20.36.0/24)
Also in the remote office I've an ASA5505, which is the default gateway for devices in the remote office. Routing is OK between offices, because ICMP goes without a problem. But when I try to SSH from HQ to the remote office (other devices), the session doesn't establish.
I've entered this command
same-security-traffic permit intra-interface
but nothing happens. Don't know where the problem can be. Also I've applied this ACL -
access-list ALLOW_LAN extended permit ip any any
to the inside interface, but it still didn't solve the problem.
Can you point me to where the problem can be?
09-15-2013 08:56 AM
Hi,
Seems to me that you have asymmetric routing. This will essentially result in the 10.20.36.0/24 site ASA not seeing the complete TCP conversation between the hosts on the 2 sites. This will mean that the ASA will block these TCP connections because it has not seen all the packets when the TCP connection is brought up.
What I mean is that when a host on network 192.168.1.0/24 connects to network 10.20.36.0/24 with a TCP connection the following happens
One solution would be to configure TCP State Bypass, but to me this is more of a workaround which could instead be handled by modifying the whole network layout.
Here is a link to a document describing it
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
I would rather change the network setup so that I would connect the router 10.20.36.2 to the ASA firewall on that site. Naturally you would have to change the network between the router and the ASA to something else. What this would do is that any traffic between networks 192.168.1.0/24 and 10.20.36.0/24 would always have to pass the ASA, and you wouldn't run into the problem I mentioned above. This would naturally also give you the chance to control the traffic between the sites better.
Hope this helps
- Jouni
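To make the asymmetric-routing explanation above concrete, here is an added toy model (not from the thread, not Cisco code) of a stateful firewall's connection table. It replays the thread's topology: HQ-to-remote packets ride the GRE tunnel straight to the 2901 and never touch the ASA, while the remote host's replies follow its default gateway, the ASA. The host addresses 192.168.1.10 and 10.20.36.10 and the packet trace are constructed for illustration. The `tcp_state_bypass` flag models what the linked Cisco document configures with `set connection advanced-options tcp-state-bypass` in a service policy; the ICMP case models the thread's "permit ip any any" ACL with no ICMP inspection, which is why ping works while TCP does not.

```python
# Added example (not from the thread): toy stateful-inspection model of the
# remote-office ASA sitting on only one half of an asymmetric path.
from dataclasses import dataclass

HQ_HOST = "192.168.1.10"      # assumed host in the HQ LAN (192.168.1.0/24)
REMOTE_HOST = "10.20.36.10"   # assumed host in the remote LAN (10.20.36.0/24)


@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp" or "icmp"
    src: str
    dst: str
    sport: int     # 0 for ICMP
    dport: int     # 0 for ICMP
    flags: str     # TCP: "SYN", "SYN-ACK", "ACK", "PSH-ACK"; ICMP: "echo-reply"


class ToyFirewall:
    """Minimal model of a stateful firewall.

    TCP: a connection entry is created only when a SYN is seen; any other
    segment with no matching entry is dropped ("no connection") unless
    tcp_state_bypass is on for that flow.
    ICMP: with no ICMP inspection configured, the reply is checked only
    against the interface ACL, which in the thread is 'permit ip any any'.
    """

    def __init__(self, tcp_state_bypass=False):
        self.tcp_state_bypass = tcp_state_bypass
        self.conns = set()
        self.log = []

    @staticmethod
    def _key(p):
        # direction-agnostic flow key so the reply matches the original SYN
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def inspect(self, p):
        if p.proto == "icmp":
            self.log.append(f"ACL permit ip any any: {p.flags} {p.src} -> {p.dst}")
            return True
        key = self._key(p)
        if p.flags == "SYN":
            self.conns.add(key)
            self.log.append(f"Built TCP connection {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return True
        if key in self.conns:
            return True
        if self.tcp_state_bypass:
            # bypass: create the entry from whatever segment arrives first
            self.conns.add(key)
            self.log.append(f"Bypass: built connection on {p.flags} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return True
        self.log.append(f"Deny TCP (no connection) {p.src}/{p.sport} -> {p.dst}/{p.dport} flags {p.flags}")
        return False


def ssh_session_through_asa(tcp_state_bypass=False):
    """Replay the SSH handshake from the thread; returns (session_ok, asa_log).

    Constructed trace: forward-direction packets (HQ -> remote) are delivered
    by the 2901 and bypass the ASA; reverse-direction packets go via the ASA.
    """
    fw = ToyFirewall(tcp_state_bypass)
    trace = [  # (packet, does this packet traverse the ASA?)
        (Packet("tcp", HQ_HOST, REMOTE_HOST, 50000, 22, "SYN"), False),
        (Packet("tcp", REMOTE_HOST, HQ_HOST, 22, 50000, "SYN-ACK"), True),
        (Packet("tcp", HQ_HOST, REMOTE_HOST, 50000, 22, "ACK"), False),
        (Packet("tcp", REMOTE_HOST, HQ_HOST, 22, 50000, "PSH-ACK"), True),  # SSH banner
    ]
    delivered = [fw.inspect(p) if via_asa else True for p, via_asa in trace]
    return all(delivered), fw.log


def icmp_echo_through_asa():
    """The echo request bypasses the ASA; the reply passes on the ACL alone."""
    fw = ToyFirewall()
    reply = Packet("icmp", REMOTE_HOST, HQ_HOST, 0, 0, "echo-reply")
    return fw.inspect(reply)


if __name__ == "__main__":
    for bypass in (False, True):
        ok, log = ssh_session_through_asa(bypass)
        print(f"tcp-state-bypass={bypass}: session {'OK' if ok else 'FAILS'}")
        for line in log:
            print("  ", line)
    print("icmp echo works:", icmp_echo_through_asa())
```

Without bypass the ASA drops the SYN-ACK it never saw a SYN for, which is exactly the "ping works, SSH hangs" symptom in the question; with bypass the flow is accepted on its first segment. The model also shows why Jouni prefers the re-cabling: once both directions traverse the ASA, full stateful inspection works without weakening it.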
09-10-2013 09:11 AM
Hello,
From where to where are you trying to connect?
Provide a detailed diagram specifying source IP addresses and destination IP addresses.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-13-2013 06:57 AM
Here is my topology. So, where can the problem be? Can anyone tell me please. ICMP packets from 192.168.1.0/24 to 10.20.36.0 go without any problem, but all TCP, UDP traffic doesn't...
09-23-2013 05:51 AM
Yes, you are right. I've enabled TCP State Bypass and applied the rule to the internal hosts, and the problem was solved.
Thank you