cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1789
Views
13
Helpful
12
Replies

Routing issues with ASA 5520

talha_490
Level 1
Level 1

The detailed network diagram is attached. the default gateway of the inside servers is ASA 5520.

PROBLEM:

Traffic coming from XYZ Branch to the scorpio and alpha server when reach the server, they send back the packet to their gateway which is ASA 5520. traffic when coming to asa is dropped and not reaching back to XYZ LAN.

however following configuration tasks have been done on pix firewall.

1. the static route is configured on ASA 5520 that the traffic destined to the lan of XYZ site, the next hop will be 172.25.1.200 which is router fast ethernet interface.

2.the access-list is configured on the inside of pix firewall allowing all the traffic originating from inside and destined to the XYZ Branch LAN.

3. the nat 0 is configured for the traffic originating from insdie of pix firewall to the XYZ site LAN

Question:

what configuration task has to be configured on pix firewall or other devices to sort out this routing issue.

12 Replies 12

Fernando_Meza
Level 7
Level 7

Hi make sure you enable intra interface traffic

same-security-traffic permit intra-interface

I hope it helps .. please rate it if it does !!

this command i have already enabled. u can see the configuration

a.kiprawih
Level 7
Level 7

For scorpio and alpha servers, they cannot use ASA5520 as gateway as PIX not know & support traffic re-direction/re-routing like router. They should instead, point to Router's FastEthernet 172.25.1.200 as gateway.

BTW, do you need to allow traffic from XYZ to start/initiate connection to Inside servers (mail relay,DNS, web components server) or only Inside servers need to start the session?

As for additional configuration, make sure the router has route to Inside segment (192.168.1.0/24) via PIX Active IP Address (assuming PIX running Active/Standby).

HTH

AK

dear AK,

the session will be originated from xyz accessing the servers. moreover internet users are also accessing the scorpio and alpha entering through asa 5520.

well router has a default route poiting to the inside interface of pix firewall

s_bharath2
Level 1
Level 1

Hi,

I suspect anti spoofing problem.You can enable RPF with the following configuration command:

Firewall(config)# ip verify reverse-path interface if_name

Just for AK ..

what do you mean by .." For scorpio and alpha servers, they cannot use ASA5520 as gateway as PIX not know & support traffic re-direction/re-routing like router. They should instead, point to Router's FastEthernet 172.25.1.200 as gateway. ..?"

I am still thinking that the issue is the ASA unable to route the traffic back to the router on the same inside interface because the intra-interface feature is not enabled .. I am curious about what you said above but I am not very sure what you mean .. can you please clarify it ..?

dear fernando,

intra-interface command is already enable. you can go through the config.

Question:

what configuration task has to be configured on pix firewall or other devices to sort out this routing issue.

1. Configure your router (here we called Router X) hosting serial links to XYZ branch with default route to PIX/ASA inside interface of 172.25.1.1 or Active/Primary Firewall IP

ip route 0.0.0.0 0.0.0.0 172.25.1.1

2. Set gateway (GW) for Alpha, Scorpio and other server to Router X fastethernet on the same segment, which is 172.25.1.200

You can used 1 workstation to test this as well.

When traffic from XYZ branch hit Alpha, Scorpio & other servers, these servers are be able to reply back to XYZ hosts via their new gateway as Router X hosted and already know where to send this traffic to (exist in route table as well).

The initial problem happened when Firewall (PIX/ASA) was used as GW, the returned-traffic failed to reach XYZ destination as these servers point to Firewall to route the traffic. But since firewall does not support traffic re-routing (intelligently re-direct back to Router X) like router, it will just throw them to default route (internet router), which eventually being discarded.

When these servers or other inside hosts need to access internet [using nat (inside) 1 0.0.0.0 0.0.0.0], they will refer to Router X. Since Router X will not know the destination address (which can be any addresses on the Internet) and have no matches/entry in the routing table, it will send it out to its the default route, which is PIX/ASA Inside interface. PIX/ASA, in turn, is also have no knowledge of the address + no info/entry in the routing table, will send/throw it to its the default route, which is the Internet router. This is how the internal hosts eventually get connected to Internet, and at the same time, able to talk to XYZ branch.

You might need to review the access-list "acl-in" for any unwanted entries for previous setup/traffic flow.

The other things is, based on different security level on all of your interfaces (0,50,100), you do not need the "same-security-traffic permit inter-interface" & "same-security-traffic permit intra-interface" statement. This is only applicable is you have interfaces with same security level and need to allow them to talk to each other.

*same-security-traffic permit inter-interface - to allow interface with same security level to talk to each other. Denied by default.

*same-security-traffic permit intra-interface - lets traffic enter and exit the same interface. Denied by default. Useful for VPN traffic that enters an interface, but is then routed out the same interface.

Refer to:

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f0fb.html#wp1289167

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f70.html#wp1039276

I have similar setup with PIX 535 (redundant) which has been running fine till now.

HTH

AK

Just for fernando_meza@data3.com.au ..

(In an open forum like this, I normally don't argue or questioned opinion/ideas/suggestions from others, and will rather asked question to the question owner.)

The answer to your question, and if you understand PIX/ASA routing correctly, PIX/ASA do not support redirect/re-route or bounce traffic directed to their interface to other device's interface/address. All traffic directed to PIX/ASA must go/pass through the device. This is why I specifically suggested that scorpio and alpha servers should use router as gateway, not the ASA5520, to the question:

"Traffic coming from XYZ Branch to the scorpio and alpha server when reach the server, they send back the packet to their gateway which is ASA 5520. traffic when coming to asa is dropped and not reaching back to XYZ LAN."

The following references are among many good examples to be read on how routing is handled when you have routers and clients exists on the same PIX segment.You can find them in this forum as well. FYI, router normally used as gateway by host instead of Firewall due to their routing capabilities. Router, in-turn, will have another route/defaulte route to PIX.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00804619d8.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml

"Q. I recently added an inside router to connect a second inside network to my Cisco Secure PIX Firewall...."

And since your argument was on the intra-interface feature, can you now explained it in details? I might be wrong here, as we merely share and provide solution based on our experience/knowledge which migh not be relevant all the time. Hope you can provide good answer.

Awaiting for your reply.

Cheers!

AK

I see .. what you mean now .. My question is not intended to create an argument at all .. it is just a question ..

In regards to the issue .. I agree the issue will be resolved by changing the Default gateway on those servers ( or alternatively adding static routes for the XYZ on the servers ). I agree the issue is not the intra-interface feature, however I think the fact that the ASA is dropping the returned packets from the servers is because there is no an initial request on its statefull table as the initial packet is not rteaching the ASA. i.e the ASA never sees the TCP SYN originated from XYZ towards the servers but the TCP SYN/ ACK instead and hence the ASA drops it.

Hi,

in case servers are configurable, why not making router as their gateway for reaching just the branch segment and keeping firewalls as default gateway?

Otherwise: ICMP-redirect by router obviously instructs servers to use firewalls directly, while accessing the internet.

I've faced this problem too, so any possible parameter to enable on the firewall to redirect the return traffic back to the router. If the default gw and topology can not be changed.

Thanks.

Tony

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: