07-07-2013 12:54 PM - edited 03-11-2019 07:08 PM
I have a network that is connected via a VLAN configuration 10.x.x.x/24 that has a gateway of 10.x.x.x/16. I put a route on the firewall and I can ping the /24 network with no problem, but I believe I need an ACL on the firewall to allow traffic from 10.x.x.x/24 to come back to the internal 10.x.x.x/16 network via the firewall? The gateway and the firewall share the same network subnet. Could someone verify, as I am slated to go to ASA school but am learning the details in the meantime.
My Firewall is running 8.4(5).
Any help would be greatly appreciated.
Thank you Carlos
07-07-2013 01:00 PM
Hi,
I am afraid I don't quite understand your setup.
And since we are talking about private range IP addresses/subnets there is really no reason not to tell them here. Especially when we talk about routing. Depending on the network addresses you might have overlapping networks even.
Then again I am not sure how the 2 networks are connected to the ASA? Are they behind different interfaces of the ASA?
Could you perhaps share some configurations?
- Jouni
07-07-2013 01:19 PM
Hello Jouni,
Sorry, I wrote this request without details. Here is my configuration. My Firewall ASA has an address of 10.1.1.1/16. My internal LAN is 10.1.0.0/16. I have a gateway on the same net of 10.1.1.250/16 that is connected to the same switch as my Firewall. This gateway 10.1.1.250/16 is connected to a switch with VLAN configuration that hosts a 10.6.1.0/24 network with gateway 10.6.1.1/24. I have placed a route on the firewall that routes 10.6.1.0/24 via 10.1.1.250/16. I can ping and receive a reply from my Mitel VOIP system at 10.6.1.250/24, but I cannot pull up its website on my PC that also sits on the 10.1.0.0/16. I had it working with my SonicWall that we have finally retired.
That being said, do I need an ACL on the firewall to allow traffic back from the 10.6.1.0/24 to properly talk to the 10.1.0.0/16? Or do I need a route?
As always appreciate your help.
Carlos
07-07-2013 01:45 PM
Assuming the ASA is the default gateway for your PC, you need to add the line in your ASA:
same-security-traffic permit intra-interface
07-14-2013 04:15 PM
I have this configuration in. The issue is I have an asymmetric routing problem. I've been looking at articles. I have placed these configurations in and I am still not able to connect PC 2 to the server. What am I missing?
route inside 10.6.1.0 255.255.255.0 10.1.1.250
access-list tcp_bypass_VoIP_Net extended permit ip 10.1.0.0 255.255.0.0 10.6.1.0 255.255.255.0
class-map class_tcp_bypass_VoIP_Net
match access-list tcp_bypass_VoIP_Net
policy-map tcp_bypass_policy
class class_tcp_bypass_VoIP_Net
set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside
07-14-2013 04:41 PM
I don't believe your service-policy is necessary.
Have you applied the same-security line I suggested above?
The other option would be a host route in the server for the 10.6.1.0/24 network. Tell it to use the ProCurve interface of 10.1.1.250.
07-14-2013 04:53 PM
Hello Marvin,
Yes, the same-security line has been in place for a while. I have the route in place for the 10.1.0.0/16 network to use the 10.6.1.250 gateway on the ASA. It works fine. The issue is when I try to access anything on the 10.1.0.0/16 network from PC 2, I cannot get anywhere. I've had Cisco technical support helping, but we are all hitting a wall on this. There is something with the ASA and how it handles the SYN with asymmetrical routing that I am having challenges with. Any suggestions would be appreciated.
Thank you
Carlos
07-14-2013 04:58 PM
Hmm yes I could see that might well be a problem.
Since the ProCurve sees the 10.1.0.0/16 as connected, it will normally just ARP for hosts when it has a packet to forward onwards to a destination in that network. You could put a static route in the ProCurve for your server's host address to go via the ASA inside interface, since a /32 static route is preferred over the /16 connected route. That would make your routing symmetric.
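To make the two suggestions in this thread concrete, here is an added example that is not part of Marvin's or Carlos's posts. It shows the /32 static route on the ProCurve (the fix for the asymmetric path: the ProCurve will then send server-bound packets to the ASA instead of ARPing for the server directly), the equivalent host route on the server itself, and the ASA commands used to confirm that the drops are caused by the SYN/ACK arriving without a matching SYN. The server address 10.1.1.50 and the ASA interface name inside are assumptions; the other addresses are the ones given in the thread.

```text
! ProCurve (10.1.1.250): prefer the ASA for traffic to the server (assumed address 10.1.1.50).
! A /32 static route wins over the connected 10.1.0.0/16, so replies to the server cross the ASA
! and the ASA sees both directions of every TCP connection.
ip route 10.1.1.50 255.255.255.255 10.1.1.1

! Alternative (Marvin's other suggestion): a host route on the server instead of on the switch.
! Windows:  route -p add 10.6.1.0 mask 255.255.255.0 10.1.1.250
! Linux:    ip route add 10.6.1.0/24 via 10.1.1.250

! ASA 8.4(5): route the VoIP subnet via the ProCurve and allow the hairpin on the inside interface.
route inside 10.6.1.0 255.255.255.0 10.1.1.250
same-security-traffic permit intra-interface

! Verification on the ASA: with asymmetric routing, the conn table has no entry for the flow
! and the drop counters show packets that were the first of a TCP flow but were not SYNs.
show conn address 10.6.1.250
show asp drop
```

Once the /32 route (or the server host route) is in place, both the SYN and the SYN/ACK pass the ASA, the connection appears in show conn, and the tcp-state-bypass policy from the earlier post is no longer needed and can be removed.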