I have a network that is connected via a VLAN configuration 10.x.x.x/24 that has a gateway of 10.x.x.x/16. I put a route on the firewall and I can ping the /24 network with no problem, but I believe I need an ACL on the firewall to allow traffic from 10.x.x.x/24 to come back to the internal 10.x.x.x/16 network via the firewall? The gateway and the firewall share the same network subnet. Could someone verify, as I am slated to go to ASA school but am learning the details in the meantime.
And since we are talking about private range IP addresses/subnets there is really no reason not to tell them here. Especially when we talk about routing. Depending on the network addresses you might have overlapping networks even.
Then again I am not sure how the 2 networks are connected to the ASA? Are they behind different interfaces of the ASA?
Sorry, I wrote this request without details. Here is my configuration. My firewall ASA has an address of 10.1.1.1/16. My internal LAN is 10.1.0.0/16. I have a gateway on the same net of 10.1.1.250/16 that is connected to the same switch as my firewall. This gateway 10.1.1.250/16 is connected to a switch with a VLAN configuration that hosts a 10.6.1.0/24 network with gateway 10.6.1.1/24. I have placed a route on the firewall that routes 10.6.1.0/24 via 10.1.1.250/16. I can ping and receive a reply from my Mitel VOIP system at 10.6.1.250/24, but I cannot pull up its website on my PC that also sits on the 10.1.0.0/16. I had it working with my SonicWall that we have finally retired.
That being said do I need an ACL to allow traffic back from the 10.6.1.0/24 to properly talk to the 10.1.0.0/16 on the firewall. Or do I need a route.
I have this configuration in. The issue is I have an asymmetric routing problem. I've been looking at articles. I have placed these configurations in and I am still not able to connect PC 2 to the server. What am I missing?
! Route for the VoIP subnet via the 10.1.1.250 gateway, as described above.
! Interface name "inside" is assumed; the original post showed only a partial route line.
route inside 10.6.1.0 255.255.255.0 10.1.1.250
! ACL matching LAN -> VoIP subnet traffic (intended for TCP state bypass).
access-list tcp_bypass_VoIP_Net extended permit ip 10.1.0.0 255.255.0.0 10.6.1.0 255.255.255.0
Yes, the same-security line has been in place for a while. I have the route in place for the 10.1.0.0/16 network to use the 10.6.1.250 gateway on the ASA. It works fine. The issue is when I try to access anything on the 10.1.0.0/16 network from PC 2 I cannot get anywhere. I've had Cisco technical support for help, but we are all hitting a wall on this. There is something with the ASA and how it handles the SYN with asymmetrical routing that I am having challenges with. Any suggestions would be appreciated.
Since the ProCurve sees the 10.1.0.0/16 as connected it will normally just ARP for hosts when it has a packet to forward onwards to a destination in that network. You could put a static route in the ProCurve for your servers' host addresses to go via the ASA inside interface, making any /32 static be preferred over the /16 connected. That would make your routing symmetric.
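As an added example (not configuration posted by anyone in this thread), here is how the two remedies discussed above look in CLI form: the /32 host routes on the ProCurve that force PC 2's server-bound SYN through the ASA so the ASA sees both directions, and, as a fallback, TCP state bypass on the ASA scoped to the `tcp_bypass_VoIP_Net` ACL already shown. The interface name `inside`, the example server address 10.1.1.10, and the class-map/policy-map names are assumptions; the 10.1.1.1, 10.1.1.250 and 10.6.1.0/24 addresses come from the thread.

```cisco
! --- Option A (preferred): make the path symmetric on the ProCurve (10.1.1.250) ---
! A /32 host route is more specific than the connected 10.1.0.0/16, so the switch
! forwards PC 2's SYN for the server to the ASA instead of ARPing for the server.
! One line per server; 10.1.1.10 is an assumed example server address.
ip route 10.1.1.10 255.255.255.255 10.1.1.1

! --- ASA side, needed for either option ---
! Send the VoIP subnet to the ProCurve; "inside" is the assumed interface name.
route inside 10.6.1.0 255.255.255.0 10.1.1.250 1
! Traffic enters and leaves the same interface, so hairpinning must be allowed.
same-security-traffic permit intra-interface

! --- Option B (fallback): TCP state bypass for only this flow pair (ASA 8.2+) ---
! With bypass the ASA accepts a SYN-ACK for a connection whose SYN it never saw,
! but it also stops TCP normalization for those flows, so keep the ACL narrow.
access-list tcp_bypass_VoIP_Net extended permit ip 10.1.0.0 255.255.0.0 10.6.1.0 255.255.255.0
access-list tcp_bypass_VoIP_Net extended permit ip 10.6.1.0 255.255.255.0 10.1.0.0 255.255.0.0
class-map tcp_bypass_VoIP_class
 match access-list tcp_bypass_VoIP_Net
policy-map tcp_bypass_VoIP_policy
 class tcp_bypass_VoIP_class
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_VoIP_policy interface inside

! --- Checks ---
! Before the fix, asymmetric flows show up as "tcp-not-syn" drops here:
show asp drop
! Confirm the bypass policy is attached and counting hits:
show service-policy interface inside
```

Option A keeps full stateful inspection on the VoIP-to-LAN traffic and is the better fix for a firewall that sits between a phone system and the rest of the LAN; option B only tells the ASA to stop enforcing TCP state for the flows the ACL matches, and should be limited to exactly those two subnets rather than applied globally.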