New Member

Routing on Cisco ASA 5520

I have a network that is connected via a VLAN configuration 10.x.x.x/24 that has a gateway of 10.x.x.x/16. I put a route on the firewall and I can ping the /24 network with no problem, but I believe I need an ACL on the firewall to allow traffic from 10.x.x.x/24 to come back to the internal 10.x.x.x/16 network via the firewall? The gateway and the firewall share the same network subnet. Could someone verify, as I am slated to go to ASA school but am learning the details in the meantime.

My Firewall is running 8.4(5).

Any help would be greatly appreciated.

Thank you Carlos

  • Firewalling
7 REPLIES
Super Bronze

Routing on Cisco ASA 5520

Hi,

I am afraid I don't quite understand your setup.

And since we are talking about private range IP addresses/subnets there is really no reason not to tell them here. Especially when we talk about routing. Depending on the network addresses you might have overlapping networks even.

Then again I am not sure how the 2 networks are connected to the ASA? Are they behind different interfaces of the ASA?

Could you perhaps share some configurations?

- Jouni

New Member

Routing on Cisco ASA 5520

Hello Jouni,

Sorry I wrote this request without details. Here is my configuration. My firewall ASA has an address of 10.1.1.1/16. My internal LAN is 10.1.0.0/16. I have a gateway on the same net of 10.1.1.250/16 that is connected to the same switch as my firewall. This gateway 10.1.1.250/16 is connected to a switch with VLAN configuration that hosts a 10.6.1.0/24 network with gateway 10.6.1.1/24. I have placed a route on the firewall that routes 10.6.1.0/24 via 10.1.1.250/16. I can ping and receive a reply from my Mitel VoIP system at 10.6.1.250/24, but I cannot pull up its website on my PC that also sits on the 10.1.0.0/16. I had it working with my SonicWall that we have finally retired.

That being said, do I need an ACL on the firewall to allow traffic back from the 10.6.1.0/24 to properly talk to the 10.1.0.0/16? Or do I need a route?

As always, I appreciate your help.

Carlos

Hall of Fame Super Silver

Routing on Cisco ASA 5520

Assuming the ASA is the default gateway for your PC, you need to add the line in your ASA:

same-security-traffic permit intra-interface

Reference.

New Member

Routing on Cisco ASA 5520

I have this configuration in. The issue is I have an asymmetric routing problem. I've been looking at articles. I have placed these configurations in and I am still not able to connect PC 2 to the server. What am I missing?

! Static route for the VoIP VLAN via the ProCurve (10.1.1.250), reached on the inside interface
route inside 10.6.1.0 255.255.255.0 10.1.1.250

! Match traffic between the internal LAN and the VoIP VLAN (ACL and class-map names must match exactly)
access-list tcp_bypass_VoIP_Net extended permit ip 10.1.0.0 255.255.0.0 10.6.1.0 255.255.255.0

class-map class_tcp_bypass_VoIP_Net
    match access-list tcp_bypass_VoIP_Net

! Disable TCP state tracking for that traffic so asymmetric flows are not dropped
policy-map tcp_bypass_policy
    class class_tcp_bypass_VoIP_Net
        set connection advanced-options tcp-state-bypass

service-policy tcp_bypass_policy interface inside

Hall of Fame Super Silver

Routing on Cisco ASA 5520

I don't believe your service-policy is necessary.

Have you applied the same-security line I suggested above?

The other option would be a host route in the server for the 10.6.1.0/24 network. Tell it to use the ProCurve interface of 10.1.1.250.

New Member

Routing on Cisco ASA 5520

Hello Marvin,

Yes, the same-security line has been in place for a while. I have the route in place on the ASA for the 10.1.0.0/16 network to use the 10.6.1.250 gateway. It works fine. The issue is when I try to access anything on the 10.1.0.0/16 network from PC 2 I cannot get anywhere. I've had Cisco technical support for help but we are all hitting a wall on this. There is something with the ASA and how it handles the SYN with asymmetrical routing that I am having challenges with. Any suggestions would be appreciated.

Thank you

Carlos

Hall of Fame Super Silver

Re: Routing on Cisco ASA 5520

Hmm yes I could see that might well be a problem.

Since the ProCurve sees the 10.1.0.0/16 as connected it will normally just ARP for hosts when it has a packet to forward onwards to a destination in that network. You could put a static route in the ProCurve for your servers' host addresses to go via the ASA inside interface, so that the /32 static is preferred over the /16 connected. That would make your routing symmetric.
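As an added illustration (not part of the thread, and not anyone's posted configuration), the following Python script models the topology Carlos describes as a set of longest-prefix-match routing tables and traces both directions of a flow between a 10.1.0.0/16 host and the Mitel at 10.6.1.250. It shows why the ASA sits on only one of the two paths (and therefore sees only half of the TCP handshake), and that each of Marvin's two suggestions, a /32 on the ProCurve pointing at the ASA inside interface or a 10.6.1.0/24 route on the host itself via 10.1.1.250, makes the paths symmetric. The PC address 10.1.5.10 and the node names are assumptions; every other address comes from the posts.

```python
"""Trace forward and return paths through the thread's topology.

Added example. Addresses from Carlos's posts: ASA inside 10.1.1.1/16,
ProCurve 10.1.1.250/16 and 10.6.1.1/24, Mitel 10.6.1.250. The PC address
10.1.5.10 is an assumption (never given in the thread).
"""
from copy import deepcopy
from ipaddress import ip_address, ip_network

# node -> interface addresses and routing table.
# Route = (prefix, next_hop); next_hop None means connected: ARP for the host.
TOPOLOGY = {
    "PC":       {"addrs": ["10.1.5.10"],  # assumed address
                 "routes": [("10.1.0.0/16", None), ("0.0.0.0/0", "10.1.1.1")]},
    "ASA":      {"addrs": ["10.1.1.1"],
                 "routes": [("10.1.0.0/16", None), ("10.6.1.0/24", "10.1.1.250")]},
    "ProCurve": {"addrs": ["10.1.1.250", "10.6.1.1"],
                 "routes": [("10.1.0.0/16", None), ("10.6.1.0/24", None)]},
    "Mitel":    {"addrs": ["10.6.1.250"],
                 "routes": [("10.6.1.0/24", None), ("0.0.0.0/0", "10.6.1.1")]},
}


def owner(topology, ip):
    """Name of the node that owns interface address ip, or None."""
    for name, node in topology.items():
        if str(ip) in node["addrs"]:
            return name
    return None


def next_hop(topology, node, dst):
    """Longest-prefix match in node's table; None means deliver directly."""
    best = None
    for prefix, nh in topology[node]["routes"]:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"{node}: no route to {dst}")
    return best[1]


def trace(topology, src_node, dst_ip, max_hops=8):
    """Nodes a packet from src_node passes through to reach dst_ip."""
    dst = ip_address(dst_ip)
    node, path = src_node, [src_node]
    for _ in range(max_hops):
        if owner(topology, dst) == node:
            return path
        nh = next_hop(topology, node, dst)
        node = owner(topology, ip_address(nh) if nh else dst)
        if node is None:
            raise LookupError(f"no node owns {nh or dst}")
        path.append(node)
    raise RuntimeError("routing loop")


def analyse(topology, a_node, a_ip, b_node, b_ip, firewall="ASA"):
    """Trace a flow both ways. A stateful firewall that appears on only one
    of the two paths sees half the handshake and drops the flow as
    out-of-state; that is the asymmetry described in the thread."""
    fwd = trace(topology, a_node, b_ip)
    ret = trace(topology, b_node, a_ip)
    return {"forward": fwd, "return": ret, "symmetric": fwd == ret[::-1],
            "firewall_sees": (firewall in fwd, firewall in ret)}


def with_procurve_host_route(topology, host_ip, via="10.1.1.1"):
    """Fix 1: /32 on the ProCurve for a 10.1.0.0/16 host, pointing at the ASA
    inside interface, so the return path hairpins through the ASA as well
    (requires same-security-traffic permit intra-interface on the ASA)."""
    fixed = deepcopy(topology)
    fixed["ProCurve"]["routes"].append((f"{host_ip}/32", via))
    return fixed


def with_host_route_on(topology, node, prefix, via):
    """Fix 2: a route on the host itself (e.g. 10.6.1.0/24 via 10.1.1.250),
    so neither direction touches the ASA."""
    fixed = deepcopy(topology)
    fixed[node]["routes"].append((prefix, via))
    return fixed


if __name__ == "__main__":
    variants = [
        ("as posted", TOPOLOGY),
        ("/32 on ProCurve", with_procurve_host_route(TOPOLOGY, "10.1.5.10")),
        ("route on PC", with_host_route_on(TOPOLOGY, "PC", "10.6.1.0/24", "10.1.1.250")),
    ]
    for label, topo in variants:
        r = analyse(topo, "PC", "10.1.5.10", "Mitel", "10.6.1.250")
        print(f"{label:16} fwd={r['forward']} ret={r['return']} "
              f"symmetric={r['symmetric']} ASA sees={r['firewall_sees']}")
```

Running it shows the "as posted" case with the ASA on the forward path only, which is exactly the condition under which the ASA drops a connection whose SYN or SYN-ACK it never saw; the first fix puts the ASA on both paths, the second removes it from both.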
