New Member

Routing the traffic in the same interface to a branch router

Dear all

From the attached image you will see that I am trying to ping the IP 192.168.1.1 from the PC 192.168.0.10, but I cannot. From the firewall I can ping the whole network, but from the users I cannot ping any IP in the subnet 192.168.1.0/24.

Please find the attached image and configuration.

Thanks,

Accepted Solution
Cisco Employee

Re: Routing the traffic in the same interface to a branch router

Use:

static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 norandom nailed
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 norandom nailed
same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1

Please rate if this helps.

Regards,

Sushil

5 REPLIES

Re: Routing the traffic in the same interface to a branch router

Use the 192.168.0.1 device as the primary layer 3 routing device instead of the firewall.

Change the default GW of the PC to 192.168.0.1.

Add a static IP route in the 192.168.0.1 device:

ip route 0.0.0.0 0.0.0.0 192.168.0.5

It will work better and will do what you want.

HTH

New Member

Re: Routing the traffic in the same interface to a branch router

Dear Sushil

Thank you very much for your help, it works fine.

Could you please explain the 5 commands, why you used the static NAT, and why you used it with the local subnet 192.168.0.0 of the firewall?

What about this command (sysopt noproxyarp inside)?

Thanks,

Cisco Employee

Re: Routing the traffic in the same interface to a branch router

One-arm routing/U-Turning:

              -------
              | ASA |
              -------192.168.1.1
                 |
                 |
              --------192.168.1.0/24 n/w
          ----|Switch|----
          |   --------   |
          |              |
    192.168.1.10      -------192.168.1.2(F0)
        host          |Router|
                      -------192.168.2.1(F1)
                         |
                 --------------------
                 |192.168.2.0/24 n/w|
                 --------------------
                         |
                    192.168.2.10
                        host

Refer to above topology-

ASA Inside interface: 192.168.1.1

ASA Inside interface n/w: 192.168.1.0/24

Internal router F0 interface: 192.168.1.2

Internal router F1 interface: 192.168.2.1

Network behind router: 192.168.2.0/24

Gateway IP of router: 192.168.1.1

Gateway of 192.168.1.0/24 n/w: 192.168.1.1

Gateway of 192.168.2.0/24 n/w: 192.168.2.1

Requirement-

192.168.1.0/24 and 192.168.2.0/24 networks should be able to talk to each other.

Hence, access to both networks should be available in both directions.

Command Set 1
=============

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
same-security-traffic permit intra-interface

Please note that only these 3 commands are *NOT* a solution and will disrupt services on the 192.168.1.0/24 network.

Command Set 2
=============

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 norandom nailed
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 norandom nailed
same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1

Why would command set 1 cause issues? Using the following static command:

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

we are telling the firewall to proxy-ARP for any IP address in the 192.168.1.0/24 network. Now if host 192.168.1.10 needs to talk to 192.168.1.20, it would do an ARP for 192.168.1.20. In this case, this ARP request would reach both the firewall inside interface as well as the actual host 192.168.1.20. Both will respond with their own MAC address. Now it depends which response gets to 192.168.1.10 first. If it receives the response from the firewall first, communication will not work; only if it receives the response from the actual host first would communication work. Hence, you would face intermittent issues in the internal network.

We had to use the norandom nailed option along with the failover timeout -1 command to enable asymmetric routing for these networks when sending traffic to a same-interface destination. This is required as the response for some requests would not be seen by the firewall and, if stateful filtering is on, communication would be dropped by the firewall.

Please rate if the explanation is helpful. :)

Regards,

Sushil
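The pre-8.3 `static (inside,inside) ... norandom nailed` syntax in the post above is not accepted by ASA 8.3 and later, which use object-based NAT. As an added example (not part of this thread or Cisco's own documentation), here is the same hairpin/U-turn setup for Sushil's topology in that newer syntax. The addresses are the ones from the topology; the object names (net-inside-lan, net-branch), the ACL/class-map/policy-map names and the interface name inside are assumptions.

```cisco
! Added example: ASA 8.3+ equivalent of the "static (inside,inside) ... norandom nailed" set above.
! Object names, the TCP-BYPASS names and the interface name "inside" are assumptions.
!
! Allow traffic to enter and leave the same interface (hairpin/U-turn).
same-security-traffic permit intra-interface
!
! The branch network 192.168.2.0/24 lives behind the internal router at 192.168.1.2.
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
!
! Identity (twice) NAT for LAN <-> branch traffic that hairpins on "inside".
! no-proxy-arp : the ASA must not answer ARP for these addresses on inside,
!                otherwise the proxy-ARP race described in the post returns.
! route-lookup : choose the egress interface from the routing table rather
!                than from the NAT rule, so the rule cannot misdirect traffic.
object network net-inside-lan
 subnet 192.168.1.0 255.255.255.0
object network net-branch
 subnet 192.168.2.0 255.255.255.0
nat (inside,inside) source static net-inside-lan net-inside-lan destination static net-branch net-branch no-proxy-arp route-lookup
!
! Replies that the branch sends back through the router reach the LAN host
! directly and never cross the ASA, so strict TCP state tracking would drop
! the flow. TCP state bypass, scoped to exactly these two subnets, is the
! supported replacement for "norandom nailed" + "failover timeout -1".
access-list TCP-BYPASS extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list TCP-BYPASS extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
class-map TCP-BYPASS-CLASS
 match access-list TCP-BYPASS
policy-map TCP-BYPASS-POLICY
 class TCP-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
service-policy TCP-BYPASS-POLICY interface inside
```

On 8.3+ the NAT rule is only needed if some other NAT rule would otherwise match the hairpinned traffic; the intra-interface permit and the static route are what make the U-turn work. To check the path, run `packet-tracer input inside tcp 192.168.1.10 1025 192.168.2.10 80 detailed` on the ASA and confirm the NAT and ROUTE-LOOKUP phases pick the inside interface with next hop 192.168.1.2, and verify on a LAN host that `arp -a` shows the real MAC of a peer rather than the ASA's. Keep in mind what the bypass costs: for the flows in TCP-BYPASS the ASA no longer normalizes or inspects TCP, so the two subnets are effectively unfiltered towards each other. The designs in the other replies, making the router the hosts' default gateway or giving the branch its own (sub)interface, keep both directions of every flow on the firewall and avoid the bypass entirely.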

Re: Routing the traffic in the same interface to a branch router

You could also make two subinterfaces on the inside interface, call them for example inside1 and inside2, give each one its own security level and IP addressing, and add a static NAT on the firewall pointing to each network through the corresponding subinterface,

and do normal NATing between the interfaces.

Good luck.

If helpful, rate.
