Cisco Support Community
Community Member

Static Route Issue

I have an ASA 5510 running 8.2(1) that I recently purchased and installed.

To give you an overview of our network layout, we have 3 remote offices.  Our main office is 10.0.0.0/24.  The ASA 5510 is 10.0.0.1.  Right now I have a VPN router that the ASA 5510 will eventually be taking the place of at 10.0.0.3.  It does a VPN tunnel to 10.0.5.0/24.  I have an MPLS router at 10.0.0.2 that connects to the other remote office (10.0.3.0/24).  I am also trying to get the ASA 5510 to do a VPN tunnel to 10.0.4.0/24, which has an ASA 5505 in place, but before I try and figure out why that is not working, I want to resolve this static route issue.

The ASA 5510 is working fine for us to get out on the internet from the 10.0.0.0/24 network; it is set as our default gateway on our client machines.  However, I cannot ping or in any way see anything on our remote networks from any client on the 10.0.0.0/24 network that uses the ASA 5510 as the default gateway.  I can, however, ping the remote equipment from the CLI interface on the ASA 5510, so I think I have my static routes just fine.  It makes me think it is an access list issue or some other command I am missing to keep the thing from blocking the traffic.

Thanks so much to anyone who is willing to point me in the right direction.  My brain is just about mush.

3 REPLIES
Super Bronze

Static Route Issue

Hi,

The following command(s) came to mind first, as I didn't find them in the attached configuration. Your traffic is entering and leaving the same interface, so you'll need one of the configurations below.

From Cisco material

same-security-traffic

To permit communication between interfaces with equal security levels,  or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.

same-security-traffic permit {inter-interface | intra-interface}

no same-security-traffic permit {inter-interface | intra-interface}

Syntax Description

inter-interface    Permits communication between different interfaces that have the same security level.

intra-interface    Permits communication in and out of the same interface.

Defaults

This command is disabled by default.

Usage Guidelines

Allowing communication between same security interfaces (enabled by the same-security-traffic inter-interface command) provides the following benefits:

You can configure more than 101 communicating interfaces. If you use different levels for each interface, you can configure only one interface per level (0 to 100).

You can allow traffic to flow freely between all same security interfaces without access lists.

The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the adaptive security appliance is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the adaptive security appliance and then out again to the other spoke.

Note: All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the adaptive security appliance.


Examples

The following example shows how to enable the same-security interface communication:

hostname(config)# same-security-traffic permit inter-interface

The following example shows how to enable traffic to enter and exit the same interface:

hostname(config)# same-security-traffic permit intra-interface

Hope this helps

- Jouni

Community Member

Static Route Issue

That is a great suggestion, and I tried it, but it didn't solve the problem.  Still can't ping from a client, but can from inside the device.

Super Bronze

Static Route Issue

Hi,

The quoted text above mentions that the traffic is still subject to normal firewall rules.

Can you make sure that you have permitted ICMP from the interface that has the routes to the remote network?

Can you also check that you have the following inspect configured:

policy-map global_policy
 class inspection_default
  inspect icmp

The "inspect icmp" line basically simplifies the ICMP handling with the firewall. You won't have to use an access-list in both directions to get the ICMP working. At least that's how I understood it.

It doesn't seem you have that configured in the attached ASA configuration. Though I'm not sure if it's needed in the way your traffic is going, I'm sure it won't hurt adding the "inspect icmp" anyway.

PS.

Why do both your routes have the same gateway address? Wasn't the other network supposed to be reached via 10.0.0.2 and not 10.0.0.3?

- Jouni
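As an added example (not from the thread or the poster's attached configuration), here are the ASA 8.2 commands the two replies describe, put together using the addresses from the original post; it assumes the LAN interface is named inside and that the inbound access-list on it is named inside_in.

```cisco
! Static routes: each remote network via the router that actually reaches it
! (the second reply asks why both routes pointed at the same gateway).
route inside 10.0.3.0 255.255.255.0 10.0.0.2 1
route inside 10.0.5.0 255.255.255.0 10.0.0.3 1

! Client traffic enters and leaves the inside interface (hairpin), which the
! ASA refuses by default.
same-security-traffic permit intra-interface

! Hairpinned traffic is still filtered by the inbound ACL on inside.
! Permit ICMP echo toward the remote networks. If inside_in is a new ACL,
! remember it ends with an implicit deny: keep the permits your internet-bound
! traffic already relies on, otherwise applying it cuts the LAN off.
access-list inside_in extended permit icmp 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0 echo
access-list inside_in extended permit icmp 10.0.0.0 255.255.255.0 10.0.5.0 255.255.255.0 echo
access-group inside_in in interface inside

! Stateful ICMP inspection: echo replies are matched to the request that
! created the connection instead of needing a second ACL for the return path.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! Verification: simulate a client ping (constructed hosts 10.0.0.50 and
! 10.0.3.10) to see which route, ACL and inspection phases drop or pass it,
! then confirm the routes are installed.
packet-tracer input inside icmp 10.0.0.50 8 0 10.0.3.10
show route
```

Because the reply path from a remote site goes router to client directly and never crosses the ASA, this is exactly the asymmetric routing the quoted Cisco note warns about: pings may work, but stateful inspection of other protocols will still see only half of each connection.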
