Cisco Support Community
Community Member

Static route on inside interface of ASA doesn't work

I have three subnets connected through a router in my LAN (inside interface):

route Outside 0.0.0.0 0.0.0.0 1x.1az.az.161 1

route Inside 192.168.2.0 255.255.255.0 192.168.0.254 1

route Inside 192.168.16.0 255.255.255.0 192.168.0.254 1

route Inside 192.168.55.0 255.255.255.0 192.168.0.254 1

I can reach the IPs in 192.168.2.0/24 and the other two subnets from the ASA.

But not from the PC on my LAN; I tried with ACLs etc.

Am I missing something here?

ACCEPTED SOLUTION
Community Member

Re: Static route on inside interface of ASA doesn't work

Hi, you have 2 ways to resolve this. ASA/PIX did not support "redirect traffic", also called "hairpinning", for unencrypted traffic before v7.2; it's a security feature. After v7.2, you can do this with NAT + "same-security-traffic permit intra-interface".

1. The "correct" way: let your router/layer 3 switch handle internal routing unless you need to control traffic among those subnets, and have the firewall just do access control/VPN.

a. Set all internal PCs' default gateway to point to 192.168.0.254

b. Set up the router's default route pointing to the inside interface of the firewall; the router will do the routing/redirect job

c. Remove those 3 static routes

2. The "feasible" way

a. Make sure you have v7.2 or later

b. same-security-traffic permit intra-interface

c. Configure proper NAT; in your case, try this config:

access-list inside_outbound_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.16.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.55.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0

If you have existing NAT exemption statements, just merge them. In this way, you can even put an ACL between 192.168.0.0 and the other 3 subnets. This config has not been verified; test it after hours.

Please rate if it helps.

14 REPLIES
Gold

Re: Static route on inside interface of ASA doesn't work

Is the following command entered:

same-security-traffic permit intra-interface

Community Member

Re: Static route on inside interface of ASA doesn't work

Added, but no luck. Any other commands?

Community Member

Re: Static route on inside interface of ASA doesn't work

mifw# sh run | in route
route Outside 0.0.0.0 0.0.0.0 1a.1xx.3b.1x1 1
route Inside 192.168.2.0 255.255.255.0 192.168.0.254 1
route Inside 192.168.16.0 255.255.255.0 192.168.0.254 1
route Inside 192.168.55.0 255.255.255.0 192.168.0.254 1
route Inside 208.134.161.0 255.255.255.0 192.168.0.67 1
mifw# sh run | in same
same-security-traffic permit intra-interface
mifw# ping inside 192.168.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/50 ms
mifw# ping inside 192.168.55.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/34/40 ms
mifw#

The same ping fails from the PC on this LAN.

Community Member

Re: Static route on inside interface of ASA doesn't work

I would be very interested in this as well, I have the same problem.

Gold

Re: Static route on inside interface of ASA doesn't work

Can you connect to other network services from a PC to those subnets? I.e., have you tested anything besides ping/ICMP?

Community Member

Re: Static route on inside interface of ASA doesn't work

Yes, we had a WatchGuard firewall and it used to work fine with that, both ping and our application; now with the ASA it doesn't work. However, if I add a static route on the PC like

route add 192.168.55.0 MASK 255.255.255.0 192.168.0.254
route add 192.168.2.0 MASK 255.255.255.0 192.168.0.254
route add 192.168.16.0 MASK 255.255.255.0 192.168.0.254

it works for that PC, but again this is not the correct way.

Gold

Re: Static route on inside interface of ASA doesn't work

Unless you're doing some weird NAT things on the firewall, causing ARP issues, I'm not sure what it could be.

You could further subnet your LAN that is directly behind the firewall. Then add a subinterface to one of the routers, so that would be your LAN's default gateway. On another subinterface, put that on the same LAN as the firewall inside interface; on that router, put a default route statement in pointing to the firewall.

Normally you would do all that with a layer 3 switch, but it doesn't sound like you have one of those.

Community Member

Re: Static route on inside interface of ASA doesn't work

Strange. Is it true that a PIX/ASA cannot redirect a packet coming in and leaving on the same interface? That's what I came to know from a colleague. Other firewalls do that; is there a way to make it happen using a NAT policy/NAT rule etc.?

I don't think it is feasible for us to make a subinterface on the PIX; that will cause us to move the internal router to a different subnet. Any other suggestions?

Gold

Re: Static route on inside interface of ASA doesn't work

same-security-traffic permit intra-interface

That command allows traffic to enter and leave the same interface.

Community Member

Re: Static route on inside interface of ASA doesn't work

access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.55.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0

Just adding the above NAT rules helped, thanks a lot. I'll be testing with the user application; thanks for your help.

Community Member

Re: Static route on inside interface of ASA doesn't work

Only ICMP works. I get the following in the syslog for RDP and other applications:

Jan 29 2008 11:46:13: %ASA-6-302013: Built inbound TCP connection 2692400 for Inside:192.168.0.77/4442 (192.168.0.77/4442) to Inside:192.168.16.74/3389 (192.168.16.74/3389)
Jan 29 2008 11:46:13: %ASA-6-302014: Teardown TCP connection 2692414 for Inside:192.168.0.75/2923 to Inside:192.168.16.65/135 duration 0:00:00 bytes 0 TCP Reset-O
Jan 29 2008 11:46:25: %ASA-6-302013: Built inbound TCP connection 2692487 for Inside:192.168.0.77/4443 (192.168.0.77/4443) to Inside:192.168.16.74/3389 (192.168.16.74/3389)
Jan 29 2008 11:46:25: %ASA-6-302014: Teardown TCP connection 2692487 for Inside:192.168.0.77/4443 to Inside:192.168.16.74/3389 duration 0:00:00 bytes 0 TCP Reset-O
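
A small detector for the symptom in this post, added here as an example (not code from the thread or from Cisco): it parses %ASA-6-302014 teardown messages and flags flows that entered and left the same interface with zero bytes and a TCP reset, which is what the syslog above shows for RDP while ping still works. The sample is the four lines quoted above plus one constructed benign Outside-to-Inside flow; the field layout is taken from those lines and the function names are my own.

```python
import re
from collections import Counter

# Log sample: the four lines quoted in the post above, plus one constructed
# benign Outside-to-Inside flow that the filter must ignore.
SAMPLE_LOG = """\
Jan 29 2008 11:46:13: %ASA-6-302013: Built inbound TCP connection 2692400 for Inside:192.168.0.77/4442 (192.168.0.77/4442) to Inside:192.168.16.74/3389 (192.168.16.74/3389)
Jan 29 2008 11:46:13: %ASA-6-302014: Teardown TCP connection 2692414 for Inside:192.168.0.75/2923 to Inside:192.168.16.65/135 duration 0:00:00 bytes 0 TCP Reset-O
Jan 29 2008 11:46:25: %ASA-6-302013: Built inbound TCP connection 2692487 for Inside:192.168.0.77/4443 (192.168.0.77/4443) to Inside:192.168.16.74/3389 (192.168.16.74/3389)
Jan 29 2008 11:46:25: %ASA-6-302014: Teardown TCP connection 2692487 for Inside:192.168.0.77/4443 to Inside:192.168.16.74/3389 duration 0:00:00 bytes 0 TCP Reset-O
Jan 29 2008 11:47:40: %ASA-6-302014: Teardown TCP connection 2692600 for Outside:203.0.113.10/443 to Inside:192.168.0.50/51000 duration 0:00:38 bytes 18432 TCP FINs
"""

# Field layout of the ASA 302014 teardown message as seen in the lines above.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

def parse_teardown(line):
    """Return the teardown fields as a dict, or None for any other message."""
    m = TEARDOWN_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def is_hairpin_reset(rec):
    """Same interface on both sides, zero bytes, ended by a TCP reset: the pattern
    the thread shows for RDP (3389) and RPC (135) while ICMP still passes."""
    return (rec["src_if"] == rec["dst_if"] and rec["bytes"] == 0
            and rec["reason"].startswith("TCP Reset"))

def find_hairpin_resets(lines):
    """All teardown records matching the signature, in log order."""
    recs = (parse_teardown(line) for line in lines)
    return [r for r in recs if r and is_hairpin_reset(r)]

def failing_ports(lines):
    """Flagged flows counted by destination port, to see which services break."""
    return Counter(r["dst_port"] for r in find_hairpin_resets(lines))

if __name__ == "__main__":
    for r in find_hairpin_resets(SAMPLE_LOG.splitlines()):
        print(r["conn"], r["src_ip"], "->", r["dst_ip"], r["dst_port"], r["reason"])
```

Run against a real `show logging` capture, a non-empty result after the NAT exemption is in place points at the inside-to-inside path rather than at the application.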

Community Member

Re: Static route on inside interface of ASA doesn't work

Hi pengfang, if you can help me with VPN, can you address this: "I was able to integrate NT Domain authentication for the VPN clients; however, I need to know if I can restrict this authentication to a particular user group in the NT. All other users should not be allowed to VPN in." This posting is in the VPN section. Thanks in advance.
