ASA 5505, Static routing issue.

Hello all,

I have an ASA 5505 that I just recently setup. It is functioning correctly in all regards except one:

I have a static route, inside 192.168.2.0 255.255.255.0 192.168.1.3 1, that allows me to ping anything in the 192.168.2.0 network, but I am unable to pass any IP traffic.

The inside IP address of the ASA is 192.168.1.1 and the route gateway 192.168.1.3 is simply another router with a P2P connected to 192.168.2.0.

When I add the route to a workstation routing table everything works fine. It appears the ASA is blocking something.

Any thoughts?

Thanks

Andrew

22 REPLIES

ASA 5505, Static routing issue.

What are you doing to try to pass traffic, or how are you testing this outside of pings? Can the 192.168.2.0/24 subnet get on the internet?

HTH,
John

*** Please rate all useful posts ***


ASA 5505, Static routing issue.

Hi John,

I'm sitting on the 192.168.1.0 side attempting to connect to services on the 192.168.2.0 side, i.e. SMTP, HTTP, RDP.

The gateway of my test workstation is the ASA at 192.168.1.1. If I add a route to the local computer then I have no problems; I can ping and access all IP services on the 192.168.2.0 side.

If I remove the route from the local computer and use the static route on the ASA, then I can only ping nodes on the 192.168.2.0 side but cannot access the IP services mentioned above.

Thanks

Andrew

ASA 5505, Static routing issue.

So you mean that if on your workstation you add the following, everything works:

route add 192.168.2.0 255.255.255.0 192.168.1.3

But if you add a static route on the firewall such as this one, only ICMP works:

route inside 192.168.2.0 255.255.255.0 192.168.1.3 1

Have you tried looking at the logs on the ASA to see what you are getting there when you try to reach the 192.168.2.0/24 network?


ASA 5505, Static routing issue.

Correct.

Logs aren't showing any of the traffic to the 192.168.2.0 network at all.

When I do:

packet-tracer input inside tcp 192.168.1.111 80 192.168.2.10 80

I get:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASA 5505, Static routing issue.

Post a diagram please ....

HTH,
John

*** Please rate all useful posts ***


Re: ASA 5505, Static routing issue.

Thanks for looking at this, John. Diagram attached.

I should also add that in both cases the Default gateway of the Workstation is 192.168.1.1

ASA 5505, Static routing issue.

No problem Andrew....try adding "same-security-traffic intra-interface" and see if that helps....

HTH,
John

*** Please rate all useful posts ***


Re: ASA 5505, Static routing issue.

Unfortunately no difference.

I can tracert and ping either way, I just cannot telnet to 192.168.2.10 on 80, 3389, or 25 when using the static route on the ASA.

I tried a reload earlier as a sanity check.

Re: ASA 5505, Static routing issue.

Can you post your config of the asa? I'm assuming that the asa is configured as your default gateway for your host...

HTH,
John

*** Please rate all useful posts ***


Re: ASA 5505, Static routing issue.

Here it is:

Thanks


ASA Version 8.3(1) 
!
hostname MBNY1ASA1
domain-name REDACTED
enable password REDACTED encrypted
passwd REDACTED encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 backup interface Vlan12
 nameif TimeWarner-outside
 security-level 0
 ip address REDACTED 255.255.255.248 
!
interface Vlan12
 nameif Verizon-outside
 security-level 0
 ip address REDACTED 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec This is a private system. All connections are logged. 
banner exec Unauthorized access is forbidden.
banner login This is a private system. All connections are logged. 
banner login Unauthorized access is forbidden.
banner asdm This is a private system. All connections are logged. 
banner asdm Unauthorized access is forbidden.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup TimeWarner-outside
dns domain-lookup Verizon-outside
dns server-group DefaultDNS
 name-server 192.168.1.15
 name-server 192.168.1.10
 name-server 4.2.2.2
 domain-name mb.modernbank.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network mbny1-workstations 
 range 192.168.1.20 192.168.1.254
object network PublicServer_NAT1 
 host 192.168.1.15
object network mbny3 
 subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24 
 subnet 192.168.1.0 255.255.255.0
object network mbny2 
 subnet 192.168.2.0 255.255.255.0
object service RDP 
 service tcp source eq 3389 destination eq 3389 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq finger
 port-object eq ftp
 port-object eq ftp-data
 port-object eq smtp
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_access_in extended deny tcp object mbny1-workstations any object-group DM_INLINE_TCP_1 
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-list inside_access_in extended permit ip any any 
access-list TimeWarner-outside_access extended permit tcp object-group Teracom host 192.168.1.15 eq pop3 
access-list TimeWarner-outside_access extended permit tcp any host 192.168.1.15 eq https 
access-list TimeWarner-outside_access extended permit tcp any host 192.168.1.15 eq smtp 
access-list TimeWarner-outside_access extended permit icmp any any object-group DM_INLINE_ICMP_2 
pager lines 24
logging enable
logging asdm informational
logging mail alerts
logging from-address mbny1asa1@modernbank.com
logging recipient-address ashadid@teracom.com level alerts
logging recipient-address kanderson@modernbank.com level emergencies
logging class auth mail alerts 
logging class session mail alerts 
logging class vpn mail alerts 
mtu inside 1500
mtu TimeWarner-outside 1500
mtu Verizon-outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,TimeWarner-outside) source dynamic any interface
nat (inside,TimeWarner-outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mbny3 mbny3
nat (inside,inside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mbny3 mbny3
!
object network obj_any
 nat (inside,TimeWarner-outside) dynamic interface
object network PublicServer_NAT1
 nat (inside,TimeWarner-outside) static A_108.176.55.100
access-group inside_access_in in interface inside
access-group TimeWarner-outside_access in interface TimeWarner-outside
route TimeWarner-outside 0.0.0.0 0.0.0.0 108.176.55.97 1 track 1
route Verizon-outside 0.0.0.0 0.0.0.0 65.209.19.2 128 track 2
route inside 192.168.2.0 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 10
 type echo protocol ipIcmpEcho 4.2.2.2 interface TimeWarner-outside
 num-packets 5
 timeout 1000
 threshold 500
 frequency 10
sla monitor schedule 10 life forever start-time now
sla monitor 20
 type echo protocol ipIcmpEcho 4.2.2.2 interface TimeWarner-outside
 num-packets 5
 timeout 1000
 threshold 500
 frequency 10
sla monitor schedule 20 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp identity address 
crypto isakmp enable inside
crypto isakmp enable TimeWarner-outside
crypto isakmp enable Verizon-outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 10 reachability
!
track 2 rtr 20 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config TimeWarner-outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
!
dhcprelay server 192.168.1.15 inside
dhcprelay enable TimeWarner-outside
dhcprelay enable Verizon-outside
dhcprelay timeout 60

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable TimeWarner-outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
username admin password EBia0rY9ypF9MtyY encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
smtp-server 192.168.1.15 192.168.2.15
prompt hostname context 
Cryptochecksum:90299a2be3a2147933deb3f2db794907
: end
no asdm history enable

Re: ASA 5505, Static routing issue.

Try adding this:

policy-map global_policy
 class inspection_default
  inspect http

HTH,
John

*** Please rate all useful posts ***


Re: ASA 5505, Static routing issue.

Thanks, John.

That didn't do it.

I feel like there should be a simple solution here but I haven't found it.

It's just a route to another internal network, right?

Andrew

Re: ASA 5505, Static routing issue.

Should be. Can you trace to the web server successfully? Let's do this. On the ASA create a capture:

access-list webcapture permit ip host 192.168.1.x host 192.168.2.x
access-list webcapture permit ip host 192.168.2.x host 192.168.1.x

(Replace x with the actual host number)

capture webcapture access-list webcapture interface inside

Try to connect to the web server. After it fails, do "show capture webcapture" and paste those results here.

Thanks!
John

Sent from Cisco Technical Support iPhone App


Re: ASA 5505, Static routing issue.

Thanks. I tried this solution. Unfortunately, stateful bypass doesn’t do it.

It's very frustrating since Ping and tracert work fine, just not TCP/IP.

Below are the log items from John's suggestion above:

   1: 11:32:17.559617 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2273581531:2273581531(0) win 65535 cale 4,nop,nop,timestamp 434003838 0,sackOK,eol>
   2: 11:32:17.559922 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 3273783411:3273783411(0) win 65535 cale 4,nop,nop,timestamp 434003838 0,sackOK,eol>
   3: 11:32:17.566285 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 3273783412:3273783412(0) win 0
   4: 11:32:17.566315 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 4273985292:4273985292(0) win 0
   5: 11:32:18.661785 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2273581531:2273581531(0) win 65535 cale 4,nop,nop,timestamp 434004929 0,sackOK,eol>
   6: 11:32:18.662090 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 3543657649:3543657649(0) win 65535 cale 4,nop,nop,timestamp 434004929 0,sackOK,eol>
   7: 11:32:19.760916 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 3273783412:3273783412(0) win 0
   8: 11:32:19.760977 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 248892234:248892234(0) win 0
   9: 11:32:19.763571 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2273581531:2273581531(0) win 65535 cale 4,nop,nop,timestamp 434006026 0,sackOK,eol>
  10: 11:32:19.763845 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2892129823:2892129823(0) win 65535 cale 4,nop,nop,timestamp 434006026 0,sackOK,eol>
  11: 11:32:20.866669 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2273581531:2273581531(0) win 65535 cale 4,nop,nop,timestamp 434007125 0,sackOK,eol>
  12: 11:32:20.866700 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2892129823:2892129823(0) win 65535 cale 4,nop,nop,timestamp 434007125 0,sackOK,eol>
  13: 11:32:21.972270 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2273581531:2273581531(0) win 65535 cale 4,nop,nop,timestamp 434008212 0,sackOK,eol>
  14: 11:32:21.972316 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2892129823:2892129823(0) win 65535 cale 4,nop,nop,timestamp 434008212 0,sackOK,eol>
  15: 11:32:23.075984 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2273581531:2273581531(0) win 65535 cale 4,nop,nop,timestamp 434009309 0,sackOK,eol>
  16: 11:32:23.076045 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2892129823:2892129823(0) win 65535 cale 4,nop,nop,timestamp 434009309 0,sackOK,eol>
  17: 11:32:25.181860 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2273581531:2273581531(0) win 65535 cale 4,nop,nop,timestamp 434011404 0,sackOK,eol>
  18: 11:32:25.181905 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2892129823:2892129823(0) win 65535 cale 4,nop,nop,timestamp 434011404 0,sackOK,eol>
  19: 11:32:26.321699 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 3273783412:3273783412(0) win 0
  20: 11:32:26.321760 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 3892331704:3892331704(0) win 0
  21: 11:32:29.213718 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2273581531:2273581531(0) win 65535 ,eol>
  22: 11:32:29.214008 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 3913856865:3913856865(0) win 65535 ,eol>
  23: 11:32:36.608870 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 47649084:47649084(0) win 65535 0,sackOK,eol>
  24: 11:32:36.609175 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 1515884620:1515884620(0) win 65535 2802 0,sackOK,eol>
  25: 11:32:36.614088 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: R 1515884621:1515884621(0) win 0
  26: 11:32:36.614165 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: R 2984120157:2984120157(0) win 0
  27: 11:32:37.327238 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2273581531:2273581531(0) win 65535
  28: 11:32:37.327284 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 3913856865:3913856865(0) win 65535
  29: 11:32:37.628248 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 47649084:47649084(0) win 65535 0,sackOK,eol>
  30: 11:32:37.628553 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 636735339:636735339(0) win 65535 17 0,sackOK,eol>
  31: 11:32:38.733482 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 47649084:47649084(0) win 65535 0,sackOK,eol>
  32: 11:32:38.733528 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 636735339:636735339(0) win 65535 13 0,sackOK,eol>
  33: 11:32:39.005767 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: R 1515884621:1515884621(0) win 0
  34: 11:32:39.005874 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: R 2104970876:2104970876(0) win 0
  35: 11:32:39.834871 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 47649084:47649084(0) win 65535 0,sackOK,eol>
  36: 11:32:39.835161 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 1576084093:1576084093(0) win 65535 5998 0,sackOK,eol>
  37: 11:32:40.938428 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 47649084:47649084(0) win 65535 0,sackOK,eol>
  38: 11:32:40.938473 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 1576084093:1576084093(0) win 65535 7084 0,sackOK,eol>
  39: 11:32:42.044019 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 47649084:47649084(0) win 65535 0,sackOK,eol>
  40: 11:32:42.044065 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 1576084093:1576084093(0) win 65535 8172 0,sackOK,eol>
  41: 11:32:44.151176 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 47649084:47649084(0) win 65535 0,sackOK,eol>
  42: 11:32:44.151222 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 1576084093:1576084093(0) win 65535 0263 0,sackOK,eol>
  43: 11:32:45.566651 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: R 1515884621:1515884621(0) win 0
  44: 11:32:45.566727 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: R 3044319630:3044319630(0) win 0
  45: 11:32:48.262513 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 47649084:47649084(0) win 65535
  46: 11:32:48.262803 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 117847353:117847353(0) win 65535
  47: 11:32:53.587356 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2273581531:2273581531(0) win 65535
  48: 11:32:53.587387 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 3913856865:3913856865(0) win 65535
  49: 11:32:53.592300 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 3913856866:3913856866(0) win 0
  50: 11:32:53.592330 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 1259164904:1259164904(0) win 0
  51: 11:32:55.845338 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 3913856866:3913856866(0) win 0
  52: 11:32:56.290664 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 47649084:47649084(0) win 65535
  53: 11:32:56.290695 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 117847353:117847353(0) win 65535
  54: 11:33:02.406320 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 3913856866:3913856866(0) win 0
  55: 11:33:12.416482 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 47649084:47649084(0) win 65535
  56: 11:33:12.416528 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: S 117847353:117847353(0) win 65535
  57: 11:33:12.421502 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: R 117847354:117847354(0) win 0
  58: 11:33:12.421578 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: R 188045623:188045623(0) win 0
  59: 11:33:15.097254 802.1Q vlan#1 P0 192.168.1.14.57467 > 192.168.2.10.80: R 117847354:117847354(0) win 0
59 packets shown

MBNY1ASA1(config)#

Re: ASA 5505, Static routing issue.

I'll try to lab this up at lunch and see what I can come up with....

HTH,
John

*** Please rate all useful posts ***

Re: ASA 5505, Static routing issue.

I believe you are facing an asymmetric routing issue, which the ASA doesn't support by default. The return traffic from the 192.168.2 network will not hit the firewall, so it thinks the connection is incomplete and blocks further packets from that session. This is due to stateful packet inspection. Here is an example for performing the stateful bypass:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

Sent from Cisco Technical Support Android App
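Added example, not from the thread: a script that parses the capture lines quoted above and tests one reading of them. The ASA rewrites TCP initial sequence numbers by default, so the inside-interface capture shows each client SYN twice (as received and as forwarded with a per-connection offset); if the server's SYN-ACK returns to the client without crossing the ASA, it acknowledges the rewritten ISN, which the client never sent, and the client answers with RST. The sample input is a constructed subset of the packets above, and pairing each SYN with the rewritten copy that immediately follows it is an assumption of this analysis.

```python
import re

# Constructed sample input: eight of the packet lines quoted above from the
# ASA "show capture webcapture" output (the truncated TCP options are omitted).
CAPTURE = """\
   1: 11:32:17.559617 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2273581531:2273581531(0) win 65535
   2: 11:32:17.559922 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 3273783411:3273783411(0) win 65535
   3: 11:32:17.566285 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 3273783412:3273783412(0) win 0
   4: 11:32:17.566315 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 4273985292:4273985292(0) win 0
   5: 11:32:18.661785 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 2273581531:2273581531(0) win 65535
   6: 11:32:18.662090 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: S 3543657649:3543657649(0) win 65535
   7: 11:32:19.760916 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 3273783412:3273783412(0) win 0
   8: 11:32:19.760977 802.1Q vlan#1 P0 192.168.1.14.57464 > 192.168.2.10.3389: R 248892234:248892234(0) win 0
"""

# One "show capture" line: number, timestamp, 5-tuple, TCP flags, sequence number.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+): (?P<ts>\S+) .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRFP.]+) (?P<seq>\d+):\d+\(\d+\)"
)
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def parse_capture(text):
    """Parse capture lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            for key in ("num", "sport", "dport", "seq"):
                p[key] = int(p[key])
            packets.append(p)
    return packets


def same_tuple(a, b):
    return (a["src"], a["sport"], a["dst"], a["dport"]) == \
           (b["src"], b["sport"], b["dst"], b["dport"])


def analyse(packets):
    """Pair each SYN with the rewritten copy that follows it on the same
    interface, collect the ISN offsets, and flag RSTs whose sequence number is
    a rewritten ISN + 1 (what a client sends back to an unexpected SYN-ACK)."""
    client = packets[0]["src"] if packets else None
    offsets, rewritten, suspect_rsts = [], set(), []
    i = 0
    while i < len(packets):
        a = packets[i]
        b = packets[i + 1] if i + 1 < len(packets) else None
        if (b and a["flags"] == "S" and b["flags"] == "S"
                and same_tuple(a, b) and a["seq"] != b["seq"]):
            offsets.append((b["seq"] - a["seq"]) % MOD)
            rewritten.add(b["seq"])
            i += 2
            continue
        if a["flags"] == "R" and (a["seq"] - 1) % MOD in rewritten:
            suspect_rsts.append(a["num"])
        i += 1
    return {
        "offsets": offsets,                 # one per connection the ASA built
        "rst_to_rewritten_isn": suspect_rsts,
        # packets sourced by the server; zero means its replies never crossed
        # this interface, i.e. the return path bypasses the firewall
        "server_packets": sum(1 for p in packets if p["src"] != client),
    }


if __name__ == "__main__":
    print(analyse(parse_capture(CAPTURE)))
```

The offset changes between packets 2 and 6 because the client's RST tore down the first connection, so the retransmitted SYN built a new one with a fresh ISN offset.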

Re: ASA 5505, Static routing issue.

Hi Andrew,

I guess the ASA NAT rules are taking precedence over your routing. Can you do a packet tracer from the ASA?

Ex: packet-tracer input inside tcp 192.168.1.10 80 192.168.2.20 80

Thx

MS


Re: ASA 5505, Static routing issue.

MBNY1ASA1# packet-tracer input inside tcp 192.168.1.10 80 192.168.2.10 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.2.0     255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 286357, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASA 5505, Static routing issue.

Looks like the NAT (IPsec-related) configs are kicking in for the traffic:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Can you temporarily disable NAT (and the static NAT) and try to access it, leaving the static route in place? If this is a production environment, make sure you have a maintenance window.

Thx

MS

Re: ASA 5505, Static routing issue.

Andrew,

Mike is 100% correct in the asymmetrical routing comment. I had the same problem as you, and this is how I fixed it.

I did all of this in GNS, so I'm hoping this will resolve your issue:

access-list bypass extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list bypass extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
class-map bypass
 match access-list bypass
class-map default
 match default-inspection-traffic
policy-map ServicePolicy
 class default
  inspect http
 class bypass
  set connection advanced-options tcp-state-bypass
service-policy ServicePolicy global

HTH,
John

*** Please rate all useful posts ***


Re: ASA 5505, Static routing issue.

IIRC you also need to explicitly disable NAT when doing state bypass.

Try adding John's config and the following NAT line:

nat (inside,inside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mbny2 mbny2

You may have to apply this to the inside interface instead of global:

class-map bypass
 match access-list bypass
policy-map inside_policy
 class bypass
  set connection advanced-options tcp-state-bypass
service-policy inside_policy interface inside

Additionally, a simpler solution would be to set up the router at 1.3 as the default gateway; then you won't have to worry about asymmetric routing for your internal network. All traffic through the ASA at that point would return through the ASA.

Regards,

Mike


Re: ASA 5505, Static routing issue.

Something is confusing. What IP are you using for the P2P: Router A (WAN IP) and the other Router B (WAN IP) > 2600 series router?

Jawad