ASA5505 - static route is not working

JohnDbury71
Level 1

Hello everyone,

I've got two internal networks which belong to the inside VLAN (or so I guess): 10.0.0.0/24 and 192.168.2.0/24.

The IP address of my ASA is 10.0.0.1, and the router used to make the two networks talk has got two interfaces: 10.0.0.42 and 192.168.2.1.

Thanks to the route command, the ASA should redirect the packets for 192.168.2.0 to 10.0.0.42, and it will manage to hand them to the other network.

Here is my config:

: Saved
:
ASA Version 8.2(5)
!
hostname Cisco-ASA-5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
clock timezone GMT 1
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.1.1-10.0.1.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.42 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.40 inside
dhcpd dns 81.253.149.9 80.10.246.1 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config
webvpn
username admin password 4RdDnLO1w29lihWc encrypted
username cld password zGOnThs6HPdAZhqs encrypted
tunnel-group synvpn type remote-access
tunnel-group synvpn general-attributes
 address-pool VPNpool
tunnel-group synvpn ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c3d233f44e742110aa0ce1f81173d47c
: end

I can ping the router through the IP address 10.0.0.42 but not with the other one: 192.168.2.1. Do you know why I can't talk to this network even though I defined a route?

Thanks !

John

15 Replies

cadet alain
VIP Alumni

Hi John,

Can you provide the config of the router, please?

Regards

Alain

Don't forget to rate helpful posts.


It is a Debian machine with routing functionality activated and 2 interfaces, so it simply routes.

If I execute the command "tracert 192.168.2.1" from my laptop (IP: 10.0.0.10), I get a timeout.

If I try to ping it, I also get a timeout.

I don't understand why the command "route inside 192.168.2.0 255.255.255.0 10.0.0.42 1" is not working; it's quite simple.

My laptop will talk to the ASA, packets will be forwarded to the router (10.0.0.42) and its second interface will get them (192.168.1.1).

I need help please.

Hi,

You're talking about the 192.168.2.0 subnet but then talk about 192.168.1.1; is this a typo?

Also, for your laptop in the 10.0.0.0 subnet, I suppose the default gateway is the ASA, which then sends out to the Linux router?

So you enter the inside interface and go back out the same interface to get to the Linux box?

Can you do this:

same-security-traffic permit intra-interface in global config

Regards

Alain

Don't forget to rate helpful posts.


Hi Alain,

My mistake, the IP address of the Linux router is 192.168.2.1/24.

You are right, my laptop gets all the DHCP information from ASA so my default gateway is the ASA.

Yes, I enter the inside interface and go back to it.

I tried to execute the command "same-security-traffic permit intra-interface", but unfortunately it didn't change anything.

When I try to reach a web service with the IP address 192.168.2.2, Firefox tells me that the "connection has been reset".

When I do a ping to 192.168.2.1, I can see ping requests in Wireshark but no reply, and no error message.

If your network is like below

then you are having asymmetric routing, and the connection won't work when there is a firewall in the path. To verify it you could add a static route on your laptop with this command: route add 192.168.2.0 mask 255.255.255.0 10.0.0.42. If asymmetric routing is the case, then this command would bring your laptop's connection back to normal.

But as you said you can't get any reply while capturing in Wireshark, I think the problem is due to the Debian machine's IP forwarding. Run the command below and see if you get 1 as the result:

cat /proc/sys/net/ipv4/ip_forward

also try this from debian:

ping -I 10.0.0.42 192.168.2.2

ping 192.168.2.2

Message was edited by: Thomas Fan

Thanks Thomas,

Yes my network is like your schema.

I've added the route on my machine and it is working. But I can't add static routes to every device on my network; I have to make it work through the ASA.

The ip_forward file contains 1 and all the ping commands are working.

Do you know what I could do, please? I don't understand why the firewall (the ASA?) is causing the problem and why it is asymmetric routing.

I would suggest enabling an unused port in the firewall, assigning it the IP address 192.168.2.1 and plugging the Debian machine's LAN cable into this port. This would make your firewall also act as a router+firewall between the 10.0.0.0 network and the 192.168.2.0 network. If you have a problem with this solution, please let me know.

Thanks, I'll try your solution.

But I understand why packets would get lost: the default gw of the Debian is the ASA, my laptop's default gw is the ASA; they can't go through another router to come back. It's the only way.

Unfortunately I don't have the license which allows me to have a third VLAN.

Is there any solution to solve the asymmetric routing problem please ?

I've connected the Debian machine directly to the ASA on Ethernet 0/3 which is inside, so into vlan 1.

It got a new IP from the ASA, 10.0.0.12, so I added the route:

route inside 192.168.2.0 255.255.255.0 10.0.0.12

But I still have the same problem: when I try to reach 192.168.2.1, I get a timeout.

Can somebody help me please ?

Here is some news:

1) I've connected the Debian machine directly to port 0/2 of the ASA5505.

2) I've changed the IP address of the Debian machine from 10.0.0.12 to 192.168.2.253. Now I've got one interface with this IP (ASA's side) and another interface with the IP 192.168.2.1 (my subnetwork's side).

I can ping 192.168.2.1, 192.168.2.2, 192.168.2.253 from the Debian machine but not 192.168.1.254 (ASA's IP).

3) Here is my conf:

names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan3
 no nameif
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
ftp mode passive
clock timezone GMT 1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.1.1-10.0.1.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.40 inside
dhcpd dns 81.253.149.9 80.10.246.1 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
 vpn-idle-timeout 30
username admin password 4RdDnLO1w29lihWc encrypted
tunnel-group synvpn type remote-access
tunnel-group synvpn general-attributes
 address-pool VPNpool
tunnel-group synvpn ipsec-attributes
 pre-shared-key *******
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:de6c2ff205906041c8ce435c5bcfd070
: end

Did I miss something to get it to work?

Hi John,

If you don't have a license to create a third VLAN or enable a third port, then a way to work around this that I know is to change the default gateway for the 10.0.0.0/24 network from the ASA to your Debian machine (all other configurations/settings/cabling as in your original post). Also, don't forget to set up a default gateway to the ASA on your Debian machine if you try this.

BTW, are you able to ping 10.0.0.1 from the 10.0.0.0/24 network? Or are you able to ping 192.168.2.254 from the 10.0.0.0/24 network?

To allow for the asymmetric routing, create a service policy rule to skip TCP state checking:

https://rumyittips.com/skip-tcp-state-tracking-sequence-checking-traffic-flows-across-asa-gaia/
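Thomas's asymmetric-routing diagnosis and the TCP-state-bypass suggestion in the last reply are easiest to see as a hop-by-hop walk of the handshake. The Python script below is an added example written for this page, not code from the thread, from Cisco or from the linked article. It models the thread's topology (laptop 10.0.0.10 with the ASA 10.0.0.1 as gateway, the ASA's `route inside 192.168.2.0 255.255.255.0 10.0.0.42`, the Debian router on 10.0.0.42 and 192.168.2.1, the web server 192.168.2.2) with a deliberately simplified stateful-firewall rule set, then replays a TCP handshake under the four setups discussed in the thread. The port numbers, the node names, the reduced connection-state machine and the ASA configuration in the header comment (my rendering of the `set connection advanced-options tcp-state-bypass` service policy, which exists from ASA 8.2(1)) are assumptions of the model, not taken from the page.

```python
"""Added example (not from the thread or Cisco): a toy model of the thread's
topology with a simplified stateful firewall, used to replay a TCP handshake
and show why the ASA drops the flow when the return path bypasses it.

Assumed ASA-side rendering of the `tcp_state_bypass` knob (ASA 8.2(1)+),
which disables TCP state checking for just these flows:
  access-list TCP-BYPASS extended permit tcp 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
  class-map TCP-BYPASS-CLASS
   match access-list TCP-BYPASS
  policy-map TCP-BYPASS-POLICY
   class TCP-BYPASS-CLASS
    set connection advanced-options tcp-state-bypass
  service-policy TCP-BYPASS-POLICY interface inside
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    flags: str            # "SYN", "SYN-ACK" or "ACK"
    sport: int = 40000    # constructed client port
    dport: int = 80       # assumed port of the web service on 192.168.2.2


@dataclass
class Node:
    name: str
    addrs: list                                  # "10.0.0.42/24", ...
    routes: list = field(default_factory=list)   # (prefix, next_hop)
    is_firewall: bool = False
    tcp_state_bypass: bool = False
    conns: dict = field(default_factory=dict)    # flow key -> state
    log: list = field(default_factory=list)

    def owns(self, ip):
        return any(ipaddress.ip_interface(a).ip == ipaddress.ip_address(ip)
                   for a in self.addrs)

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes;
        an on-link destination is returned as its own next hop."""
        d = ipaddress.ip_address(dst)
        candidates = [(ipaddress.ip_interface(a).network, dst) for a in self.addrs]
        candidates += [(ipaddress.ip_network(p), nh) for p, nh in self.routes]
        matches = [(net.prefixlen, nh) for net, nh in candidates if d in net]
        return max(matches)[1] if matches else None

    def firewall_permits(self, pkt):
        """Simplified ASA connection tracking: a SYN opens an embryonic entry,
        the SYN-ACK must be seen to establish it, and any other out-of-state
        segment is dropped (the 'Deny TCP (no connection)' symptom)."""
        if not self.is_firewall or self.tcp_state_bypass:
            return True
        key = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
        state = self.conns.get(key)
        if pkt.flags == "SYN" and state is None:
            self.conns[key] = "SYN_SEEN"
            return True
        if pkt.flags == "SYN-ACK" and state == "SYN_SEEN":
            self.conns[key] = "ESTABLISHED"
            return True
        if pkt.flags == "ACK" and state == "ESTABLISHED":
            return True
        self.log.append(f"drop {pkt.flags} {pkt.src}->{pkt.dst} state={state}")
        return False


def send(pkt, nodes, max_hops=8):
    """Forward the packet hop by hop; return the names of the nodes it
    traversed, ending in DELIVERED, DROPPED@<node> or NOROUTE@<node>."""
    by_ip = {ipaddress.ip_interface(a).ip: n for n in nodes for a in n.addrs}
    node = next(n for n in nodes if n.owns(pkt.src))
    path = [node.name]
    for _ in range(max_hops):
        nh = node.next_hop(pkt.dst)
        if nh is None:
            return path + [f"NOROUTE@{node.name}"]
        node = by_ip[ipaddress.ip_address(nh)]
        path.append(node.name)
        if node.owns(pkt.dst):
            return path + ["DELIVERED"]
        if not node.firewall_permits(pkt):
            return path + [f"DROPPED@{node.name}"]
    return path + ["LOOP"]


def tcp_handshake(nodes, client, server, cport=40000, sport=80):
    """Replay SYN / SYN-ACK / ACK; return (completed, {flags: path})."""
    steps = [("SYN", client, server, cport, sport),
             ("SYN-ACK", server, client, sport, cport),
             ("ACK", client, server, cport, sport)]
    trace = {}
    for flags, s, d, sp, dp in steps:
        trace[flags] = send(Packet(s, d, flags, sp, dp), nodes)
        if trace[flags][-1] != "DELIVERED":
            return False, trace
    return True, trace


def build(laptop_gateway="10.0.0.1", laptop_host_route=False, tcp_state_bypass=False):
    """The thread's topology; the laptop gateway and the ASA bypass are the knobs."""
    laptop = Node("laptop", ["10.0.0.10/24"], [("0.0.0.0/0", laptop_gateway)])
    if laptop_host_route:   # Thomas's check: route add 192.168.2.0 mask 255.255.255.0 10.0.0.42
        laptop.routes.append(("192.168.2.0/24", "10.0.0.42"))
    asa = Node("asa", ["10.0.0.1/24", "192.168.1.254/24"],
               [("192.168.2.0/24", "10.0.0.42"), ("0.0.0.0/0", "192.168.1.1")],
               is_firewall=True, tcp_state_bypass=tcp_state_bypass)
    debian = Node("debian", ["10.0.0.42/24", "192.168.2.1/24"], [("0.0.0.0/0", "10.0.0.1")])
    server = Node("server", ["192.168.2.2/24"], [("0.0.0.0/0", "192.168.2.1")])
    return [laptop, asa, debian, server]


SCENARIOS = {
    "asa_as_gateway": {},                                   # the original post
    "laptop_host_route": {"laptop_host_route": True},       # Thomas's test
    "debian_as_gateway": {"laptop_gateway": "10.0.0.42"},   # Thomas's workaround
    "asa_tcp_state_bypass": {"tcp_state_bypass": True},     # the last reply
}


def run_scenarios():
    """Return {scenario: (handshake_completed, {flags: path})}."""
    return {name: tcp_handshake(build(**kw), "10.0.0.10", "192.168.2.2")
            for name, kw in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (ok, trace) in run_scenarios().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for flags, path in trace.items():
            print(f"  {flags:8}{' -> '.join(path)}")
```

Running it, the first scenario reproduces the thread's symptom: the SYN crosses the ASA, the SYN-ACK comes back from the Debian box straight to the laptop on the same L2 segment without touching the ASA, and the laptop's ACK then arrives at the ASA with only an embryonic entry in its table and is dropped, so the connection never completes. The host route and the Debian-as-gateway setups take the ASA out of the path; TCP state bypass instead makes the ASA accept the out-of-state segment. Bypassed flows get no TCP normalisation, sequence checking or inspection on the ASA, so the routing fix is the safer option, and so is the third-interface approach where licensing allows it (note that Vlan3 in the second config above has `no nameif`, and an ASA interface does not pass traffic until it is named).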
