05-25-2006 12:10 PM - edited 02-21-2020 12:55 AM
Hello,
Default route has been set i.e. route outside 0.0.0.0 0.0.0.0 ISP-Router-IP
Inside interface is 192.168.1.254
All internet access for local subnet i.e. inside interface works 100% however regional offices are unable to access the internet. This will be due to a separate MPLS WAN router (192.168.1.253) which interconnects all our regional offices.
So I created static routes for each regional office on the ASA pointing back to the MPLS router.
Within the ASA I can ping regional offices with no issues but from a workstation (default gateway is ASA & not MPLS router) on same subnet as ASA I get request timed out.
I check the ASA log and get the following:
Deny inbound icmp src inside:192.168.1.1 dst inside:192.168.2.1 (type8, code 0)
Static route is as follows:
route inside 192.168.2.0 255.255.255.0 192.168.1.253 1
So basically the ASA is denying the inbound traffic that will then go out the same interface to the MPLS router.
Any suggestions???
05-25-2006 12:28 PM
Hi Craig,
When it comes to routing, ASA/PIX is not as smart as a Router. The route statement is meant to facilitate traffic flowing/passing THROUGH the firewall. It does not have the ability to do traffic 'redirection'.
This explains why your workstation is getting 'Request timed out' (RTO) when you ping your regional offices, as your workstation uses ASA as default gateway. When ICMP traffic destined for regional offices hits ASA, ASA can't redirect/send it back to your MPLS router. Hence, it will not process it and generates the "Deny inbound icmp src inside:192.168.1.1 dst inside:192.168.2.1 (type8, code 0)" log.
Normally, in your case, you need to have another router/L3 device in between to do the routing, handling traffic meant for the internet and the internal network. This router, for example, will be used as default gateway for all internal workstations.
In the router, set default route (all 0) to the ASA, and have a specific route (or dynamic routing) to your regional offices pointing to the MPLS router.
Hope this helps!
Rgds,
AK
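To make the two designs in this reply concrete, here is an added Python model (not from the thread or from Cisco) of the route lookups involved: longest-prefix match on the ASA's table as posted, the deny that results when the chosen egress is the interface the packet arrived on, and the proposed internal router whose default route points at the ASA and whose regional route points at the MPLS router. "ISP-Router-IP" is the page's own placeholder; the router's own address is not needed and the workstation address 192.168.1.1 is taken from the log line.

```python
import ipaddress

# Constructed tables mirroring the thread. "ISP-Router-IP" is the page's own
# placeholder for the upstream next hop; interface names are assumptions.
ASA_ROUTES = [
    ("0.0.0.0/0", "outside", "ISP-Router-IP"),      # route outside 0.0.0.0 0.0.0.0 ISP-Router-IP
    ("192.168.1.0/24", "inside", None),              # connected: inside interface 192.168.1.254
    ("192.168.2.0/24", "inside", "192.168.1.253"),   # route inside 192.168.2.0 255.255.255.0 192.168.1.253 1
]
ROUTER_ROUTES = [
    ("0.0.0.0/0", "lan", "192.168.1.254"),           # proposed router: default route to the ASA
    ("192.168.1.0/24", "lan", None),                 # connected LAN
    ("192.168.2.0/24", "lan", "192.168.1.253"),      # regional office via the MPLS router
]

def lookup(routes, dst):
    """Longest-prefix match; returns (egress interface, next hop) or (None, None)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return (None, None) if best is None else (best[1], best[2])

def asa_forward(ingress, src, dst):
    """Model of the observed behaviour: if the lookup selects the ingress
    interface, the ASA does not turn the packet around; it denies and logs it."""
    egress, nexthop = lookup(ASA_ROUTES, dst)
    if egress is None:
        return ("deny", "no route")
    if egress == ingress:
        return ("deny", f"Deny inbound icmp src {ingress}:{src} dst {ingress}:{dst} (type8, code 0)")
    return ("forward", f"{egress} via {nexthop}")

def workstation_path(dst, gateway_is_router):
    """Trace a workstation packet under the two designs in the thread:
    default gateway = ASA (current) or = internal router (proposed)."""
    if not gateway_is_router:
        return asa_forward("inside", "192.168.1.1", dst)
    egress, nexthop = lookup(ROUTER_ROUTES, dst)
    if nexthop == "192.168.1.254":               # router hands internet traffic to the ASA
        return asa_forward("inside", "192.168.1.1", dst)
    return ("forward", f"router {egress} via {nexthop}")

if __name__ == "__main__":
    for gw in (False, True):
        print("router gateway" if gw else "ASA gateway", workstation_path("192.168.2.1", gw))
        print("router gateway" if gw else "ASA gateway", workstation_path("198.51.100.10", gw))
```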
05-25-2006 12:34 PM
Also, please make sure all your regional offices' subnets are allowed to make/start internet connections in the ASA using the 'nat' command:
This normally looks like:
global (outside) 1 <1st_public_IP>-
global (outside) 1
nat (inside) 1 0.0.0.0 0.0.0.0 --> allowed all internal subnet
nat (inside) 1
Rgds,
AK