ASA 5510 Routing issues

Hello,

Default route has been set i.e. route outside 0.0.0.0 0.0.0.0 ISP-Router-IP

Inside interface is 192.168.1.254

All internet access for the local subnet, i.e. the inside interface, works 100%; however, regional offices are unable to access the internet. This will be due to a separate MPLS WAN router (192.168.1.253) which interconnects all our regional offices.

So I created static routes for each regional office on the ASA pointing back to the MPLS router.

Within the ASA I can ping regional offices with no issues but from a workstation (default gateway is ASA & not MPLS router) on same subnet as ASA I get request timed out.

I check the ASA log and get the following:

Deny inbound icmp src inside:192.168.1.1 dst inside:192.168.2.1 (type8, code 0)

Static route is as follows:

route inside 192.168.2.0 255.255.255.0 192.168.1.253 1

So basically the ASA is denying the inbound traffic that will then go out the same interface to the MPLS router.

Any suggestions???

2 REPLIES

Re: ASA 5510 Routing issues

Hi Craig,

When it comes to routing, the ASA/PIX is not as smart as a router. The route statement is meant to facilitate traffic flowing/passing THROUGH the firewall. It does not have the ability to do traffic 'redirection'.

This explains why your workstation gets 'Request timed out' (RTO) when you ping your regional offices, as your workstation uses the ASA as its default gateway. When ICMP traffic destined for the regional offices hits the ASA, the ASA can't redirect/send it back to your MPLS router. Hence it will not process it and generates the "Deny inbound icmp src inside:192.168.1.1 dst inside:192.168.2.1 (type8, code 0)" log.

Normally, in your case, you need another router/L3 device in between to route traffic meant for the internet and for the internal network. This router, for example, will be used as the default gateway for all internal workstations.

In the router, set default route (all 0) to the ASA, and have a specific route (or dynamic routing) to your regional offices pointing to the MPLS router.

Hope this helps!

Rgds,

AK
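AK's two-device design written out end to end, as an added example that is not configuration posted by anyone in this thread. The ASA inside address (192.168.1.254), the MPLS router (192.168.1.253), the regional subnet 192.168.2.0/24 and the ASA routes are taken from the question; the new router's address 192.168.1.252 and its interface name are assumptions, and the ISP next hop is left as the placeholder the question uses. The last block is an added note on an ASA option the thread does not discuss.

```cisco
! --- Internal L3 router (assumed address 192.168.1.252, interface name assumed) ---
! Point every workstation's default gateway here instead of at the ASA.
interface GigabitEthernet0/0
 ip address 192.168.1.252 255.255.255.0
 no shutdown
!
! Anything not matched by a more specific route goes to the ASA and on to the Internet.
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
! Regional office subnets go to the MPLS WAN router instead.
! Add one line per office, or run a routing protocol with the MPLS router.
ip route 192.168.2.0 255.255.255.0 192.168.1.253

! --- ASA 5510 (inside 192.168.1.254) ---
! Default route to the ISP, as in the question.
route outside 0.0.0.0 0.0.0.0 ISP-Router-IP
! Still needed: replies coming back from the Internet for a regional office
! must be handed to the MPLS router. This is the route from the question.
route inside 192.168.2.0 255.255.255.0 192.168.1.253 1

! --- Added note: ASA option not mentioned in the thread ---
! By default the ASA will not send a packet back out the interface it arrived on,
! and the "Deny inbound icmp src inside:... dst inside:..." log in the question is
! the result. With the command below enabled, the single-ASA setup from the
! question works with the "route inside" line above (subject to any access list
! applied to the inside interface).
same-security-traffic permit intra-interface
```

With the two-device design, the ASA only ever sees inside-to-outside and outside-to-inside flows, so no intra-interface permit is involved; the ASA route for 192.168.2.0/24 is still required so that return traffic from the Internet is forwarded to the MPLS router rather than dropped.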

Re: ASA 5510 Routing issues

Also, please make sure all your regional office subnets are allowed to make/start internet connections in the ASA using the 'nat' command.

This normally looks like:

global (outside) 1 <1st_public_IP>-<last_public_IP> netmask <mask>   --> a range of public IPs, or

global (outside) 1 <single_public_IP or interface>                   --> serves as PAT

nat (inside) 1 0.0.0.0 0.0.0.0                                       --> allows all internal subnets, or

nat (inside) 1 <regional_subnet> <mask>                              --> one line per subnet

Rgds,

AK
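AK's nat/global fragment filled in with concrete values, as an added example that is not from the thread. 203.0.113.0/24 is a documentation range standing in for the real public addresses; the regional subnet is the 192.168.2.0/24 from the question, and the local LAN is assumed to be 192.168.1.0/24 (the ASA inside address in the question is 192.168.1.254). This is the pre-8.3 nat/global syntax the reply uses.

```cisco
! Translation pool 1 on the outside interface. The pool of public addresses
! (assumed values) is used first; when it is exhausted, PAT behind the outside
! interface address takes over, because both lines share id 1.
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
global (outside) 1 interface

! Inside sources allowed to use pool 1. One catch-all line covers the local LAN
! and every regional office subnet that arrives via the MPLS router:
nat (inside) 1 0.0.0.0 0.0.0.0

! Or, to be explicit about which subnets may reach the Internet, one line per
! subnet instead of the catch-all (use these in place of the line above):
! nat (inside) 1 192.168.1.0 255.255.255.0
! nat (inside) 1 192.168.2.0 255.255.255.0
```

On ASA 8.3 and later the nat/global pair is replaced by object NAT (for example 'nat (inside,outside) dynamic interface' under a network object per subnet), but the check is the same: every regional subnet must be covered by a translation rule before hosts on it can start connections to the outside.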
