ASA 5510 Routing issues

craig-allen
Level 1

Hello,

Default route has been set i.e. route outside 0.0.0.0 0.0.0.0 ISP-Router-IP

Inside interface is 192.168.1.254

All internet access for the local subnet, i.e. the inside interface, works 100%; however, regional offices are unable to access the internet. This will be due to a separate MPLS WAN router (192.168.1.253) which interconnects all our regional offices.

So I created static routes for each regional office on the ASA pointing back to the MPLS router.

Within the ASA I can ping regional offices with no issues but from a workstation (default gateway is ASA & not MPLS router) on same subnet as ASA I get request timed out.

I check the ASA log and get the following:

Deny inbound icmp src inside:192.168.1.1 dst inside:192.168.2.1 (type8, code 0)

Static route is as follows:

route inside 192.168.2.0 255.255.255.0 192.168.1.253 1

So basically the ASA is denying the inbound traffic that will then go out the same interface to the MPLS router.

Any suggestions???

2 Replies

a.kiprawih
Level 7

Hi Craig,

When it comes to routing, the ASA/PIX is not as smart as a router. The route statement is meant to facilitate traffic flowing/passing THROUGH the firewall. It does not have the ability to do traffic 'redirection'.

This explains why your workstation is getting 'Request timed out' (RTO) when you ping your regional offices, as your workstation uses the ASA as its default gateway. When ICMP traffic destined for the regional offices hits the ASA, the ASA can't redirect/send it back to your MPLS router. Hence, it will not process it and generates the "Deny inbound icmp src inside:192.168.1.1 dst inside:192.168.2.1 (type8, code 0)" log.

Normally, in your case, you need to have another router/L3 device to do the routing in between, handling traffic meant for the internet and the internal network. This router, for example, will be used as the default gateway for all internal workstations.

In the router, set default route (all 0) to the ASA, and have a specific route (or dynamic routing) to your regional offices pointing to the MPLS router.

Hope this helps!

Rgds,

AK

a.kiprawih
Level 7

Also, please make sure all your regional office subnets are allowed to make/start internet connections in the ASA using the 'nat' command.

This normally looks like (placeholders in angle brackets):

global (outside) 1 <1st_public_IP>-<last_public_IP> netmask <mask> --> a range of public IPs, or

global (outside) 1 interface --> serves as PAT on the outside interface address

nat (inside) 1 0.0.0.0 0.0.0.0 --> allows all internal subnets, or

nat (inside) 1 <regional_subnet> <mask> --> one line per regional office subnet

Rgds,

AK
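An added example, not from either poster, that puts the two replies above into one working configuration. It assumes an IOS router at 192.168.1.250 (address chosen for illustration) becomes the default gateway for the local hosts, the ASA inside stays at 192.168.1.254, the MPLS router stays at 192.168.1.253, and there are two regional office subnets, 192.168.2.0/24 (from the thread) and 192.168.3.0/24 (assumed). The ASA lines use the pre-8.3 nat/global syntax the reply uses; `<ISP-Router-IP>` is left as a placeholder because the thread never gives it.

```text
! --- New default gateway for 192.168.1.0/24: IOS router, hypothetical address 192.168.1.250 ---
interface FastEthernet0/0
 ip address 192.168.1.250 255.255.255.0
!
! Anything not known locally goes to the ASA (internet)
ip route 0.0.0.0 0.0.0.0 192.168.1.254
! Regional office subnets go to the MPLS router (192.168.3.0/24 is an assumed second office)
ip route 192.168.2.0 255.255.255.0 192.168.1.253
ip route 192.168.3.0 255.255.255.0 192.168.1.253

! --- ASA (pre-8.3 NAT syntax) ---
! Return path: internet replies for the regional offices must still leave the ASA via the MPLS router
route outside 0.0.0.0 0.0.0.0 <ISP-Router-IP>
route inside 192.168.2.0 255.255.255.0 192.168.1.253 1
route inside 192.168.3.0 255.255.255.0 192.168.1.253 1
!
! PAT every inside-sourced subnet (local and regional) to the outside interface address
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0
```

Two things this layout relies on that the thread does not spell out: the MPLS router (192.168.1.253) needs its own default route toward the internet, to the ASA at 192.168.1.254 or to the new router, or regional-office traffic never reaches the firewall at all; and every host on 192.168.1.0/24 has to have its default gateway changed from the ASA to the router. The alternative that keeps the ASA as the default gateway is `same-security-traffic permit intra-interface` on the ASA, which lets a packet leave through the interface it arrived on; with it the existing `route inside 192.168.2.0 255.255.255.0 192.168.1.253 1` line is honoured and the "Deny inbound icmp src inside:... dst inside:..." entry goes away. The cost is that every packet between the local subnet and the regional offices crosses the ASA in both directions, because the ASA does not send ICMP redirects to hosts, and on pre-8.3 code inside-to-inside flows that match a `nat (inside) 1` line with no matching `global (inside)` need a `nat (inside) 0 access-list` exemption so they are not dropped for lack of a translation.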
