
ASA as packet redirector

Hello! (Excuse my English :)

We have a problem implementing this scheme:

LAN1 (172.16.2.0/24) ---+
                        |
          L3 Switch (192.168.1.2/24) --- Packeteer --- (192.168.1.1/24) ASA5540 (PAT) --- Internet
                        |
LAN2 (172.16.3.0/24) ---+

ASA5540 software version 7.0(4).

Packeteer is an application analyser and NetFlow generator. It works as a bridge.

The ASA has static routes:

route outside 0.0.0.0 0.0.0.0 y.y.y.y 1

route inside 172.16.0.0 255.255.0.0 192.168.1.2 10

Users from LAN1 and LAN2 have access to the Internet and can ping it successfully.

Ping from the ASA to LAN1 is successful.

Ping from the ASA to LAN2 is successful.

Ping from LAN2 to LAN1 is unreachable:

106014: Deny inbound icmp src inside:172.16.3.2 dst inside:172.16.2.2 (type 8, code 0)

We need the ASA to redirect packets from one network to the other, because the packets must pass through the Packeteer.

Is it possible to solve this problem?

6 REPLIES

Re: ASA as packet redirector

You might need to allow this traffic by using an access-list applied to the internal interface:

access-list INSIDE_IN extended permit ip any any

access-group INSIDE_IN in interface inside

I hope it helps. Please rate it if it does!


Re: ASA as packet redirector

access-list outside_access_in extended permit ip any any

access-list inside_access_in extended permit ip any any

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

Does not work :(

106014: Deny inbound icmp src inside:172.16.2.2 dst inside:172.16.3.2 (type 8, code 0)


Re: ASA as packet redirector

access-list inside_access_in line 2 extended permit icmp any any => allows ICMP traffic from inside

Regards,

Arne


Re: ASA as packet redirector

No :( it does not work.

I think the ASA cannot forward packets from inside to inside.


Re: ASA as packet redirector

Oh, sorry. I was too quick with my answer.

Yes, indeed the ASA and also the PIX do not route U-turn/hairpinned traffic, if that's what you intended. It is not designed to do that. You need a router.

Regards,

Arne


Re: ASA as packet redirector

I think you need the "intra-interface" parameter of the "same-security-traffic permit" command to allow traffic in and back out of the same interface.

Just curious what you have done on the L3 switch to force traffic up to the ASA, to stop the two LAN interfaces on the L3 switch from routing traffic directly between themselves. Did you use PBR?
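The two pieces the last reply points at, written out as an added example (this is not configuration from the thread or from Cisco documentation; it only reuses the addresses, interface name and ACL name the original poster gave). The ASA side lets a packet that entered "inside" leave through "inside" again and permits both directions of the LAN1/LAN2 exchange on the inside ACL, since on a hairpin both the echo and the echo-reply arrive on that one interface. The L3 switch side is the part that makes the hairpin happen at all: without policy routing the switch forwards LAN1-to-LAN2 traffic directly between its two connected subnets and the Packeteer never sees it. The SVI names (Vlan1/Vlan2/Vlan3), the LAN gateway addresses 172.16.2.1 and 172.16.3.1, and the ACL name NO_NAT_INTERNAL are assumptions. Two caveats to check before relying on this: confirm in the release notes for your exact ASA version that "same-security-traffic permit intra-interface" applies to non-VPN traffic (it was introduced for VPN hairpinning, and if your version limits it to that, the U-turn has to be done on a router, as Arne says); and PBR support on Catalyst L3 switches depends on the platform and, on some models, on the SDM template, so verify that "ip policy route-map" is accepted on the SVIs.

```cisco
! ===== ASA 5540 (added example) =====
! Allow a packet that arrived on "inside" to be sent back out of "inside".
same-security-traffic permit intra-interface
!
! Both directions of LAN1<->LAN2 traffic hit the inside ACL on a hairpin.
! "permit ip" covers ICMP too, so echo and echo-reply are both allowed
! even without "inspect icmp" (ICMP is not tracked statefully by default).
access-list inside_access_in extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
!
! Existing route from the thread: both LANs sit behind the L3 switch.
route inside 172.16.0.0 255.255.0.0 192.168.1.2 10
!
! Only if "nat-control" is enabled: hairpinned traffic then needs a NAT
! rule too, so exempt the internal ranges (assumed ACL name NO_NAT_INTERNAL).
! access-list NO_NAT_INTERNAL extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
! nat (inside) 0 access-list NO_NAT_INTERNAL

! ===== L3 switch, Cisco IOS (added example; SVI names and gateways assumed) =====
! Match only inter-LAN traffic; everything else keeps normal destination routing.
ip access-list extended LAN1-TO-LAN2
 permit ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255
ip access-list extended LAN2-TO-LAN1
 permit ip 172.16.3.0 0.0.0.255 172.16.2.0 0.0.0.255
!
! Send matching packets to the ASA inside address instead of routing
! them straight between the two connected subnets.
route-map VIA-PACKETEER permit 10
 match ip address LAN1-TO-LAN2 LAN2-TO-LAN1
 set ip next-hop 192.168.1.1
!
interface Vlan2
 description LAN1 (gateway address is an assumption)
 ip address 172.16.2.1 255.255.255.0
 ip policy route-map VIA-PACKETEER
!
interface Vlan3
 description LAN2 (gateway address is an assumption)
 ip address 172.16.3.1 255.255.255.0
 ip policy route-map VIA-PACKETEER
!
! Deliberately NO "ip policy" here: packets returning from the ASA must use
! the normal routing table, otherwise they are policy-routed back to the
! ASA and loop.
interface Vlan1
 description Towards Packeteer / ASA inside
 ip address 192.168.1.2 255.255.255.0
```

To confirm it is working, watch the policy-map match counters on the switch with "show route-map VIA-PACKETEER" while pinging from LAN2 to LAN1, and on the ASA check that the 106014 "Deny inbound icmp ... inside ... inside" messages stop and that "show conn" lists the inside-to-inside flow. The PBR deliberately covers only the two LAN prefixes; Internet-bound traffic still follows the default route and the "permit ip any any" line already in the thread keeps that path unchanged.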
