10-26-2009 09:33 AM - edited 03-09-2019 10:40 PM
Hello, New to ASA
On an ASA5505 v7.2(4), I am trying to allow traffic between two local networks.
I have the local network 192.168.1.0 and a subnet 192.168.2.0 behind another router. I also have IPsec VPN on the security appliance.
When I connect a computer in the first network (192.168.1.0) to the Internet using the ASA, this computer loses its connection to the subnet (192.168.2.0). The ASA is blocking all the traffic between the networks.
I applied the command same-security-traffic permit intra-interface. I also applied the command
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0, and added the static route: route inside 192.168.2.0 255.255.255.0 192.168.1.254 1, but nothing works.
When I send an ICMP echo, NAT drops the request packet.
The packet tracer output is as follows:
Flow-Lookup allowed
Route-Lookup allowed
Access-list allowed
IP-Options allowed
Inspect allowed
Nat-exempt allowed
Nat allowed
Nat allowed
Host-limit allowed
Nat denied
The packet has been dropped by NAT, and it is the same for the port 3389 (remote desktop).
Thank you in advance.
10-26-2009 11:19 AM
So you are trying to hairpin traffic on the inside interface?
In general that is not good practice. If traffic needs to be routed before the ASA, make sure the RTR routes the traffic from one subnet to the other. The ASA doesn't need to see traffic that goes from inside to inside.
Now if you still insist on doing that, you can try putting in translations for the source and the destination. In other words, you need to identity-translate 192.168.1.0/24 and 192.168.2.0/24. You are NAT-exempting one way but not the return.
Can you try
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
And then you can run a packet tracer again to see if it would fail or not.
I hope it helps.
PK
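PK's point is that the nat0 exemption ACL only covers one direction, so the return flow still hits NAT. The following is an added audit script, not code from the thread or from Cisco: it parses pre-8.3 style `access-list ... extended permit ip <net> <mask> <net> <mask>` lines and reports any exemption that has no reverse-direction entry, then prints the ACEs that would make it symmetric. The ACL text is a constructed sample modelled on the poster's single one-way entry.

```python
import ipaddress
import re

# Constructed sample ACL (not the poster's full config): the first entry is
# the one-way exemption from the question; the 10.10.10.0/24 pair is symmetric.
SAMPLE_ACL = """
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# Only the network/mask form is handled; 'host' and 'any' ACEs are skipped.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_nat0_aces(text):
    """Return (acl_name, src_network, dst_network) for each 'permit ip' ACE."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        # ipaddress accepts dotted-decimal masks, e.g. 192.168.1.0/255.255.255.0
        aces.append((name,
                     ipaddress.ip_network(f"{src}/{smask}"),
                     ipaddress.ip_network(f"{dst}/{dmask}")))
    return aces


def missing_return_exemptions(text):
    """List (acl_name, src, dst) ACEs whose reverse (dst -> src) is absent,
    i.e. flows that are exempt outbound but would still be NATed on return."""
    aces = parse_nat0_aces(text)
    present = {(n, s, d) for n, s, d in aces}
    return [(n, str(s), str(d)) for n, s, d in aces if (n, d, s) not in present]


def suggested_fix(text):
    """Emit the reverse ACEs needed to make every exemption symmetric."""
    lines = []
    for name, src, dst in missing_return_exemptions(text):
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        lines.append(f"access-list {name} extended permit ip "
                     f"{d.network_address} {d.netmask} {s.network_address} {s.netmask}")
    return lines


if __name__ == "__main__":
    for entry in missing_return_exemptions(SAMPLE_ACL):
        print("one-way exemption:", entry)
    print("\n".join(suggested_fix(SAMPLE_ACL)))
```

Run it against a `show running-config access-list` capture to find one-way exemptions before chasing the "NAT denied" stage in packet-tracer.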
10-26-2009 12:42 PM
I am trying to do this as simply as possible. In the ASA I added the static route: route inside 192.168.2.0 255.255.255.0 192.168.1.254 1, and on my computer (192.168.1.153) I set the default route to the ASA's IP address 192.168.1.252 so the ASA can route the traffic that goes to the Internet and the traffic that goes to the subnet via the internal RTR, but then the ASA dropped the traffic that goes to the subnet. Can you tell me how I can avoid the ASA for the traffic that goes from inside to inside? The internal router RTR is routing the traffic from one subnet to the other. The problem is I do not have the password for this router.
Thank you in advance.
10-26-2009 02:43 PM
Hairpinning on the ASA is not a good idea:
host1----RTr-----ASA
|
host2-----
Bad idea: host1>RTR>ASA>RTR>host2
Good idea: host1>RTR>host2
The reason is that the ASA needs advanced NATting that could include caveats, and also the ASA doesn't send ICMP redirects, so the loop will need to happen for all traffic.
On the contrary having RTR route between the 2 subnets is the best idea.
I hope it makes sense.
PK
10-27-2009 09:45 AM
Hi PK,
Thanks for the reply.
If I have this configuration on host1
host1>RTR>host2
Host1 is not going to have Internet access through the ASA, so I need this
host1>RTR>host2
|
|
|----> ASA -> Internet
But I do not know how to configure host1 to do this. One option should be add both routers to host1:
default gateway 192.168.1.254 (RTR)
192.168.1.252 (ASA)
but I do not know if this is correct.
Thanks in advance.
10-27-2009 03:50 PM
If the RTR is between the ASA and host1 and host2, then the router can do the routing.
The default GW of the router will be the ASA (so the host has the RTR as GW and the RTR will send to the ASA for Internet).
When h1 wants to go to h2 it will send it to the RTR, and the RTR will send to host2 since it has a route to it, without sending to the ASA.
I think it is clear now.
PK
10-28-2009 08:51 AM
Thank you for the reply.
Now things are clear for me. The problem is I do not have the password for the router. Your first response works for me, so I am going to figure out how to reset the password.
Thank you, I really appreciate your help.
RC