Cannot access subnet

rafaelcervantes
Level 1

Hello, new to ASA.

On an ASA5505 v7.2(4), I am trying to allow traffic between two local networks.

I have the local network 192.168.1.0 and a subnet 192.168.2.0 behind another router. I also have IPsec VPN on the security appliance.

When I connect a computer to the Internet in the first network (192.168.1.0) using the ASA, this computer loses its connection to the subnet (192.168.2.0). The ASA is blocking all the traffic between the networks.

I applied the command same-security-traffic permit intra-interface. I also applied the command access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0, and added the static route route inside 192.168.2.0 255.255.255.0 192.168.1.254 1, but nothing works.

When I send an ICMP echo, the NAT is dropping the request packet.

The packet tracer output is as follows:

Flow-Lookup allowed

Route-Lookup allowed

Access-list allowed

IP-Options allowed

Inspect allowed

Nat-exempt allowed

Nat allowed

Nat allowed

Host-limit allowed

Nat denied

The packet has been dropped by NAT, and it is the same for port 3389 (remote desktop).

Thank you in advance.

Accepted Solution

Panos Kampanakis
Cisco Employee

So you are trying to hairpin traffic on the inside interface?

In general that is not good practice. If traffic needs to be routed before the ASA, make sure the RTR routes the traffic from one subnet to the other. The ASA doesn't need to see traffic that goes from inside to inside.

Now if you still insist on doing that, you can try putting in translations for the source and the destination. In other words, you need to identity-translate 192.168.1.0/24 and 192.168.2.0/24. You are NAT-exempting one way but not the return.

Can you try:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

And then you can run a packet tracer again to see if it would fail or not.

I hope it helps.

PK
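
As an added example (not configuration posted in this thread), here is the accepted answer consolidated into one ASA 7.2(4) configuration fragment with packet-tracer checks for the ICMP and RDP cases the original poster described. It assumes the ASA inside interface is 192.168.1.252, the internal router RTR is 192.168.1.254 (both from the thread), that the ACL is bound to inside with nat 0, and uses 192.168.2.10 as a constructed host behind RTR.

```cisco
! Added example; assumes inside = 192.168.1.252/24, RTR = 192.168.1.254,
! and 192.168.2.10 is a constructed host behind RTR.
!
! Let a packet that enters "inside" leave through "inside" again (hairpin).
same-security-traffic permit intra-interface
!
! Reach 192.168.2.0/24 through the internal router.
route inside 192.168.2.0 255.255.255.0 192.168.1.254 1
!
! NAT exemption in BOTH directions. The original post had only the first
! line; per the accepted answer the return flow was not exempted and NAT
! dropped it (the "Nat denied" phase in the packet-tracer output).
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Bind the exemption ACL to the inside interface (pre-8.3 nat 0 syntax).
nat (inside) 0 access-list inside_nat0_outbound
!
! Re-run packet-tracer for ICMP echo (type 8, code 0) and RDP (TCP/3389)
! in both directions; the NAT phase should now show ALLOW, not DROP.
packet-tracer input inside icmp 192.168.1.153 8 0 192.168.2.10
packet-tracer input inside tcp 192.168.1.153 50000 192.168.2.10 3389
packet-tracer input inside tcp 192.168.2.10 50000 192.168.1.153 3389
```

Before trusting the hairpin path, note the caveat later in the thread: the ASA sends no ICMP redirects, so every inside-to-inside packet keeps taking this detour through the firewall.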

I am trying to do this as simply as possible. On the ASA I added the static route route inside 192.168.2.0 255.255.255.0 192.168.1.254 1, and on my computer (192.168.1.153) I set the default route to the ASA's IP address 192.168.1.252, so that the ASA can route both the traffic that goes to the Internet and the traffic that goes to the subnet via the internal RTR, but then the ASA dropped the traffic that goes to the subnet. Can you tell me how I can bypass the ASA for the traffic that goes from inside to inside? The internal router RTR is routing the traffic from one subnet to the other. The problem is I do not have the password for this router.

Thank you in advance.

Hairpinning on the ASA is not a good idea:

host1----RTR-----ASA
          |
host2-----+

Bad idea: host1>RTR>ASA>RTR>host2

Good idea: host1>RTR>host2

The reason is that the ASA needs advanced NATting that could include caveats, and also the ASA doesn't send ICMP redirects, so the loop will need to happen for all traffic.

On the contrary having RTR route between the 2 subnets is the best idea.

I hope it makes sense.

PK

Hi PK,

Thanks for the reply.

If I have this configuration on host1:

host1>RTR>host2

Host1 is not going to have Internet access through the ASA, so I need this:

host1>RTR>host2
       |
       |
       |----> ASA -> Internet

But I do not know how to configure host1 to do this. One option would be to add both routers to host1:

default gateway 192.168.1.254 (RTR)

192.168.1.252 (ASA)

but I do not know if this is correct.

Thanks in advance.

If the RTR is between the ASA and host1 and host2, then the router can do the routing.

Default gw of the router will be the ASA (so the host has the RTR as GW and the RTR will send to the ASA for internet).

When h1 wants to go to h2 it will send it to the RTR and the RTR will send to host2 since it has a route to it, without sending to the ASA.

I think it is clear now.

PK

Thank you for the reply.

Now things are clear for me. The problem is I do not have the password for the router. Your first response works for me, so I am going to figure out how to reset the password.

Thank you, I really appreciate your help.

RC
