ASA 5510 with double interfaces, connections fail.
Good day guys,
I have scratched my head until bleeding with the following issue, which I can't seem to resolve. We have an ASA 5510 with 2 interfaces, one for voice and the other for data, on the inside and on the outside. Please refer to the attached diagram and configuration.
On the router before the switch, I have routed all voice traffic to use the “inside voice” and all data traffic to use the “inside data” interfaces of the ASA as the next hop. On the ASA I have routed the outgoing and my subnets accordingly.
If I have traffic going from the "inside voice" to "outside voice" and "inside data" to "outside data", everything works like a champ. However, if I have traffic going from "inside data" to "outside voice" or "inside voice" to "outside data", the applications do not connect. Sometimes I see a "Routing Failed" message and most of the time I see a "Deny (no connection)".
Routing failed to locate next hop for TCP from WAN_DATOS:a.x.10.5/22 to LAN_DATOS:192.168.17.236/1102
Deny TCP (no connection) from b.x.248.37/61440 to 192.168.17.236/13926 flags RST ACK on interface WAN_VOZ
I have made a packet capture from the ASA and I see a bunch of RST, ACK on the "inside" and SYN on the "outside".
I know for a fact that if the routing is done to correspond with the interfaces the applications on those subnets start to work but the others fail.
I have tried the "same-security-traffic permit intra-interface" and "same-security-traffic permit inter-interface" and they did not work either.
Any help would be appreciated.
ip address 10.116.129.10 255.255.255.252
ip address 192.168.47.220 255.255.255.0
ip address 10.116.129.14 255.255.255.252
ip address 192.168.44.55 255.255.255.0
object network OPS-NET-17-5
subnet 192.168.17.128 255.255.255.224
object network DATA-NET
subnet a.x.10.0 255.255.255.0
object network DATA-NET2
subnet a.x.14.0 255.255.255.0
object network DATA-NET3
subnet a.x.173.0 255.255.255.0
object network NAT_DATA_13
object-group network DM_INLINE_NETWORK_1
network-object b.x.248.0 255.255.255.192
network-object b.x.252.0 255.255.255.192
network-object host b.x.10.5
network-object host b.x.14.27
object-group network DM_INLINE_NETWORK_3
network-object 192.168.121.0 255.255.255.0
network-object 192.168.44.0 255.255.255.0
network-object 192.168.17.0 255.255.255.0
network-object 192.168.21.0 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object object DATA-NET
network-object object DATA-NET2
network-object object DATA-NET3
access-list WAN_VOZ_access_in extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_3
access-list LAN_VOZ_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any
access-list LAN_DATOS_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any
access-list WAN_DATOS_access_in extended permit ip object-group DM_INLINE_NETWORK_12 object-group DM_INLINE_NETWORK_3
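To show why the cross-interface flows fail while the symmetric ones work, here is an added example (not the poster's configuration and not Cisco code) that models a stateful firewall pinning each TCP connection to the interface pair seen on the SYN. The routing table, interface names and addresses are constructed to mirror the post's topology, and the firewall behaviour is a simplified assumption, not the ASA's actual implementation.

```python
import ipaddress
# Constructed routing table modelled on the post's topology (two inside, two outside interfaces).
ROUTES = [
    ("192.168.17.0/24", "LAN_DATOS"),
    ("192.168.44.0/24", "LAN_VOZ"),
    ("10.9.10.0/24", "WAN_DATOS"),  # stands in for a.x.10.0/24
    ("10.8.248.0/26", "WAN_VOZ"),   # stands in for b.x.248.0/26
]

def route_lookup(dst, via=None):
    """Longest-prefix match; with `via`, only routes out that interface count."""
    best = (None, None)
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if (via is None or iface == via) and ipaddress.ip_address(dst) in net:
            if best[0] is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1]

class StatefulFirewall:
    """Assumed simplified model: a conn is pinned to the (ingress, egress) interface
    pair seen on the SYN; every later packet must fit that pair."""
    def __init__(self):
        self.conns = {}

    def packet(self, in_iface, src, sport, dst, dport, syn=False):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if syn and fwd not in self.conns:
            out = route_lookup(dst)
            if out is None:
                return f"No route to {dst} for SYN on {in_iface}"
            self.conns[fwd] = (in_iface, out)
            return f"Built connection {in_iface}:{src}/{sport} -> {out}:{dst}/{dport}"
        # Forward direction uses the stored pair as-is; the reply direction swaps it.
        conn = self.conns.get(fwd) or (self.conns[rev][::-1] if rev in self.conns else (None, None))
        expected_in, egress = conn
        if in_iface != expected_in:  # packet arrived on an interface the conn does not own
            return f"Deny TCP (no connection) from {src}/{sport} to {dst}/{dport} on interface {in_iface}"
        if route_lookup(dst, via=egress) is None:  # conn pinned to an interface with no route to dst
            return f"Routing failed to locate next hop from {in_iface}:{src}/{sport} to {egress}:{dst}/{dport}"
        return f"Forward {in_iface} -> {egress}"

def scenarios():
    fw = StatefulFirewall()
    fw.packet("LAN_DATOS", "192.168.17.10", 40000, "10.9.10.5", 443, syn=True)  # symmetric data path
    ok = fw.packet("WAN_DATOS", "10.9.10.5", 443, "192.168.17.10", 40000)
    fw.packet("LAN_DATOS", "192.168.17.10", 40001, "10.8.248.37", 443, syn=True)  # inside data -> outside voice
    wrong_iface = fw.packet("WAN_DATOS", "10.8.248.37", 443, "192.168.17.10", 40001)  # reply on the data WAN
    fw.packet("LAN_DATOS", "192.168.44.9", 40002, "10.9.10.5", 22, syn=True)  # voice host sent in via inside data
    no_next_hop = fw.packet("WAN_DATOS", "10.9.10.5", 22, "192.168.44.9", 40002)
    return ok, wrong_iface, no_next_hop
```

The second scenario reproduces the "Deny TCP (no connection)" and the third the "Routing failed to locate next hop": both are the same root cause, the router's per-traffic-type next hop disagreeing with the ASA's per-subnet routes.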