Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
323
Views
0
Helpful
2
Replies

ASA Inside static routes

seanwaite
Level 1
Level 1

‎11-26-2013 11:02 AM

I have now 2 ASAs configured for static routes on the inside network. The first ASA goes to subnet 10.150.0.0 at 192.168.8.3. So I put in;

route inside 10.150.0.0 255.255.255.224 192.168.8.3 1

On the ASA I can ping 10.150.0.1. But anything on the same 192.168.8.0 subnet, using the ASA as the default gateway can NOT reach this other subnet via 192.168.8.3. I did a traceroute on a Windows machine, and first hop is 192.168.8.3, but then everything else times out. If I do traceroute from the ASA, then it will reach the 10.150.0.1 host.

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-26-2013 11:52 AM

Have you enabled "same-security-traffic intra-interface"? Reference.

0 Helpful

seanwaite
Level 1
Level 1
In response to Marvin Rhoads

‎11-26-2013 12:21 PM

Frustratingly yes. Below is believe all relevant parts of config, plus the results of ping and traceroute from a PC on same LAN

ASA Version 9.1(2)

!

hostname ASA5505

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.0.3 255.255.255.224

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

!

access-list 101 extended permit ip interface inside any4

!

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

!

object network obj-192.168.2.0

nat (inside,outside) dynamic interface

!

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

route inside 10.150.20.0 255.255.255.240 192.168.2.95 1

From any device on the 192.168.2.0 subnet, I get the following;

C:\Windows\system32>ping 10.150.20.2

Pinging 10.150.20.2 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 10.150.20.2:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\system32>tracert 10.150.20.2

Tracing route to 10.150.20.2 over a maximum of 30 hops

  1     2 ms     1 ms     1 ms  192.168.2.95

  2     *        *        *     Request timed out.

  3     *        *        *     Request timed out.

  4     *        *        *     Request timed out.

When I do ICMP debug on the router at 192.168.2.95 , I do see;

ICMP: echo reply sent, src 10.150.20.1, dst 192.168.2.7 (this is the router's inside interface IP)

Behind this router I put up another ASA (only thing I had available) and did ICMP debug there. When doing ping from laptop at 192.168.2.7, ASA shows me

ICMP echo reply from 10.150.20.2 to 192.168.2.7 ID=1 seq=616 len=32

ICMP echo request from 192.168.2.7 to 10.150.20.2 ID=1 seq=617 len=32

As for the sender, again I get Request Timed Out

I read where inter-vlan routing on ASA requires NAT statements, would this be the issue? Is there maybe some other security setting I missed?

Edit: Moderators, I realize posted this in wrong section, could this please be moved to appropriate section?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents