I am having problems connecting to different networks which are connected on the same interface.
Port 0/0 - Internet
Port 0/1 - Connected to LAN (member of vlan 1)
Port 0/2 - Connected to Branch Router (member of vlan 1)
Vlan 1 - 192.168.0.1
Branch Router IP address - 192.168.0.4
Whenever I want to connect to the remote location I have to manually add a route on the machine to reach the remote network through 192.168.0.4.
Did anyone face a similar issue?
If yes, please let me know how this can be resolved.
The surprising part is that I am able to ping the remote branch but not able to access any applications/resources.
Assuming that 192.168.0.1 is a Cisco router, add the following command on 192.168.0.1:
ip route 192.0.0.0 255.255.0.0 192.168.0.4
1) Please run the following command on a computer whose gateway IP is 192.168.0.1, and paste the result here.
2) Please run the following command on the ASA and paste the results here:
packet-tracer input inside tcp 192.168.0.5 3389 18.104.22.168 3389 detailed
I am assuming that the router, firewall and host computer are connected to a shared-media switch or hub.
You have two ways to achieve your goal. One is to add a layer 3 switch and define the routes in it: one default route that points towards the firewall 192.168.0.1, which takes the client to the internet, and one static route 192.168.0.0 255.255.0.0 which points towards the router interface 192.168.0.4.
If you don't have a switch with routing capabilities, manually add the routes on the host computer: one default route and one static route that points towards 192.168.0.4.
Please rate if this is helpful
I had thought of this earlier.
But somehow I don't find doing this comfortable.
Doing this would mean that the ASA is not supporting the "same-security-traffic permit intra-interface" command.
Here we must understand that the routing capabilities of an ASA are limited compared to a router. Initially a PIX would not allow a packet to leave on the same interface that it came in on. This was improved by adding the "same-security-traffic permit intra-interface" command, which I assume you are using. But this does not resolve everything, because the ASA does not reroute the packet the way a router would; it creates a connection the same way it would if the packet left the outside interface. Your problem is that the returning packet doesn't get back to the ASA.

Let's see with an example:

192.168.0.100 makes a TCP connection to 22.214.171.124. The SYN hits the ASA, which opens a connection, then routes the packet to the MPLS router at 192.168.0.4. But the returning SYN packet goes directly to the PC 192.168.0.100 because it is directly connected to the router. Then the PC sends the ACK to the ASA (the default gateway), but it is refused because the ASA never saw the returning SYN. So your TCP connection dies here.

One solution could be to create a sub-interface on the inside interface, configure it on a /22 subnet, put the MPLS router in this subnet and create a static route in the MPLS router for your inside network. This way it would force all returning traffic to go through the ASA.
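The following is an added model, not code from this thread or from Cisco, of why the handshake in the last answer dies and why both proposed fixes (the layer 3 switch holding the routes from the earlier answer, and the sub-interface behind the ASA from this one) work. It reduces the ASA to a connection table that only lets the client's final ACK through after it has seen the branch's SYN/ACK, and walks a three-way handshake across the hops each direction actually takes in each topology. The PC, MPLS router and branch addresses, and TCP port 3389, are constructed for the example; the branch host 10.20.0.10 in particular is an assumption, since the thread does not give a branch address.

```python
"""Why a stateful firewall kills a TCP connection it sees in only one direction."""
from dataclasses import dataclass, field

# Constructed addresses matching the thread's topology; the branch host is assumed.
PC = "192.168.0.100"
MPLS_ROUTER = "192.168.0.4"
BRANCH_HOST = "10.20.0.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN/ACK" or "ACK"

    def key(self):
        return (self.src, self.dst, self.sport, self.dport)

    def reverse_key(self):
        return (self.dst, self.src, self.dport, self.sport)


@dataclass
class StatefulFirewall:
    """Minimal model of the ASA connection table: a flow is only allowed to
    complete once both halves of the handshake have passed through this hop."""
    conns: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def forward(self, pkt):
        if pkt.flags == "SYN" and pkt.key() not in self.conns:
            self.conns[pkt.key()] = "SYN_SENT"  # embryonic connection created
            return self._accept(pkt, "new connection")
        if pkt.flags == "SYN/ACK" and self.conns.get(pkt.reverse_key()) == "SYN_SENT":
            self.conns[pkt.reverse_key()] = "SYN_ACK_SEEN"
            return self._accept(pkt, "reply to embryonic connection")
        if pkt.flags == "ACK" and self.conns.get(pkt.key()) == "SYN_ACK_SEEN":
            self.conns[pkt.key()] = "ESTABLISHED"
            return self._accept(pkt, "handshake complete")
        # Out of state: e.g. an ACK for a flow whose SYN/ACK never crossed the
        # firewall. This is the hairpin case described in the thread.
        self.log.append(f"DROP {pkt.flags} {pkt.src}->{pkt.dst}: no matching state")
        return False

    def _accept(self, pkt, why):
        self.log.append(f"PASS {pkt.flags} {pkt.src}->{pkt.dst}: {why}")
        return True


class PlainHop:
    """Router or layer 3 switch: forwards everything and keeps no flow state."""
    def forward(self, pkt):
        return True


def run_handshake(forward_path, return_path):
    """Walk a TCP three-way handshake over the hops each direction traverses.
    Returns True if the final ACK reaches the branch, i.e. the connection comes up."""
    syn = Packet(PC, BRANCH_HOST, 40000, 3389, "SYN")
    synack = Packet(BRANCH_HOST, PC, 3389, 40000, "SYN/ACK")
    ack = Packet(PC, BRANCH_HOST, 40000, 3389, "ACK")
    for pkt, path in ((syn, forward_path), (synack, return_path), (ack, forward_path)):
        if not all(hop.forward(pkt) for hop in path):
            return False
    return True


def scenario(name):
    """Return (connection_up, asa_log) for one of the three topologies."""
    asa, mpls, l3 = StatefulFirewall(), PlainHop(), PlainHop()
    if name == "hairpin":
        # Current setup: the PC's default gateway is the ASA, which hairpins the SYN
        # back out the inside interface to the MPLS router; the branch's SYN/ACK
        # comes back through the router straight to the PC, bypassing the ASA.
        ok = run_handshake([asa, mpls], [mpls])
    elif name == "l3switch":
        # Fix 1: a layer 3 switch holds the routes, so branch traffic never
        # touches the ASA in either direction.
        ok = run_handshake([l3, mpls], [mpls, l3])
    elif name == "subinterface":
        # Fix 2: the MPLS router sits on its own sub-interface/subnet behind the ASA
        # with a static route back to the inside network, so both directions cross it.
        ok = run_handshake([asa, mpls], [mpls, asa])
    else:
        raise ValueError(name)
    return ok, asa.log


if __name__ == "__main__":
    for topology in ("hairpin", "l3switch", "subinterface"):
        up, log = scenario(topology)
        print(f"{topology:12s} connection {'UP' if up else 'DEAD'}")
        for line in log:
            print("    ", line)
```

Running it shows the hairpin case passing the SYN and then dropping the ACK with "no matching state", which is what a real ASA logs as a denial for a packet that does not belong to an established flow, while the other two topologies complete the handshake. The ICMP ping in the original question succeeds in the hairpin topology because it has no handshake to track, which is why connectivity tests with ping are misleading here. One caveat not discussed in the thread: the ASA also has a per-class TCP state bypass connection option that disables this check for selected flows; it makes the hairpin "work" by giving up the stateful inspection modelled above rather than by fixing the return path.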