04-21-2008 11:44 PM
I am having problems connecting to different networks which are connected on the same interface.
Port 0/0 - Internet
Port 0/1 - Connected to LAN (member of vlan 1)
Port 0/2 - Connected to Branch Router(member of vlan 1)
Vlan 1 - 192.168.0.1
Branch Router IP address - 192.168.0.4
Whenever I want to connect to the remote location I have to manually add a route on the machine to reach the remote network via 192.168.0.4.
Did anyone face a similar issue?
If yes, please let me know how this can be resolved.
The surprising part is that I am able to ping the remote branch but not able to access any applications/resources.
04-22-2008 12:30 AM
04-22-2008 02:14 AM
Hi Pankaj,
Assuming that 192.168.0.1 is a Cisco router, add the following command on 192.168.0.1:
ip route 192.0.0.0 255.255.0.0 192.168.0.4
Regards
04-22-2008 02:19 AM
192.168.0.1 is a Cisco ASA.
192.168.0.4 is a Cisco router.
04-22-2008 02:20 AM
You can check the network diagram for more details.
04-22-2008 02:33 AM
I checked the diagram. Try my suggestion above.
04-22-2008 02:37 AM
04-22-2008 03:05 AM
1) Please run the following command on a computer whose gateway IP is 192.168.0.1, and paste the result here:
tracert 192.0.5.5
2) Please run the following commands on the ASA and paste the results here:
packet-tracer input inside tcp 192.168.0.5 3389 192.0.5.5 3389 detailed
and
sh route
04-22-2008 04:10 AM
I am assuming that the router, firewall and host computer are connected to a shared-media switch or hub.
You have two ways to achieve your goal. One is to add a layer 3 switch and define routes in it: one default route that points towards the firewall 192.168.0.1 (that route takes the client to the Internet) and one static route 192.168.0.0 255.255.0.0 which points towards the router interface 192.168.0.4.
If you don't have a switch with routing capabilities, manually add the routes on the host computer: one default route and one static route that points towards 192.168.0.4.
Please rate if this is helpful
04-22-2008 08:32 PM
Hi,
I had thought of this earlier.
But somehow I don't find doing this comfortable.
Doing this would mean that the ASA is not supporting the
"same-security-traffic permit intra-interface" command.
04-23-2008 09:58 AM
Here, we must understand that the routing capabilities of an ASA are limited compared to a router. Initially a PIX would not allow a packet to leave on the same interface that it came in on. This was improved by adding the "same-security-traffic permit intra-interface" command, which I assume you are using. But this does not resolve everything, because the ASA does not reroute the packet the way a router would: it creates a connection the same way it would if the packet left the outside interface. Your problem is that the returning packet doesn't get back to the ASA.
Let's see with an example:
192.168.0.100 makes a TCP connection to 192.0.0.100. The SYN hits the ASA, which opens a connection, then routes the packet to the MPLS router at 192.168.0.4.
But the returning SYN packet goes directly to the PC 192.168.0.100 because it is directly connected to the router. Then the PC sends the ACK to the ASA (the default gateway), but it is refused because the ASA never saw the returning SYN. So your TCP connection dies here.
One solution could be to create a sub-interface on the inside interface, configure it on a /22 subnet, put the MPLS router in this subnet and create a static route in the MPLS router for your inside network. This way it would force all returning traffic to go through the ASA.
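The asymmetric path described in the post above, as an added example that is not part of the original thread: a small Python model of a stateful firewall that only permits a TCP flow when it has seen SYN, SYN-ACK and ACK in order, run over the poster's flat topology and then over a corrected one. The addresses 192.168.0.100 (PC), 192.0.0.100 (remote server), 192.0.0.1 (router's remote-side interface), port 3389 and the 192.168.4.0/24 subnet used for the fix are assumptions for illustration; the connection-tracking logic is a deliberate simplification of what the ASA actually does.

```python
"""Model of the hairpin/asymmetric-routing failure discussed in the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class StatefulFirewall:
    """Simplified connection tracking: a flow must progress SYN -> SYN-ACK -> ACK
    through this device, otherwise the packet is out of state and dropped."""

    def __init__(self):
        self.conns = {}

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "SYN" and fwd not in self.conns:
            self.conns[fwd] = "SYN_SEEN"          # connection slot created
            return True
        if pkt.flags == "SYN-ACK" and self.conns.get(rev) == "SYN_SEEN":
            self.conns[rev] = "SYNACK_SEEN"
            return True
        if pkt.flags == "ACK" and self.conns.get(fwd) == "SYNACK_SEEN":
            self.conns[fwd] = "ESTABLISHED"
            return True
        return False                              # never saw the previous step


class Node:
    def __init__(self, name, ips, routes, firewall=None):
        self.name = name
        self.ips = list(ips)
        # routes: (prefix, next-hop IP) with next-hop None = directly connected
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.firewall = firewall

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(n, nh) for n, nh in self.routes if dst in n]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None


class Network:
    def __init__(self, nodes):
        self.by_ip = {ip: n for n in nodes for ip in n.ips}

    def deliver(self, pkt, start):
        """Forward hop by hop; return (verdict, list of node names traversed)."""
        node, hops = start, [start.name]
        while pkt.dst not in node.ips:
            if node.firewall and not node.firewall.inspect(pkt):
                return "DROPPED by " + node.name, hops
            entry = node.lookup(pkt.dst)
            if entry is None:
                return "NO ROUTE at " + node.name, hops
            nh = entry[1] if entry[1] is not None else pkt.dst
            node = self.by_ip[nh]
            hops.append(node.name)
        return "DELIVERED", hops


def handshake(net, client, server, cport=50000, sport=3389):
    """Run the three-way handshake; stop at the first packet that fails."""
    c_ip, s_ip = client.ips[0], server.ips[0]
    steps = [(client, Packet(c_ip, cport, s_ip, sport, "SYN")),
             (server, Packet(s_ip, sport, c_ip, cport, "SYN-ACK")),
             (client, Packet(c_ip, cport, s_ip, sport, "ACK"))]
    results = []
    for start, pkt in steps:
        verdict, hops = net.deliver(pkt, start)
        results.append((pkt.flags, verdict, hops))
        if verdict != "DELIVERED":
            break
    return results


def flat_topology():
    """Poster's setup: PC, ASA inside interface and MPLS router all on 192.168.0.0/24."""
    asa = Node("ASA", ["192.168.0.1"],
               [("192.168.0.0/24", None), ("192.0.0.0/16", "192.168.0.4")], StatefulFirewall())
    pc = Node("PC", ["192.168.0.100"], [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")])
    rtr = Node("MPLS-router", ["192.168.0.4", "192.0.0.1"],
               [("192.168.0.0/24", None), ("192.0.0.0/16", None)])
    srv = Node("remote-server", ["192.0.0.100"], [("192.0.0.0/16", None), ("0.0.0.0/0", "192.0.0.1")])
    return Network([asa, pc, rtr, srv]), pc, srv


def split_topology():
    """Fix from the post: router moved behind its own ASA interface (assumed 192.168.4.0/24)
    with a static route on the router for the inside network pointing back at the ASA."""
    asa = Node("ASA", ["192.168.0.1", "192.168.4.1"],
               [("192.168.0.0/24", None), ("192.168.4.0/24", None),
                ("192.0.0.0/16", "192.168.4.4")], StatefulFirewall())
    pc = Node("PC", ["192.168.0.100"], [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")])
    rtr = Node("MPLS-router", ["192.168.4.4", "192.0.0.1"],
               [("192.168.4.0/24", None), ("192.0.0.0/16", None), ("192.168.0.0/24", "192.168.4.1")])
    srv = Node("remote-server", ["192.0.0.100"], [("192.0.0.0/16", None), ("0.0.0.0/0", "192.0.0.1")])
    return Network([asa, pc, rtr, srv]), pc, srv


if __name__ == "__main__":
    for label, build in (("flat", flat_topology), ("split", split_topology)):
        net, pc, srv = build()
        for flags, verdict, hops in handshake(net, pc, srv):
            print(f"{label:5} {flags:7} {verdict:15} {' -> '.join(hops)}")
```

In the flat topology the SYN-ACK travels remote-server -> MPLS-router -> PC without touching the ASA, so the PC's ACK is the first packet of that direction the ASA sees and it is dropped; ping still works because ICMP echo has no handshake to get out of step. In the split topology every packet in both directions crosses the ASA, so the state machine advances and the connection completes.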