Cisco Support Community
New Member

Routing issue with PIX firewall

The detailed network diagram is attached. The default gateway of the inside servers is the ASA 5520.

PROBLEM:

Traffic coming from the XYZ branch to the Scorpio and Alpha servers reaches the servers, which send the reply packets back to their gateway, the ASA 5520. When that traffic reaches the ASA it is dropped and does not get back to the XYZ LAN.

However, the following configuration tasks have been done on the PIX firewall.

1. A static route is configured on the ASA 5520 so that traffic destined for the LAN of the XYZ site has next hop 172.25.1.200, which is the router's FastEthernet interface.

2. An access-list is configured on the inside of the PIX firewall allowing all traffic originating from inside and destined for the XYZ branch LAN.

3. nat 0 is configured for traffic originating from the inside of the PIX firewall to the XYZ site LAN.

Question:

What configuration task has to be performed on the PIX firewall or other devices to sort out this routing issue?

4 REPLIES

Re: Routing issue with PIX firewall

Ignore this post; I got your network configuration muddled up and assumed the ASA was at the XYZ site.

Can you upload your ASA configs by any chance?

New Member

Re: Routing issue with PIX firewall

I am sending you the config of the ASA. I have removed the public IP addresses. Please go through it.

Hall of Fame Super Blue

Re: Routing issue with PIX firewall

I am slightly confused here. If the clients on the XYZ LAN initiate a connection to the Alpha and Scorpio servers, their traffic will go from the remote site through the central site router and out onto the 172.251.x subnet to the servers, i.e. they won't go to the ASA device.

When the servers reply they go to the ASA, and the reply is a SYN/ACK response. The ASA will drop this because it has no corresponding SYN packet in its state table, as the original connection didn't go through it.

Have I misunderstood your setup?

Jon

Hall of Fame Super Blue

Re: Routing issue with PIX firewall

Forgot to mention: if that is the problem then you have two options really.

1) If you have no need to firewall the remote XYZ clients for access to the servers, then you can add routes on the relevant servers for the remote XYZ subnet(s) pointing to the FastEthernet interface on your central site router.

2) If you do need to firewall them, you will have to create a separate subnet which connects the FastEthernet interface on your HQ router to an interface on the ASA. That way remote traffic from the XYZ subnet will have to go through the ASA device before it gets to the servers.

HTH
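The asymmetric path Jon describes, and both of his fixes, as an added simulation that is not part of this thread: every address except the router's 172.25.1.200 is a constructed placeholder, and the ASA's connection handling is reduced to the one rule that matters here (a SYN creates state, anything else needs existing state).

```python
import ipaddress as ip

# Constructed addressing; the thread gives only 172.25.1.200 (HQ router interface).
ANY = ip.ip_network("0.0.0.0/0")
XYZ_LAN = ip.ip_network("10.99.0.0/24")          # assumed XYZ branch LAN
SERVER_LAN = ip.ip_network("172.25.1.0/24")      # assumed HQ server subnet
CLIENT, SERVER = ip.ip_address("10.99.0.10"), ip.ip_address("172.25.1.20")

class ASA:
    """Stateful firewall: a SYN creates a connection entry; any other TCP segment
    is forwarded only if a matching entry exists, otherwise it is dropped."""
    def __init__(self):
        self.conns, self.dropped = set(), []
    def forward(self, src, dst, flags):
        key = frozenset((src, dst))          # one entry covers both directions
        if flags == "SYN":
            self.conns.add(key)
        elif key not in self.conns:          # no SYN seen: the thread's SYN/ACK drop
            self.dropped.append((str(src), str(dst), flags))
            return False
        return True

def next_hop(tables, node, dst):             # longest-prefix match in node's table
    return tables[node][max((n for n in tables[node] if dst in n), key=lambda n: n.prefixlen)]

def deliver(tables, asa, src_node, dst_node, src, dst, flags):
    """Walk the packet hop by hop; the ASA applies its state check when on the path."""
    node = src_node
    while node != dst_node:
        node = next_hop(tables, node, dst)
        if node == "asa" and not asa.forward(src, dst, flags):
            return False
    return True

def handshake_completes(tables):
    """SYN from the XYZ client, then SYN/ACK from the server; (both arrived, ASA drops)."""
    asa = ASA()
    syn = deliver(tables, asa, "client", "server", CLIENT, SERVER, "SYN")
    synack = deliver(tables, asa, "server", "client", SERVER, CLIENT, "SYN/ACK")
    return syn and synack, asa.dropped

def topology(server_via_router=False, router_via_asa=False):
    """As posted: servers default-route to the ASA; the HQ router reaches the server LAN directly.
    Option 1: server routes XYZ LAN via the router. Option 2: ASA sits between router and servers."""
    tables = {"client": {ANY: "router"}, "server": {ANY: "asa"},
              "router": {XYZ_LAN: "client", SERVER_LAN: "asa" if router_via_asa else "server"},
              "asa": {XYZ_LAN: "router", SERVER_LAN: "server"}}
    if server_via_router:
        tables["server"][XYZ_LAN] = "router"
    return tables
```

With the topology as posted the SYN/ACK is the only segment the ASA ever sees for the flow, so it is dropped; either fix makes the handshake complete, but only option 2 leaves the ASA able to inspect the flow at all.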
