Simple routing without firewalling on inside interface

dbrajort1 — Tue, 12 Mar 2019 07:35:49 GMT

Hi,

I have the following problem :

In my datacenter I have an Internet gateway, my ASA, a local network and another gateway to my private network (MPLS).

The gateway to my network is on the inside network of the ASA.

I also have a lot of servers on the same inside network.

So, the ASA inside network, the MPLS gw and the servers are on the same network (192.168.2.0/24)

The ASA is the default router for my servers.

I can't get a connection from any client in the MPLS network to my servers.

I tracked down the problem and I think that the problem is the following:

When a TCP connection is initiated from my servers, it goes to the ASA then to the MPLS.

But when the ACK comes back from the MPLS, it goes directly to the server, so the ASA tears down the connection.

Same thing the other way around.

My servers can ping to the MPLS (ICMP is stateless) but clients from the MPLS can't ping the servers.

In my lab, I tried using a third interface for the MPLS and everything works fine.

I also changed the default router to be the MPLS gw and it also works fine.

But, in the real world, I have no control over both gateways so I can't change the networking settings.

I'm not allowed to use the MPLS gateway as default router for my servers.

And changing all the my servers IP is not an acceptable solution.

The question is : is there a way to simply route the packets from the inside LAN to the MPLS network without inspecting them at all ?

Thanks,

David

Hi David,

Aditya Ganjoo — Fri, 08 Apr 2016 14:58:45 GMT

Hi David,

You can go for TCP state bypass:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html

This will stop inspecting the traffic on the inside interface for your MPLS.

Regards,

Aditya

Please rate helpful posts and mark correct answers.