topic Issue with same interface ASA in Network Security

Issue with same interface ASA

Dmitri Popkov — Tue, 12 Mar 2019 02:36:07 GMT

Good day!

Can any one please give me some advice, how to solve this problem. In our topology i've

This is tunnel topology

(192.168.1.0/24) HQ with 2911 (GRE TUNNEL) (10.10.100.1) ---- (GRE TUNNEL) (10.10.100.1) Remote Office with 2901 (10.20.36.0/24)

Also in remote office i've ASA5505 - which is a default gateway for devices in remote office. Routing - is OK between offices, cause icmp goes without a problem. But when i try to ssh from HQ to remote office (another devices) - session didnt establish.

I've entered this command

same-security-traffic permit intra-interface

but nothig happens. Dont know where can be the problem, also i've applied this ACL -

access-list ALLOW_LAN extended permit ip any any

to inside interface, but it still didnt solve the problem

Can you point me, where can be the problem?

Issue with same interface ASA

Julio Carvajal — Tue, 10 Sep 2013 16:11:01 GMT

Hello,

From where to where are you trying to connect,

Provide a detail diagram specificing Source IP adresses and destination ip addresses

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Issue with same interface ASA

Dmitri Popkov — Fri, 13 Sep 2013 13:57:02 GMT

Here is my topology. So, where can be the problem? Can anyone tell please. Icmp packets from 192.168.1.0/24 to 10.20.36.0 goes with out ant problem, but all tcp, udp traffic doesn't...

Issue with same interface ASA

Jouni Forss — Sun, 15 Sep 2013 15:56:52 GMT

Hi,

Seems to me that you have Asymmetric routing. This will essentially result in the fact that the 10.20.36.0/24 site ASA will not see the complete TCP conversation between the host on the 2 sites. This will mean that the ASA will block these TCP connections because it has not seen all the packets when the TCP connections is brought up.

What I mean is that is that when host on network 192.168.1.0/24 connects to network 10.20.36.0/24 with a TCP connection the following happens

Host 192.168.1.100 connecs to host 10.20.36.100 by sending TCP SYN
The TCP SYN goes through the sites and arrives on the other sites Router which then forwards it directly to host 10.20.36.100
Host 10.20.36 sends TCP SYN ACK to its default gateway (ASA) because the destination is in a remote network (network other than the network where this host resides)
ASA sees the TCP SYN ACK from host 10.20.36.100 but as it has not seen the original TCP SYN from host 192.168.1.100 it drops the packet and the TCP connection never forms.

One solution would be to configure TCP State Bypass but to me this is more of a workaround which could instead be handled by modifying the whole network layout.

Here is a link to a document describing it

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

I would rather change the network setup so that I would connect the router 10.20.36.2 to the ASA firewall on that site. Naturally you would have to change the network between the Router and the ASA to something else. What this would do is that any traffic between networks 192.168.1.0/24 and 10.20.36.0/24 would have to always pass the ASA and you wouldnt run into the problem I mentioned above. This would naturally also give you the change to control the traffic between the sites better.

Hope this helps

- Jouni

Issue with same interface ASA

Dmitri Popkov — Mon, 23 Sep 2013 12:51:32 GMT

Yes, you are right. I've enabled TCP State Bypass and applied rull to internal hosts and problem was solved

Thank you