topic Static Route Issue in Network Security

Static Route Issue

DurableJoe — Mon, 11 Mar 2019 22:48:11 GMT

I have an ASA 5510 running 8.2(1) that I recently purchased and installed.

To give you an overview of our network layout, we have 3 remote offices. Our main office is 10.0.0.0/24. The ASA 5510 is 10.0.0.1. Right now I have a VPN router that the ASA 5510 will eventually be taking the place of at 10.0.0.3. It does a VPN tunnel to 10.0.5.0/24. I have an MPLS router at 10.0.0.2 that connects to the other remote office (10.0.3.0/24). I am also trying to get the ASA 5510 to do a vpn tunnel to 10.0.4.0/24 which has an ASA 5505 in place, but before I try and figure out why that is not working, I want to resolve this static route issue.

The ASA 5510 is working fine for us to get out on the internet from the 10.0.0.0/24 network, it is set as our default gateway on our client machines. However, I cannot ping or in any way see anything on our remote networks from any client on the 10.0.0.0/24 network that uses the ASA 5510 as the default gateway. I can however ping the remote equipment from the CLI interface on the ASA 5510, so I think I have my static routes just fine. It makes me think it is an access list issue or some other command I am missing to keep the thing from blocking the traffic.

Thanks so much to anyone who is willing to point me in the right direction. My brain is just about mush.

Static Route Issue

Jouni Forss — Thu, 29 Mar 2012 06:38:01 GMT

Hi,

The following command(s) came to mind first as I didnt find them on the configuration attached. You traffic is entering and leaving the same interface so you'll need one of the below configurations.

From Cisco material

same-security-traffic

To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.

same-security-traffic permit {inter-interface | intra-interface}

no same-security-traffic permit {inter-interface | intra-interface}

Syntax Description


inter-interface	Permits communication between different interfaces that have the same security level.
intra-interface	Permits communication in and out of the same interface.

Defaults

This command is disabled by default.

Usage Guidelines

Allowing communication between same security interfaces (enabled by the same-security-traffic inter-interface command) provides the following benefits:

•You can configure more than 101 communicating interfaces. If you use different levels for each interface, you can configure only one interface per level (0 to 100).

•You can allow traffic to flow freely between all same security interfaces without access lists.

The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the adaptive security appliance is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the adaptive security appliance and then out again to the other spoke.

Note All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the adaptive security appliance.

Examples

The following example shows how to enable the same-security interface communication:

hostname(config)# same-security-traffic permit inter-interface

The following example shows how to enable traffic to enter and exit the same interface:

hostname(config)# same-security-traffic permit intra-interface

Hope this helps

- Jouni

Static Route Issue

DurableJoe — Thu, 29 Mar 2012 13:11:02 GMT

That is a great suggesting, and I tried it, but it didn't solve the problem. Still can't ping from a client, but can from inside the device.

Static Route Issue

Jouni Forss — Thu, 29 Mar 2012 14:18:58 GMT

Hi,

The above quoted text mentions that the traffic is still subject to normal firewall rules.

Can you make sure that you have permitted ICMP from the interface that has the routes to the remote network.

Can you also check that you have the following inspect configured

policy-map global_policy

class inspection_default

inspect icmp

The "inspect icmp" line basicly simplifies the ICMP handling with the firewall. You wont have to use access-list in both directions to get the ICMP working. Atleast thats how I understood it.

Doesnt seem you have that configured in the attached ASA configuration. Though I'm not sure if its needed in the way your traffic is going. But I'm sure it wont hurt adding the "inspect icmp" anyway.

PS.

Why does both your routes have the same gateway address? Wasn't the other network supposed to be reached from 10.0.0.2 and not 10.0.0.3?

- Jouni