topic Re: Asa 5505 Base static route in Network Security

Asa 5505 Base static route

meadcity984 — Mon, 11 Mar 2019 19:12:04 GMT

I have an asa 5505 base model that I'm having problems with a static route. The inside network is 192.168.168.0/24 the inside interface is 192.168.168.1. There is a second gateway in the network that exists at 192.168.168.101. I need any traffic destined for the subnet 10.0.0.0/8 to go to the 101 gateway. All machines use the asa(192.168.168.1) as their gateway. I have 2 routes in the asa:

route outside 0.0.0.0 0.0.0.0 24.144.192.1 1

route inside 10.0.0.0 255.0.0.0 192.168.168.101 1

All machines are able to get on the internet, but none can reach the 10 network. When I try to ping the 10 network I get the following error:

Deny inbound icmp src inside:192.X.X.X dst inside:10.X.X.X (type 8, code 0)

I can however ping it from the asa itself. I tried adding the same-security-traffic permit intra-interface command to the config and still cannot ping from workstations but get a different error

portmap translation creation failed for icmp src inside:192.X.X.X dst inside:10.X.X.X (type 8, code 0)

I can't understand what I'm missing and am beginning to wonder if this is a base os restriction. I've attached my config

Thanks for any help.

Re: Asa 5505 Base static route

Federico Coto Fajardo — Fri, 19 Nov 2010 22:43:07 GMT

Brian,

The 192.168.168.x will reach 10.0.0.x by reaching the ASA and reroute back via the inside interface correct?

Try adding this command:

static (inside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

And see if it works.

Probably this one:

static (inside,inside) 192.168.168.0 192.168.168.0 netmask 255.255.255.0

Let us know.

Federico.

Re: Asa 5505 Base static route

Deepak Sharma — Sun, 21 Nov 2010 07:52:30 GMT

Hi Brian,

Since you are running 8.2.1 there should have been an ICMP redirect by ASA and a route should be automatically injected on the client workstation for subnet 10.0.0.0 mask 255.0.0.0 GW 192.168.168.101. Sometimes a PC can ignore ICMP redirect packets because of firewall on PC or HIPS, in that case a packet will come to firewall and firewall will forward the packet to 192.168.1.68.101 and then reply will directly reach PC. This all should be fine till ICMP or UDP is used, however for TCP based traffic we need to have a TCP state bypass.

In your case, PC has default gateway set to firewall so first segment with SYN flag will reach firewall and firewall will forward it for 192.168.1681.101. However, a segment with SYN and ACK flags set will directly reach PC from 192.168.168.101 as it will have MAC address of host resolved via ARP; so next segment from PC with ACK flag set coming to ASA will be dropped as there was no SYN-ACk seen by ASA. More details of feature can be found at

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf

Are you using ICMP itself to test the behavior or some TCP traffic. Let us know if it still does not work as per suggesgtion from Federico and enabling TCP state bypass.

Regards,

-Deepak

Re: Asa 5505 Base static route

meadcity984 — Mon, 22 Nov 2010 14:20:49 GMT

Adding both of the static NAT's took care of it. Thanks

Re: Asa 5505 Base static route

goodwin-j — Mon, 29 Nov 2010 21:49:58 GMT

Federico

Can you show the static route commands using the new NAT method in 8.3.2

Thanks

Jess