https://community.cisco.com/t5/network-security/asa-routing/m-p/1440005#M733145 <HTML><HEAD></HEAD><BODY><P>Perhaps when the traffic reaches the ASA, there's a NAT rule and the ASA is expecting a corresponding NAT rule to translate that IP.</P><P></P><P>I see two options to try:</P><P>NAT the traffic, i.e</P><P>nat (outside) 1 IP_of_DMZ_server 255.255.255.2555</P><P>global (outside) 1 interface</P><P></P><P>Or, disable NAT Control?</P><P></P><P>Federico.</P></BODY></HTML> Thu, 03 Jun 2010 20:32:21 GMT Federico Coto Fajardo 2010-06-03T20:32:21Z https://community.cisco.com/t5/network-security/asa-routing/m-p/1440002#M733111 <P>I have dual firewalls on either end of my DMZ and would like for my DMZ hosts to serve up content to <SPAN style="text-decoration: underline;">both</SPAN> internal and public users. My issue is that I'm not sure how to simplify the routing.</P><P>I have my DMZ host with a default gateway of the public firewall (192.168.2.1, per the diagram) which allows it to serve up pages externally. I am currently using static routes defined on the DMZ host (ie. route 192.168.1.0/24 has a gateway of 192.168.2.251) which works fine. I'd like to do away with static routes and have the public firewall reroute the traffic. Traffic from the DMZ host to the internal network should, in my mind, travel:<BR />DMZ Host (192.168.2.10)<BR />Default Gateway (192.168.2.1 / public firewall)</P><P>Inside firewall (192.168.2.251)</P><P>Inside host (192.168.1.x)</P><P></P><P>How do I go about setting this up?</P><P></P><P>Thanks,</P><P>Greg</P> Mon, 11 Mar 2019 17:54:38 GMT https://community.cisco.com/t5/network-security/asa-routing/m-p/1440002#M733111 gregbeifuss 2019-03-11T17:54:38Z https://community.cisco.com/t5/network-security/asa-routing/m-p/1440003#M733124 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>To be able to allow the ASA to reroute traffic backout the same interface in which it received it you need this:</P><P></P><P>same-security-traffic permit intra-interface</P><P></P><P>If routing is correct, then when the internet-facing firewall receives from the ''inside'' interface traffic intended to the internal LAN, then it will u-turn the traffic and reroute it back to the ''inside'' interface (same interface in which it received the traffic).</P><P></P><P>Is this what you're looking for?</P><P></P><P>Federico.</P></BODY></HTML> Thu, 03 Jun 2010 19:10:58 GMT https://community.cisco.com/t5/network-security/asa-routing/m-p/1440003#M733124 Federico Coto Fajardo 2010-06-03T19:10:58Z https://community.cisco.com/t5/network-security/asa-routing/m-p/1440004#M733131 <HTML><HEAD></HEAD><BODY><P>I should have mentioned that I already have the same-security-traffic permit intra-interface statement in my configuration.</P><P></P><P>When I use the packet tracer, the packet is dropped during a NAT phase by the rpf-check.</P></BODY></HTML> Thu, 03 Jun 2010 20:29:40 GMT https://community.cisco.com/t5/network-security/asa-routing/m-p/1440004#M733131 gregbeifuss 2010-06-03T20:29:40Z https://community.cisco.com/t5/network-security/asa-routing/m-p/1440005#M733145 <HTML><HEAD></HEAD><BODY><P>Perhaps when the traffic reaches the ASA, there's a NAT rule and the ASA is expecting a corresponding NAT rule to translate that IP.</P><P></P><P>I see two options to try:</P><P>NAT the traffic, i.e</P><P>nat (outside) 1 IP_of_DMZ_server 255.255.255.2555</P><P>global (outside) 1 interface</P><P></P><P>Or, disable NAT Control?</P><P></P><P>Federico.</P></BODY></HTML> Thu, 03 Jun 2010 20:32:21 GMT https://community.cisco.com/t5/network-security/asa-routing/m-p/1440005#M733145 Federico Coto Fajardo 2010-06-03T20:32:21Z https://community.cisco.com/t5/network-security/asa-routing/m-p/1440006#M733158 <HTML><HEAD></HEAD><BODY><P>Also, on previous releases there was a limitation with u-turning the traffic because it was only used on encrypted traffic.</P><P>For example, to terminate the VPN tunnel and then redirect it either trough another tunnel (encrypted) or in the clear to the Internet.</P><P></P><P>I have not tested myself if it works now on receiving clear text and sending it back as clear text.</P><P></P><P>Federico.</P></BODY></HTML> Thu, 03 Jun 2010 21:02:56 GMT https://community.cisco.com/t5/network-security/asa-routing/m-p/1440006#M733158 Federico Coto Fajardo 2010-06-03T21:02:56Z https://community.cisco.com/t5/network-security/asa-routing/m-p/1440007#M733179 <HTML><HEAD></HEAD><BODY><P>Thanks for your comment on the u-turning not working properly. No matter which NAT rule I write, the rpf-check drops me everytime. I'm using 8.2.2 and I'll just leave in the static route entries for now.</P></BODY></HTML> Fri, 04 Jun 2010 14:41:28 GMT https://community.cisco.com/t5/network-security/asa-routing/m-p/1440007#M733179 gregbeifuss 2010-06-04T14:41:28Z