topic Re: Routing problem - ASA in Network Security

Routing problem - ASA

cisco_lite — Mon, 11 Mar 2019 14:42:20 GMT

hi,

I am not able to ping to management interface of ASA from one of the vlans on the inside. Reason is that the route back to my PC takes a different path due to route definition in the routing table of ASA. This route enables internet access. However, when I remove the route and add another route to my PC via different hop (management vlans gateway), ping goes through. But then internet access fails due to lack of related route.

In absence of Policy based routing how can I achieve both the connectivity.

Thanks.

Re: Routing problem - ASA

pstebner10 — Mon, 26 Jan 2009 21:46:47 GMT

Can you post a partial config showing your interface/vlan defs, your acls, your nat/global statements and your route(s)?

Re: Routing problem - ASA

cisco_lite — Mon, 26 Jan 2009 21:55:20 GMT

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2

interface Management0/0

duplex full

nameif management

security-level 50

ip address 20.0.0.11 255.255.255.0 standby 20.0.0.12

management-access management

route inside 10.1.1.0 255.255.255.0 192.168.180.3

route outside 0.0.0.0 0.0.0.0 86.192.54.13

-------------

My PC ip is 10.1.1.99 from where ping to 20.0.0.11 is initiated. If I remove the command 'route inside 10.1.1.0 255.255.255.0 192.168.180.3' and instead put in 'route inside 10.1.1.0 255.255.255.0 20.0.0.1' which is the gateway on management interface then ping is successful but then the default internet traffic gets routed back through management subnet and not 192.168.180.3 and hence packets are dropped.

Re: Routing problem - ASA

pstebner10 — Tue, 27 Jan 2009 14:57:08 GMT

From your config I still can't get a good picture of what your network looks like. Can you post the whole config and maybe a brief topology overview? I'm wondering if there is some other L3 device that you could use for routing inside, as firewalls are not necessarily the most efficient routers.

Re: Routing problem - ASA

hunnetvl01 — Tue, 27 Jan 2009 15:11:12 GMT

Is this a switch there ?

192.168.180.3

If yes can you copy teh routes here?

Vlad

Re: Routing problem - ASA

Tshi M — Tue, 27 Jan 2009 15:47:54 GMT

please post a jpg of your topology and also any L3 devices' configuration? It is hard to grasp a clear picture of your environment.

Regards,

Re: Routing problem - ASA

cisco_lite — Tue, 27 Jan 2009 18:22:23 GMT

Topology:

INSIDE VLAN -> FWSM -> MSFC -> ASA2 -> ASA1

MSFC is also directly connected to ASA1 Management Interface i.e. Vlan20 SVI on MSFC.

I am not able to ping the management IP of ASA1 from INSIDE VLAN.

192.168.180.3 is the SVI on MSFC.

ASA1 Management IP belongs to a VLAN defined on MSFC i.e. VLAN20 (management VLAN) so it does 'not' go through ASA2. MSFC VLAN20 and ASA1 management interface are L2 adjacent.

When I ping ASA1 management ip from INSIDE VLAN, the route is

One-way Traffic Flow

INSIDE VLAN gateway (FWSM) -> MSFC SVI connected to FWSM OUTSIDE -> MSFC SVI (VLAN20) -> ASA1 Management Interface

Return Traffic Flow

ASA1 INSIDE interface (because the route to INSIDE VLAN is driven through ASA1 INSIDE interface to support normal internet traffic) -> ASA2 OUTSIDE (And the packet drops because of stateful nature of the firewalls - asymmetric routing takes place)

Please assist.

Thanks.

Re: Routing problem - ASA

Jon Marshall — Tue, 27 Jan 2009 18:53:33 GMT

Inside vlan = vlan 10 - 10.1.1.0/24

access-list 101 permit ip 10.1.1.0 0.0.0.255 host 20.0.0.11

int vlan 10

ip nat inside

int vlan 20

ip nat outside

ip nat inside source list 101 interface vlan 20 overload

Jon

Re: Routing problem - ASA

cisco_lite — Sat, 07 Feb 2009 17:46:50 GMT

hi Jon,

With the given solution, ping from vlan10 to vlan20 works but not the other way round.

When I disabled the natting ping from vlan20 to vlan10 works.

How can I achieve bi-directional communication with natting enabled as mentioned in your post.

Thanks.

Re: Routing problem - ASA

Jon Marshall — Mon, 09 Feb 2009 18:32:45 GMT

If you want to have bidirectional NAT then you can't use dynamic NAT, you will have to use statics translations. So for each 10.1.1.x host you want to be able to ping from the ASA management interface you would need to setup the following -

1) You need a spare IP address to present each 10.1.1.x address to the ASA. This can either be from the 20.0.0.x network

you can use a totally new network that is unused but you then need to add a route to the ASA. Lets say you choose 192.168.10.0/24

route (inside) 192.168.10.0 255.255.255.0 20.0.0.1

Lets assume you use spare addresses from 20.0.0.x network.

int vlan 10

ip nat inside

int vlan 20

ip nat outside

ip nat inside source static 10.1.1.99 20.0.0.99 route-map PNAT

access-list 101 access-list 101 permit ip 10.1.1.0 0.0.0.255 host 20.0.0.11

route-map PNAT permit 10

match ip address 101

etc.. for each 10.1.1.x address you want to be able to NAT from the ASA.

Jon

Re: Routing problem - ASA

cisco_lite — Mon, 09 Feb 2009 20:03:13 GMT

Thanks Jon.

One more query...Could you please let me know whether source address nat'ing is supported in FWSM 3.2

I am struggling to find materials/command to do source address nat'ing (on the network) in FWSM.

For e.g. I would like to NAT the source address of packet when originated from one interface/subnet (such as 2.0.0.x/24) and routed out another interface to 30.0.0.x/24 network. 30.0.0.x/24 network may be couple of hops aways from the out interface.

THe requirement to do this NAT bi-directionally.

Please assist.

Thanks.

Re: Routing problem - ASA

Jon Marshall — Mon, 09 Feb 2009 20:18:01 GMT

Source natting is definitely supported on the FWSM.

It doesn't matter how many hops away the destination is.

Assuming 2.0.0.x is on the inside interface of the FWSM and that the 30.0.0.x/24 network is reachable via the outside interface of the FWSM -

1) If you want to present the internal addresses to the outside as the same addresses -

static (inside,outside) 2.0.0.0 2.0.0.0 netmask 255.255.255.0

Note that whatever device the 30.0.0.0/24 subnet is routed off that device will need to know where to go to get back to the 2.0.0.0/24 network.

2) If you want to present the 2.0.0.x addresses as different addresses

static (inside,outside) 5.0.0.0 2.0.0.0 netmask 255.255.255.0

Again devices on the outside of the FWSM will need to know how to route to the 5.0.0.x network which should be routed to the outside interface of the FWSM.

Jon

Re: Routing problem - ASA

cisco_lite — Thu, 12 Feb 2009 20:12:05 GMT

I tried option 2 but I don't see the source address being NAT'ed.

Static entry (host level only):

static (inside,outside) 5.0.0.99 2.0.0.99 netmask 255.255.255.255

Debug log at the outgoing router:

.Feb 12 20:07:27.327: IP: tableid=0, s=2.0.0.99 (GigabitEthernet0/0), d=10.0.0.4 (GigabitEthernet0/0), routed via RIB

10.0.0.4 is the router ethernet.

Re: Routing problem - ASA

cisco_lite — Tue, 17 Feb 2009 14:08:48 GMT

I am now running a sniffer trace on the outside interface of FWSM connected to the router. And I still see the unnat'ed actual source ip going out on ping requests.

Is there any thing else other than the static entry in FWSM required for source address NAT'ing.

Such a simple thing...I don't know what is missing ? Its been week I am trying to get source NAT'ing done on FWSM.

Please assist.

Thanks a lot.

Re: Routing problem - ASA

Jon Marshall — Tue, 17 Feb 2009 15:47:39 GMT

Sorry, i missed your follow up on this.

Can you post

1) all the NAT config relevant to inside and outside interfaces.

2) IP address you are coming from on the inside.

3) Output of "sh xlate"

Jon

Re: Routing problem - ASA

cisco_lite — Tue, 17 Feb 2009 16:44:30 GMT

Thanks for returning on this.

There is only one static NAT entry

static (inside,outside) 5.0.0.99 2.0.0.99 netmask 255.255.255.255

The IP address I am coming from on the inside is 2.0.0.99

The relevant sh xlate is

Global 2.0.0.99 Local 2.0.0.99

(Pls excuse me for not posting complete 'sh xlate' output)

So it is not getting NAT'ed to 5.0.0.99

Re: Routing problem - ASA

Jon Marshall — Tue, 17 Feb 2009 22:13:28 GMT

Do you have any other NAT statements ie. not just static entries on the inside. Key thing is do you have any nat exemption rules on the inside interface.

It could be that a nat rule is being used before your static entry.

The other thing is have you tried clearing that specific xlate entry

clear xlate 2.0.0.99 (syntax may need changing for FWSM)

Jon