topic Re: ASA doesn't route the packet in Network Security

ASA doesn't route the packet

michelerossi — Mon, 11 Mar 2019 11:42:16 GMT

I have an ASA 5500 and it has a gateway of my Lan.

The asa rotates the packets destined to 2 remote nets toward a router cisco,through a chart of static routes.

The problem is that it only passes the ping toward the remote lan, while all the other protocols and sessions are blocked !!!!

Only ICMP packet are forwarding.

I have capture this message into the ASA log:

" 106015 192.168.10.14 192.168.13.13Deny TCP (no connection) from 192.168.10.14/21438 to 192.168.13.13/1720 flags RST on interface LAN.

Best Regards

Re: ASA doesn't route the packet

Collin Clark — Tue, 11 Dec 2007 18:14:39 GMT

Can you post a diagram with IPs?

Re: ASA doesn't route the packet

michelerossi — Wed, 12 Dec 2007 08:47:30 GMT

the attachments describe the network and Ip addresses assigned to the Cisco Routers and ASA.

Thanks

Re: ASA doesn't route the packet

Alan Huseyin Kayahan — Wed, 12 Dec 2007 08:49:32 GMT

If this was a routing issue, you would have the following log in syslog

No route to host 192.168.13.13

This looks like an ACL issue. Is 192.168.10.14 in your inside network (inside interface)? And where is 192.168.13.13 located? DMZ interface?

Re: ASA doesn't route the packet

Alan Huseyin Kayahan — Wed, 12 Dec 2007 08:59:40 GMT

Michael

IP adresses in diagram and in you post do not match. Can you correct please?

Also please run

sh run access-group

access-group xxxx in interface inside

If you see a line like above, (xxxx is your acl name) please send the output of

sh run access-list xxxx

Re: ASA doesn't route the packet

michelerossi — Wed, 12 Dec 2007 09:37:06 GMT

sorry

but this is the correct message:

106015 172.31.0.14 172.29.0.14 Deny TCP (no connection) from 172.31.0.14/21438 to 172.29.0.14/1720 flags RST on interface LAN.

My first message was correlate to another ASA Log message, where I've the same problem.

Re: ASA doesn't route the packet

Alan Huseyin Kayahan — Wed, 12 Dec 2007 09:47:06 GMT

Thanks

So can you please post the output of following commands

sh run access-group

access-list xxxx in interface LAN

(xxxx is the name of your ACL)

sh run access-list xxxx

Re: ASA doesn't route the packet

michelerossi — Wed, 12 Dec 2007 10:17:00 GMT

Sent the attachment.

Re: ASA doesn't route the packet

Alan Huseyin Kayahan — Wed, 12 Dec 2007 10:30:14 GMT

Thanks. Please post the output of following also

packet-tracer input tcp LAN 172.31.0.14 21438 172.29.0.14 1720 detailed

Re: ASA doesn't route the packet

michelerossi — Wed, 12 Dec 2007 10:52:57 GMT

See the attach

Re: ASA doesn't route the packet

Alan Huseyin Kayahan — Wed, 12 Dec 2007 11:15:28 GMT

According to packet trace, ASA allows the flow, nothing wrong with ASA. And as I see RST statement in syslog, I suspect the remote client. Maybe restarting the client may work, do you encounter the same issue when you try to reach another client again in that subnet too?

Re: ASA doesn't route the packet

michelerossi — Wed, 12 Dec 2007 11:25:23 GMT

I've got the same issue to reach all clients of all remote networks, include the Lan ip address routers.

The ASA version is 8.0.(2).

If I do a traceroute from ASDM Tools from the Lan to the 172.29.0.0 or 172.30.0.0, it function only if I flag "use ICMP" button

Also I've the same problem into another client with the same ASA (version 8.0.(3)).

Re: ASA doesn't route the packet

Alan Huseyin Kayahan — Wed, 12 Dec 2007 13:06:17 GMT

what happens when you temporarily add

access-list LAN_access_in permit ip any any

Re: ASA doesn't route the packet

michelerossi — Wed, 12 Dec 2007 13:55:19 GMT

The same thing.

Re: ASA doesn't route the packet

Alan Huseyin Kayahan — Fri, 14 Dec 2007 11:26:55 GMT

Michel can you please post the following commands output also ?

traceroute 172.29.0.14 use-icmp

and

traceroute 172.29.0.14

Re: ASA doesn't route the packet

michelerossi — Fri, 14 Dec 2007 16:19:11 GMT

the traceroute is to 172.29.0.254 ( IP Lan of the Remote Router ).

The 172.29.0.14 is switchoff.

Re: ASA doesn't route the packet

lukasdrbo — Thu, 20 Dec 2007 17:35:21 GMT

hi michele,

i have same problem as you, do you have solution for it please ?

thx

lukas

Re: ASA doesn't route the packet

fbroussey — Tue, 18 Mar 2008 11:20:17 GMT

hi everybody,

I experienced the same issue. My network diagram is similar. Do you find a solution to that problem?

Thanks a lot for your help.

Re: ASA doesn't route the packet

michelcaissie — Tue, 18 Mar 2008 15:26:11 GMT

Here, we must understand that the routing capabilities of a ASA is limited compared to a router. Initially a PIX would not allowed a packet to leave an interface on the same

interface that they came in. This was improved by adding the "same-security-traffic permit intra-interface" command, wich i assume you are using. But this does not resolve everything,

because the ASA does not reroute the packet the way a router would , it creates a connection the same way it would if the packet leave the outside interface.Your problem is that

the returning packet doesn't get back to the ASA.

Let see with an example;

(I assume that the PC on the inside have the ASA as the default gateway)

172.31.0.100 make a tcp connection on 172.29.0.100. The SYN hits the ASA wich opens a connection , then route the packet to the MPLS router at 172.31.0.254.

But the returning SYN packet goes directly to the PC 172.31.0.100 because it is Directly Connected to the router. Then the PC sends the ACK to the ASA ( the default gateway)

but it is refused because the ASA never saw the returning SYN . So your TCP connection dies here.

The problem does not occur with icmp because there is no three way handshake and it doesn't matter if the replies doesn't pass through the ASA.

One solution could be to create a sub-interface on the inside interface, configure it on a /22 subnet , put the MPLS router in this subnet and create a static route in the MPLS router for your

inside network. This way it would force all returning traffic to go through the ASA.

Posts in this discussion have

rosaho — Mon, 13 Jul 2015 20:11:50 GMT

Posts in this discussion have been modified to comply to the CSC terms of use.