ASA and UC540 side-by-side traffic issue (ASA router on a stick)

cmonks
Level 1

I'm trying to set up an ASA and a UC540 side by side, to utilize the ASA for data networking and the UC540 for voice. This 'should' work fine, I just seem to be having an issue where the ASA seems to be blocking traffic from the voice network as it passes through.

So here is the LAN setup:
ASA: 1.1.1.1
UC540: 1.1.1.2

The UC has a voice vlan 10.1.1.1/24 and a service module at 10.1.10.1/30

My PC uses the ASA as its default gateway, 1.1.1.1

The ASA then has static routes to the UC networks
Route 10.1.1.1/24 1.1.1.2
Route 10.1.10.1/30 1.1.1.2

Ping from PC to the UC networks works fine. However, ping from the UC networks to PC fails. ASA logs show traffic being denied due to not having an established connection or something.

My guess is that the traffic is being blocked because the egress and ingress paths are different? Traffic from the PC goes to the ASA, then gets routed to the UC and it works. However in the other direction, traffic from the UC is going directly to the PC and bypassing the ASA, because it's a directly connected network and doesn't have to route through the ASA to get to the PC. The reply traffic from the PC DOES go through the ASA following its route table, thus the issue of the ASA not seeing the established connection?

Same-security inter- and intra-interface is enabled.

So I think I see the issue, I just don't know how to fix it. Is there something I can configure on the ASA to allow for this? My only other option would be to configure a /30 on a new vlan to handle the routing between the UC and ASA or something, but that seems like it's going to make this simple setup way too complicated with extra networks, vlans, trunks, etc.

I am running ASA version 8.4.5 (I think), so I don't know if the new version or NAT configs have anything to do with it.

Help!

1 Reply

cmonks
Level 1

Well I just found a thread with this exact issue, confirming my suspicions. Anyone have any additional thoughts?

Quote:
"Do you have the ASA set as your default gateway? Is your UC560 connected to the same network as your PCs? There are two main issues in this scenario:

1. When you send the SYN to 10.1.10.2, for example, it will first go to the ASA. It will see that it needs to forward it back to the UC560, but by default the ASA doesn't allow traffic to come in an interface and back out the same interface, so it will drop the packet. This can be overcome, but please see #2.

2. If you configure the ASA to allow forwarding of the traffic back out the same interface, it will forward the SYN packet to the UC560. When the UC560 responds with the SYN ACK, it will go directly to the PC since it's a locally connected network. When the PC sends the ACK back, it will go to the ASA. The ASA will inspect that packet (stateful firewall) and see there was a SYN, but because the SYN ACK went directly to the PC, the ASA won't see that and it will only see SYN and ACK without the SYN ACK, so it will drop the packet. This is messy to overcome and not suggested.


There are a few ways to workaround this issue (in order of my preference):

1. Put the UC560 between the ASA and the PCs. It would look something like this: ASA (inside) ---- (WAN) UC560 (Data VLAN) ---- PCs. This can work with a new setup, but can be disruptive for existing setups.

2. Connect the UC560 to a DMZ interface on the ASA. This will put the UC560 on its own network and all traffic from the PCs to the UC560 will go through the ASA. This is less disruptive of an existing setup than #1.

3. Add a static route on your PC pointing to the UC560 for the 10.1.1.0 and 10.1.10.0 networks. This may work for a few PCs, but can be a pain for a lot of PCs.

4. Make the default route point to the UC560 instead of the ASA. This isn't optimal.

I think #1 or #2 are the cleanest options and what I would suggest if possible."
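As an added illustration (not from this thread or from Cisco), here is a small Python model of the handshake the quote walks through: a stateful filter only tracks the segments that actually traverse it, so when the SYN-ACK takes the direct LAN path the ASA sees SYN then ACK and denies the flow. The topology names, the hop model and the connection-table logic are constructed for the example and are not ASA internals; it also shows why workarounds #2 (DMZ interface) and #3 (static route on the PC) restore a symmetric path.

```python
# Constructed toy model of the asymmetric-path problem (example code, not ASA internals).
PC, ASA, UC = "PC", "ASA", "UC"


class StatefulFirewall:
    """Minimal TCP handshake tracker: a flow is permitted only when SYN, SYN-ACK
    and ACK are each seen by the firewall in order; anything else is denied."""

    def __init__(self):
        self.conns = {}   # (client, server) -> handshake state
        self.log = []     # (flags, verdict) for every segment inspected

    def _verdict(self, verdict, flags):
        self.log.append((flags, verdict))
        return verdict

    def inspect(self, src, dst, flags):
        fwd, rev = (src, dst), (dst, src)
        if flags == "SYN" and fwd not in self.conns:
            self.conns[fwd] = "SYN_SEEN"
            return self._verdict("permit", flags)
        if flags == "SYN-ACK" and self.conns.get(rev) == "SYN_SEEN":
            self.conns[rev] = "SYNACK_SEEN"
            return self._verdict("permit", flags)
        if flags == "ACK" and self.conns.get(fwd) == "SYNACK_SEEN":
            self.conns[fwd] = "ESTABLISHED"
            return self._verdict("permit", flags)
        return self._verdict("deny", flags)   # out-of-order or unknown flow


def path(src, dst, topology):
    """Hops a segment crosses (constructed topologies):
    flat            - PC and UC share a LAN; the PC's default gateway is the ASA,
                      so PC->UC goes via the ASA but UC->PC is delivered directly.
    pc_static_route - PC routes the UC networks via the UC (workaround #3).
    dmz             - UC sits on its own ASA interface (workaround #2)."""
    if topology == "dmz" or (topology == "flat" and src == PC):
        return [ASA]
    return []   # delivered directly on the shared segment


def run_handshake(topology):
    """Replay SYN / SYN-ACK / ACK and report whether the flow got established."""
    fw = StatefulFirewall()
    segments = [(PC, UC, "SYN"), (UC, PC, "SYN-ACK"), (PC, UC, "ACK")]
    delivered = 0
    for src, dst, flags in segments:
        verdict = fw.inspect(src, dst, flags) if ASA in path(src, dst, topology) else "bypass"
        if verdict == "deny":
            break
        delivered += 1
    return {"established": delivered == len(segments), "asa_log": fw.log}
```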
