ASA 5505 Inside static route issue

asteriskal (Level 1)

Hello,

I have a weird issue.

The ASA is set up for NAT, has a public IP on the outside interface and 10.0.0.0/24 on the inside.

I tried to put in a static route for 10.0.9.0/24 via gateway 10.0.0.12 (inside). Here is how I did it:

new name for network:

name 10.0.9.0 OpenVpn description OpenVpn

NAT exempt:

access-list nonat extended permit ip 10.0.0.0 255.255.255.0 OpenVpn 255.255.255.0

inside traffic allowed to any:

access-list inside_access_in extended permit ip any any log disable

static route:

route inside OpenVpn 255.255.255.0 10.0.0.12 1

packets are being dropped by the implicit rule:

FW01# packet-tracer input inside tcp 10.0.0.7 1025 10.0.9.7 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   OpenVpn         255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

What am I missing here?

Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

I think you will probably need the configuration command "same-security-traffic permit intra-interface", but this won't be your only problem.

You will be running into problems with the routing setup here.

I assume that for the network 10.0.0.0/24 the default gateway router will be the ASA. By itself it doesn't pose any problems for the network 10.0.0.0/24 connections to the Internet through the ASA, but you will run into problems with TCP traffic between the 2 networks 10.0.0.0/24 and 10.0.9.0/24.

Here is what will happen if, for example, a host in the network 10.0.0.0/24 initiates a connection to the network 10.0.9.0/24:

  • Host 10.0.0.x starts forming a TCP connection with host 10.0.9.x by sending a TCP SYN
  • Host 10.0.0.x sends this to its default gateway, the ASA, since the destination host is in another network
  • The TCP SYN arrives on the ASA and goes through (after the above suggested configuration is configured)
  • The TCP SYN arrives at host 10.0.9.x, which replies with TCP SYN,ACK
  • Since the network 10.0.9.0/24 has its own gateway on a router behind the ASA that sees both the network 10.0.0.0/24 and the network 10.0.9.0/24, the TCP SYN,ACK will be sent directly to the host 10.0.0.x and NOT through the ASA
  • The host 10.0.0.x will finally try to finalize the TCP connection with a TCP ACK and sends this to the default gateway device, the ASA
  • The ASA sees the TCP ACK, but it hasn't seen the TCP SYN,ACK (which bypassed the ASA because of the internal router) and therefore blocks the TCP ACK, and the TCP connection fails.
  • To bypass this operation on the ASA you would have to configure something called TCP State Bypass, which essentially disables a central feature of the firewall between these LAN networks.
  • The alternative would be to rethink the LAN routing setup and connectivity to the ASA to avoid this asymmetric routing

- Jouni
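The two failure points described above (the inside-to-inside hairpin the packet-tracer run hit, and the handshake broken by the asymmetric return path) can be replayed in a small constructed model. This is an added example, not ASA code or anything from the thread; the class, its flag names and the drop strings are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})


class ToyStatefulFirewall:
    """Constructed model (hypothetical, not ASA code) of the intra-interface
    check and the stateful TCP handshake tracking discussed in the thread."""

    def __init__(self, intra_interface_permit=False, tcp_state_bypass=False):
        self.intra_interface_permit = intra_interface_permit  # "same-security-traffic permit intra-interface"
        self.tcp_state_bypass = tcp_state_bypass              # "TCP State Bypass"
        self.flows = {}  # (client, server) -> handshake state

    @staticmethod
    def interface(ip):
        # Both 10.0.0.0/24 and 10.0.9.0/24 are reached via the inside interface
        return "inside" if ip.startswith("10.0.") else "outside"

    def process(self, pkt):
        # Hairpin: inside -> inside is dropped unless intra-interface traffic is permitted
        if self.interface(pkt.src) == self.interface(pkt.dst) and not self.intra_interface_permit:
            return "DROP: intra-interface traffic not permitted"
        if self.tcp_state_bypass:
            return "ALLOW: tcp state bypass"  # no handshake enforcement at all
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == {"SYN"}:
            self.flows[fwd] = "SYN_SEEN"
            return "ALLOW"
        if pkt.flags == {"SYN", "ACK"} and self.flows.get(rev) == "SYN_SEEN":
            self.flows[rev] = "SYNACK_SEEN"
            return "ALLOW"
        if pkt.flags == {"ACK"} and self.flows.get(fwd) == "SYNACK_SEEN":
            self.flows[fwd] = "ESTABLISHED"
            return "ALLOW"
        return "DROP: no matching flow for this TCP segment"


def run_handshake(fw, synack_via_asa):
    """Replay the 10.0.0.7 -> 10.0.9.7 handshake; synack_via_asa=False models
    the router at 10.0.0.12 delivering the SYN/ACK straight to the client."""
    client, server = "10.0.0.7", "10.0.9.7"
    verdicts = [fw.process(Packet(client, server, frozenset({"SYN"})))]
    if synack_via_asa:
        verdicts.append(fw.process(Packet(server, client, frozenset({"SYN", "ACK"}))))
    else:
        verdicts.append("SKIPPED: SYN/ACK bypassed the ASA")
    verdicts.append(fw.process(Packet(client, server, frozenset({"ACK"}))))
    return verdicts
```

Running the asymmetric case with only the intra-interface permit enabled shows the SYN allowed and the final ACK dropped, which is the symptom the thread describes; routing the SYN/ACK back through the ASA makes all three segments pass.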


You are absolutely correct,

we do have an asymmetric route here and it looks like the ASA does not like it.

I'd rather add a VLAN and not mess with the stateful firewall, and route everything through there.

One side question:

it looks like ping (ICMP) is turned off by default on the ASA; even from the inside network I can't ping any host on the Internet.

Is this normal? Can it be turned on?

Hi,

Yes, in a default setup the ICMP messages are usually allowed from the LAN to the WAN, but the Echo Replies get blocked on the way back.

To correct that issue you will have to either enable ICMP Inspection or allow certain ICMP messages through the WAN interface ACL.

You can enable ICMP Inspection with the following commands:

fixup protocol icmp

fixup protocol icmp error

The same can be done by going under the "policy-map" configuration and adding:

inspect icmp

inspect icmp error

- Jouni
