05-10-2013 04:31 PM - edited 03-11-2019 06:41 PM
Hello,
I have a weird issue.
The ASA is set up for NAT; it has a public IP on the outside interface and 10.0.0.0/24 on the inside.
I tried to put in a static route for 10.0.9.0/24 via gateway 10.0.0.12 (inside). Here is how I did it:
new name for network:
name 10.0.9.0 OpenVpn description OpenVpn
nat exempt:
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 OpenVpn 255.255.255.0
inside traffic allowed to any:
access-list inside_access_in extended permit ip any any log disable
static route:
route inside OpenVpn 255.255.255.0 10.0.0.12 1
Packets are being dropped by the implicit rule:
FW01# packet-tracer input inside tcp 10.0.0.7 1025 10.0.9.7 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in OpenVpn 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
What am I missing here?
05-10-2013 04:42 PM
Hi,
I think you will probably need the configuration command "same-security-traffic permit intra-interface", but this won't be your only problem.
You will be running into problems with the routing setup here.
I assume that for the network 10.0.0.0/24 the default gateway router will be the ASA. By itself it doesn't pose any problems for the network 10.0.0.0/24 connections to the Internet through the ASA, but you will run into problems with TCP traffic between the 2 networks 10.0.0.0/24 and 10.0.9.0/24.
Here is what will happen if, for example, a host in the network 10.0.0.0/24 initiates a connection to the network 10.0.9.0/24
- Jouni
05-10-2013 08:27 PM
You are absolutely correct,
we do have an asymmetric route here, and it looks like the ASA does not like it.
I'd rather add a VLAN and route everything through there than mess with the stateful firewall.
One side question:
It looks like ping (ICMP) is turned off by default on the ASA; even from the inside network I can't ping any host on the Internet.
Is this normal? Can it be turned on?
05-11-2013 01:06 AM
Hi,
Yes, in a default setup the ICMP messages are usually allowed from the LAN to the WAN, but the Echo Replies get blocked on the way back.
To correct that issue you will have to either enable ICMP Inspection or allow certain ICMP messages through the WAN interface ACL.
You can enable ICMP Inspection with the following commands:
fixup protocol icmp
fixup protocol icmp error
The same can be done by going under the "policy-map" configurations and adding
inspect icmp
inspect icmp error
- Jouni
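Putting the two answers above together, here is an added ASA configuration example (written for this thread, not taken from the posts or from Cisco documentation) showing the hairpin fix with its asymmetric-routing caveat, the separate-VLAN design the original poster chose, and ICMP inspection in the global policy. It assumes pre-8.3 NAT syntax (`nat (inside) 0 access-list`), that the inside interface is GigabitEthernet0/1, and made-up values for the new VLAN: VLAN 9, transit network 10.0.10.0/30, OpenVPN gateway moved to 10.0.10.2.

```cisco
! --- 1. Minimal fix for the original design (route 10.0.9.0/24 via 10.0.0.12 on inside)
! The packet-tracer drop in the ACCESS-LIST phase is the implicit rule against traffic
! entering and leaving the same interface; this command lifts it.
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.9.0 255.255.255.0
nat (inside) 0 access-list nonat
route inside 10.0.9.0 255.255.255.0 10.0.0.12 1
! Caveat: the path is still asymmetric. The SYN from 10.0.0.7 goes to its default
! gateway (the ASA) and is hairpinned to 10.0.0.12, but the reply from 10.0.9.7 is
! forwarded by 10.0.0.12 straight to 10.0.0.7 on the same LAN. The ASA never sees
! the return half of the flow, so the stateful check on the connection fails.
! Moving the OpenVPN gateway off the inside segment is the clean way out.

! --- 2. Separate VLAN for the OpenVPN gateway, so both directions cross the ASA
! (assumed subinterface, VLAN id and transit addresses)
interface GigabitEthernet0/1.9
 vlan 9
 nameif openvpn
 security-level 100
 ip address 10.0.10.1 255.255.255.252
! 10.0.9.0/24 now sits behind the gateway on the new transit network
no route inside 10.0.9.0 255.255.255.0 10.0.0.12 1
route openvpn 10.0.9.0 255.255.255.0 10.0.10.2 1
! inside and openvpn are both security-level 100, so traffic between them needs:
same-security-traffic permit inter-interface
! keep the LAN <-> OpenVPN traffic untranslated in both directions
access-list nonat_openvpn extended permit ip 10.0.9.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (openvpn) 0 access-list nonat_openvpn

! --- 3. ICMP inspection so Echo Replies from the Internet are matched to the
! outbound Echo Request instead of hitting the outside interface's implicit deny
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
```

After applying the VLAN design, re-run `packet-tracer input inside tcp 10.0.0.7 1025 10.0.9.7 80` and confirm the ROUTE-LOOKUP phase now selects the openvpn interface and the ACCESS-LIST phase shows ALLOW.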