ASA 5505 Intranet connection problem

hugochengym
Level 1

PCs are using the ASA inside interface (10.65.0.231) as their default gateway and are able to access the Internet via the outside interface (x.x.x.50) without any problems. Here is the challenge I am having: I need to route a particular network to a router @ 10.65.0.210 (that is on the same subnet as my inside interface), so I have added the static route "route inside 10.64.x.x 255.255.0.0 10.65.0.210 1". I am able to ping 10.64.x.x addresses from the 10.65.0.0 network, but I am not able to use any applications from a PC using 10.65.0.231 as its default gateway, such as Remote Desktop Connection, web services, etc. Any ideas? Could the issue have something to do with the ASA not allowing traffic to be routed out the same interface it came in on?

Accepted Solution

Jennifer Halim
Cisco Employee

The ASA keeps track of the connection, so if you are using TCP, which consists of a TCP 3-way handshake, the ASA needs to see all the packets; otherwise, it will drop the connection because it thinks it's an attack.

So if you are routing the traffic in and out of the interface, and since the router is in the same subnet as the ASA, then the traffic will go like this:

SYN: from 10.65.x.x --> ASA --> Router --> 10.64.x.x

SYN-ACK: 10.64.x.x --> Router --> then directly to 10.65.x.x since they are in the same subnet.

ACK: 10.65.x.x --> ASA, at this point, the ASA will drop the connection because the ASA never saw the SYN-ACK

You can disable the checking of TCP state on the ASA, however, that defeats the purpose of having a firewall if you are going to disable the TCP state check.

If you do decide to disable TCP state, then I would suggest that you do it specifically only for traffic between 10.64.x.x and 10.65.x.x.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242

The reason why ping works is because ping is a stateless connection, just like UDP.

Hope this helps.


4 Replies

Anu M Chacko
Cisco Employee

Hi,

Yes, the ASA does not support packet redirection on an interface. You can use static NAT to configure U-turning on the same interface:

static (inside, inside) netmask 255.255.255.255

same-security-traffic permit intra-interface

Let me know.

Regards,

Anu

P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts.

Hi

Excuse me sir, I cannot execute the command you suggested:

abc(config)# static ?

ERROR: % Unrecognized command

Our current NAT script (we are using PPPoE for Internet access):

nat (inside,outside) after-auto source dynamic any interface

Hugo

Hi Hugo,

So you're using ASA 8.3. You need the following:

object network

  host

  nat (inside,inside) static

same-security-traffic permit intra-interface

Let me know.

Regards,

Anu
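The following is an added illustration (not Cisco's code and not posted by anyone in this thread) of the two points made above: the accepted answer's description of the ASA dropping the ACK because it never saw the SYN-ACK, and the two ways around it that the replies mention (exempting the 10.64.x.x/10.65.x.x pair from the TCP state check, or making the return path symmetric so the router's reply comes back through the ASA). The firewall model, the PC and server addresses, and the assumption that a hairpin NAT would make the router reply to the ASA are all constructed for this example.

```python
# Toy model of the stateful TCP check described in the accepted answer.
# Added example, not code from Cisco or from this thread.
from dataclasses import dataclass, field

# Addresses taken from the thread; the PC and server hosts are constructed.
ASA_INSIDE = "10.65.0.231"
ROUTER = "10.65.0.210"
PC = "10.65.0.50"          # constructed PC on the inside subnet, default gw = ASA
SERVER = "10.64.1.10"      # constructed host behind the router

# Packet the firewall expects next, given the state it tracks for a connection.
NEXT_STATE = {
    ("none", "SYN"): "syn_seen",
    ("syn_seen", "SYN-ACK"): "synack_seen",
    ("synack_seen", "ACK"): "established",
}


@dataclass
class StatefulFirewall:
    # (prefix_a, prefix_b) pairs exempt from the TCP state check, in either direction
    bypass_pairs: set = field(default_factory=set)
    # frozenset({a, b}) -> tracked state
    conns: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _bypassed(self, src, dst):
        return any(
            (src.startswith(a) and dst.startswith(b))
            or (src.startswith(b) and dst.startswith(a))
            for a, b in self.bypass_pairs
        )

    def inspect(self, src, dst, flags):
        """Return 'pass' or 'drop' for one packet that traverses the firewall."""
        if flags == "ICMP" or self._bypassed(src, dst):
            self.log.append(f"{flags} {src}->{dst}: pass (no TCP state check)")
            return "pass"
        key = frozenset({src, dst})
        state = self.conns.get(key, "none")
        new_state = NEXT_STATE.get((state, flags))
        if new_state is None:
            # Out-of-order packet for the tracked state: the firewall never saw
            # the previous leg of the handshake, so it drops the packet.
            self.log.append(f"{flags} {src}->{dst}: drop (state={state})")
            return "drop"
        self.conns[key] = new_state
        self.log.append(f"{flags} {src}->{dst}: pass (state={new_state})")
        return "pass"


def run_handshake(fw, client, server, reply_via_asa):
    """The SYN always crosses the ASA (it is the PC's default gateway). The
    SYN-ACK crosses the ASA only when the router has a reason to send it there;
    otherwise the router delivers it directly on the shared subnet."""
    results = [fw.inspect(client, server, "SYN")]
    if reply_via_asa:
        results.append(fw.inspect(server, client, "SYN-ACK"))
    else:
        results.append("asa-not-seen")
    results.append(fw.inspect(client, server, "ACK"))
    return results


def scenario_asymmetric():
    """The situation in the question: static route to the router, no other changes."""
    return run_handshake(StatefulFirewall(), PC, SERVER, reply_via_asa=False)


def scenario_tcp_state_bypass():
    """TCP state check disabled only for the 10.64.x.x <-> 10.65.x.x pair."""
    fw = StatefulFirewall(bypass_pairs={("10.64.", "10.65.")})
    return run_handshake(fw, PC, SERVER, reply_via_asa=False)


def scenario_symmetric():
    """Assumption of this model: a hairpin NAT that presents the PC to the router
    with an address reached via the ASA, so the SYN-ACK returns through the ASA."""
    return run_handshake(StatefulFirewall(), PC, SERVER, reply_via_asa=True)


def scenario_ping():
    """Ping passes because the model, like the answer, treats it as stateless."""
    return StatefulFirewall().inspect(PC, SERVER, "ICMP")


if __name__ == "__main__":
    for name, fn in [("asymmetric", scenario_asymmetric),
                     ("tcp-state-bypass", scenario_tcp_state_bypass),
                     ("symmetric", scenario_symmetric),
                     ("ping", scenario_ping)]:
        print(f"{name:17s} {fn()}")
```

Running it prints the three-step outcome per scenario: the asymmetric case passes the SYN, never sees the SYN-ACK and drops the ACK, which is exactly why RDP and HTTP fail while ping works; the bypass case passes the ACK without ever tracking state for that pair, which is the trade-off the accepted answer warns about; and the symmetric case is what any NAT or routing fix has to achieve, namely getting the reply back through the ASA.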

