ASA 5506-Intra-interface traffic with 2 subnets

Ben F
Level 1

Scenario: A customer has an existing LAN 192.168.100.0/24 with a gateway of .1 on the ASA. They have a new phone system that uses 172.16.2.0/24. The phone system has its own switch for the phones as well as a router. External phone traffic has to traverse the 192.168.100.0 subnet due to equipment and cabling limitations. Routes are configured on both the router and the ASA. Phone calls are working. The last issue is that the customer wants to be able to use a web interface to manage some phone features. Testing this is done from a server at 192.168.100.155, trying to reach 172.16.2.254 (port 8080 and 8443). Same-security permit intra-interface is enabled and pings are successful between the devices. However, when attempting to browse to 172.16.2.254:8080 (or 8443), the page just times out. Is some kind of NAT statement needed? I've tried a few combinations of NAT and even a NAT exclusion, but to no avail. As a note, if I add a static route on the server (100.155), I can successfully browse to 172.16.2.254:8080. This makes me think NAT is not the issue. I have attached a network map.

Accepted Solution

Bogdan Nita
VIP Alumni

Hi Ben,

I presume that the ASA 192.168.100.1 is the default gateway for 192.168.100.55. In that case you will also need to do a TCP bypass for the traffic. Here is a link that explains the process:

https://supportforums.cisco.com/t5/security-documents/hairpin-u-turn-traffic-off-an-interface-on-an-asa-running-8-3-or/ta-p/3129668

In your case there is a second workaround available: you could use the router 192.168.100.10 as the default gateway. By default the router does not have a problem sending the packets out the same interface they came in on, and it should also send ICMP redirect messages to the host.

HTH

Bogdan
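The TCP state bypass Bogdan refers to, written out as an added example of how it is configured on the ASA (this is not from the thread or the linked Cisco document). The interface name `inside` and the scoping of the ACL to the phone system host on ports 8080 and 8443 are assumptions.

```cisco
! Added example: TCP state bypass for hairpinned management traffic.
! The server's default gateway is the ASA, so the SYN arrives at the ASA and is
! sent back out the same interface to the router 192.168.100.10, while the phone
! system's replies go from the router straight to the server. The ASA therefore
! sees only one direction of the TCP handshake and drops the flow (ping works
! because no handshake state is required). Intra-interface forwarding is
! already enabled on this ASA:
same-security-traffic permit intra-interface

! Match only the traffic that actually hairpins: web management from the LAN to
! the phone system on 8080 and 8443 (host and ports from the thread; limiting
! the bypass to just these ports is an assumption). Keep this ACL narrow, since
! bypassed flows are not stateful-inspected or normalised by the ASA.
access-list TCP_BYPASS extended permit tcp 192.168.100.0 255.255.255.0 host 172.16.2.254 eq 8080
access-list TCP_BYPASS extended permit tcp 192.168.100.0 255.255.255.0 host 172.16.2.254 eq 8443

class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS

policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass

! "inside" is assumed to be the name of the 192.168.100.0/24 interface.
service-policy TCP_BYPASS_POLICY interface inside
```

`show service-policy interface inside` shows the policy attached and the per-class packet counters increasing once the server opens a connection to 172.16.2.254:8080; no NAT statement is involved, because the return traffic never passes through the ASA.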

Perfect! I followed the guide you attached and things are now working. Thank you!