ASA 5520 Intra-interface routing

marshallqqqq
Level 1

Hello,

I am kind of new to firewalls, and what I'm trying to do is the following:

Old situation:

One subnet for everything, ASA 5520 INSIDE 192.168.0.241  > 3560 192.168.0.240 > Several 2950 on 192.168.0.x

New situation:

ASA 5520 INSIDE 192.168.0.241 >>> 3560 192.168.0.240 / 2.1 / 5.1 (IP ROUTING enabled) >TRUNK> 2950 with 192.168.5.10 and a client with 192.168.2.100

So:

-ASA 5520 > 3560 > Several 2950 (some in different subnets)

-I added subnets 192.168.2.x and .5.x (VLAN 2/5, with IPs of .1) to the 3560, which is trunked with a 2950 that runs those 2 subnets.

-Everything in the 192.168.0.x subnet has as default gateway the ASA Inside interface (0.241).

-The new 2950 / Client have as default gateway the 3560 (5.1 and client 2.1).

-3560 has an ip route 0.0.0.0 0.0.0.0 192.168.0.241

-ASA has ip routes to 192.168.2.0 > 192.168.0.240 and 192.168.5.0 > 192.168.0.240 (which is the IP of the 3560).

I can access the internet fine (added PAT), but I cannot ping from a host in the 0.x to the 2.x etc. From the 2.100 client I can only ping the 3560 / ASA / internet but not a single other 0.x address on the network.

Now someone told me that I cannot route traffic back on the same interface as it goes out on, but I don't think this is true. He suggested I change all my default gateways to the 3560 IP address, and yes, this will probably solve it and might be the best solution, but I got curious now.

-I have an inside ACL that says from any source to any less secure network; can anyone tell me whether changing this to any any will solve my problems?

-Even if this works, should I still consider changing all my default gateways to the 3560 instead of the firewall?

-Or should I consider doing the inter-VLAN routing on the firewall instead of the 3560?

I hope it's a bit clear and if not please let me know.

Thanks,

Ralph

2 Replies

praprama
Cisco Employee

Hi,

> Now someone told me that i cannot route traffic back on the same interface as it goes out on

Whoever told you that is correct in a sense, because that is indeed the default behavior of the ASA. In order to allow that, you will need the command:

same-security-traffic permit intra-interface

Also, since you have an access-list on the ASA's interface, you will also need to allow traffic from the 0.x to 2.x subnet explicitly.

Now, if we look at the packet flow when a host, say 0.10, tries to ping 2.100, this first goes to the ASA, then to the 3560 and 2950, and then finally to the 2.100 host. When this host sends the reply, this packet is going to go to the 2950, the 3560 and then to the 0.10 host directly and does not go to the ASA. Hence, the ASA sees only one direction of traffic and not both (asymmetric routing). Assuming we don't have "inspect icmp", then because of this we will be able to ping successfully, but none of the TCP connections will work fine because of 2 reasons:

1) ASA randomizes sequence numbers.

2) ASA does a statefulness check for every TCP packet.

We need to disable the above two features as well on the ASA for this particular flow. Prior to 8.2, this is done using a static command as below:

static (in,in) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 norandomseq nailed

failover timeout -1

From 8.2 onwards, we will need to do this using MPF. The two actions we will need are:

set connection advanced-options tcp-state-bypass; and

set connection random-sequence-number disable

The below 2 links will give you more information about the above 2 commands:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045

Let me know if this helps. All the best!!

Thanks and Regards,

Prapanch
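Added example, not from the thread: the 8.2+ MPF policy described in the reply above, written out for the subnets in the question. The interface nameif "inside" and the ACL, class-map and policy-map names are assumptions. The ACL is deliberately scoped to the hairpinned 0.x <-> 2.x/5.x flows only, because a bypassed flow gets no TCP state tracking and no sequence-number randomization on the ASA, so the policy should not match more traffic than it has to.

```text
! Assumed nameif of the ASA interface facing the 3560 is "inside"
same-security-traffic permit intra-interface
!
! Only the flows that enter and leave the inside interface (constructed ACL name)
access-list INSIDE_ASYM extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list INSIDE_ASYM extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list INSIDE_ASYM extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list INSIDE_ASYM extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
!
class-map INSIDE_ASYM_CLASS
 match access-list INSIDE_ASYM
!
policy-map INSIDE_ASYM_POLICY
 class INSIDE_ASYM_CLASS
  ! ASA will not drop packets for which it has not seen the SYN / other direction
  set connection advanced-options tcp-state-bypass
  ! ASA will not rewrite ISNs, so the 3560-routed return path still matches
  set connection random-sequence-number disable
!
! Interface policy on inside only; the global policy is left untouched
service-policy INSIDE_ASYM_POLICY interface inside
```

Confirm the policy is attached with show service-policy interface inside, and packet-tracer input inside tcp 192.168.0.10 1025 192.168.2.100 80 will show whether the intra-interface rule and the inside ACL permit the hairpin. Moving the 0.x default gateways to the 3560, as the question already considers, removes the asymmetry instead of bypassing inspection for it.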

Thanks for the fast reply, Prapanch. I will try it out ASAP and post a status update after it.
