Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
755
Views
0
Helpful
6
Replies

ASA as packet redirector

dmitriiovdp
Level 1
Level 1

‎05-02-2006 06:48 PM - edited ‎02-21-2020 12:52 AM

Hello! (Excuse for my English :)

We have a problem of realization of this scheme

LAN1(172.16.2.0/24)---

|

L3 Switch(192.168.1.2/24)---Packeteer---(192.168.1.1/24)ASA5540(PAT)---Internet

|

LAN2(172.16.3.0/24)---

ASA5540 SW ver 7.0(4).

Packeteer it`s aplication analyser, NetFlow generator. Work as bridge.

ASA has static routing:

route outside 0.0.0.0 0.0.0.0 y.y.y.y 1

route inside 172.16.0.0 255.255.0.0 192.168.1.2 10

Users from LAN1 and LAN2 have access and can PING to Internet successfully.

Ping from ASA to LAN1 is successfully.

Ping from ASA to LAN2 is successfully.

Ping from LAN2 to LAN1 is unreachable.

106014: Deny inbound icmp src inside:172.16.3.2 dst inside:172.16.2.2 (type 8, code 0)

It is necessary for us, what a ASA would be redirecting packages from one network in another, because packages should pass necessarily through a Packeteer

Whether it is possible to solve this problem?

0 Helpful
6 Replies 6

Fernando_Meza
Level 7
Level 7

‎05-02-2006 07:43 PM

You might need to allow this traffic by using an access-list applied to the internal interface

access-list INSIDE_IN permit any any

access-group INSIDE_IN in interface inside

I hope it helps .. please rate it if it does !!!

0 Helpful

dmitriiovdp
Level 1
Level 1
In response to Fernando_Meza

‎05-02-2006 10:38 PM

access-list outside_access_in extended permit ip any any

access-list inside_access_in extended permit ip any any

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

not work :(

106014: Deny inbound icmp src inside:172.16.2.2 dst inside:172.16.3.2 (type 8, code 0)

0 Helpful

aduerr
Level 1
Level 1
In response to dmitriiovdp

‎05-03-2006 01:47 AM

access-list inside_access_in line 2 extended permit icmp any any => allowing icmp traffic from inside

Regards,

Arne

0 Helpful

dmitriiovdp
Level 1
Level 1
In response to aduerr

‎05-03-2006 09:22 PM

no :( not work.

i think what ASA can not forward packet from inside to inside

0 Helpful

aduerr
Level 1
Level 1
In response to dmitriiovdp

‎05-03-2006 11:18 PM

Oh, sorry. Was too quick with my answer.

Yes, indeed ASA and also PIX do no route U-turn/hair pinning if that`s what you intended. It is not designed to do that. You need a router.

Regards,

Arne

0 Helpful

GRAEME DANIELSON
Level 1
Level 1
In response to aduerr

‎05-04-2006 01:55 AM

I think you need the "intra-interface" parameter of the "same-security-traffic permit" command to allow traffic in and back out the same interface.

Just curious what you've done on the L3Switch to force traffic up to the ASA to stop the two LAN interfaces on L3Switch routing traffic directly between themselves. Did you use PBR?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card