ASA doesn't route the packet
12-11-2007 08:25 AM - edited 03-11-2019 04:42 AM
I have an ASA 5500 and it is the gateway of my LAN.
The ASA routes the packets destined to 2 remote nets toward a Cisco router, through a table of static routes.
The problem is that it only passes the ping toward the remote LAN, while all the other protocols and sessions are blocked!!!!
Only ICMP packets are forwarded.
I have captured this message in the ASA log:
"106015 192.168.10.14 192.168.13.13 Deny TCP (no connection) from 192.168.10.14/21438 to 192.168.13.13/1720 flags RST on interface LAN."
Best Regards
Labels: NGFW Firewalls
12-14-2007 08:19 AM
The traceroute is to 172.29.0.254 (the LAN IP of the remote router).
The 172.29.0.14 is switched off.
07-13-2015 01:11 PM
Posts in this discussion have been modified to comply to the CSC terms of use.
12-20-2007 09:35 AM
hi michele,
I have the same problem as you; do you have a solution for it, please?
thx
lukas
03-18-2008 04:20 AM
hi everybody,
I experienced the same issue. My network diagram is similar. Did you find a solution to that problem?
Thanks a lot for your help.
03-18-2008 08:26 AM
Here, we must understand that the routing capabilities of an ASA are limited compared to a router. Initially a PIX would not allow a packet to leave an interface on the same interface that it came in on. This was improved by adding the "same-security-traffic permit intra-interface" command, which I assume you are using. But this does not resolve everything, because the ASA does not reroute the packet the way a router would; it creates a connection the same way it would if the packet left the outside interface. Your problem is that the returning packet doesn't get back to the ASA.
Let's see with an example:
(I assume that the PCs on the inside have the ASA as the default gateway)
172.31.0.100 makes a TCP connection to 172.29.0.100. The SYN hits the ASA, which opens a connection, then routes the packet to the MPLS router at 172.31.0.254.
But the returning SYN packet goes directly to the PC 172.31.0.100 because it is directly connected to the router. Then the PC sends the ACK to the ASA (the default gateway), but it is refused because the ASA never saw the returning SYN. So your TCP connection dies here.
The problem does not occur with ICMP because there is no three-way handshake and it doesn't matter if the replies don't pass through the ASA.
One solution could be to create a sub-interface on the inside interface, configure it on a /22 subnet, put the MPLS router in this subnet and create a static route in the MPLS router for your inside network. This way it would force all returning traffic to go through the ASA.
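
The following is a constructed illustration of the mechanism this answer describes, added here for readers of the thread; it is not Cisco code, not code from anyone in the discussion, and only a toy model of a stateful connection table rather than an emulation of the ASA. The host addresses are the ones used in the answer, the port numbers are invented, and the "106015" text is modelled on the syslog quoted in the question. It replays the three-way handshake twice, once with the reply path through the firewall and once with the MPLS router delivering the SYN-ACK straight to the PC, and shows that only the second case produces a "Deny TCP (no connection)" for the PC's ACK, while an ICMP echo is unaffected either way.

```python
"""Toy model of a stateful firewall connection table, showing why an
asymmetric return path kills TCP but not ICMP.

Constructed example for illustration only: not Cisco code and not an ASA
emulator. Host addresses follow the answer above; ports are made up."""
from dataclasses import dataclass

PC = "172.31.0.100"          # inside host, default gateway = ASA
SERVER = "172.29.0.100"      # host reached through the MPLS router


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""          # "SYN", "SYN-ACK", "ACK", ...


class StatefulFirewall:
    """Forwards TCP only when the handshake is observed in order.
    Anything else on an unknown connection is denied, mirroring the
    'Deny TCP (no connection)' syslog (106015) quoted in the question."""

    def __init__(self):
        self.conns = {}      # direction-independent 4-tuple -> state
        self.log = []

    @staticmethod
    def _key(pkt):
        # Same key whichever direction the packet travels in
        ends = [(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]
        return tuple(sorted(ends))

    def inspect(self, pkt):
        if pkt.proto == "icmp":
            # Modelled as stateless, as the answer explains (a real ASA can
            # also track ICMP when 'inspect icmp' is enabled).
            return "forward"
        key = self._key(pkt)
        state = self.conns.get(key)
        if pkt.flags == "SYN":
            self.conns[key] = "SYN_SEEN"
            return "forward"
        if pkt.flags == "SYN-ACK" and state == "SYN_SEEN":
            self.conns[key] = "SYNACK_SEEN"
            return "forward"
        if pkt.flags == "ACK" and state == "SYNACK_SEEN":
            self.conns[key] = "ESTABLISHED"
            return "forward"
        if state == "ESTABLISHED":
            return "forward"
        # Handshake never completed through this box: drop and log
        self.log.append(
            f"106015 Deny TCP (no connection) from {pkt.src}/{pkt.sport} "
            f"to {pkt.dst}/{pkt.dport} flags {pkt.flags}")
        return "deny"


def tcp_handshake(fw, reply_via_firewall):
    """Replay the PC -> SERVER handshake; return (packet, decision) pairs.
    With reply_via_firewall=False the SYN-ACK is delivered by the MPLS
    router straight to the PC, so the firewall never sees it."""
    decisions = []
    syn = Packet("tcp", PC, SERVER, 21438, 1720, "SYN")
    decisions.append(("SYN", fw.inspect(syn)))
    synack = Packet("tcp", SERVER, PC, 1720, 21438, "SYN-ACK")
    decisions.append(("SYN-ACK", fw.inspect(synack) if reply_via_firewall
                      else "bypassed firewall"))
    ack = Packet("tcp", PC, SERVER, 21438, 1720, "ACK")
    decisions.append(("ACK", fw.inspect(ack)))
    return decisions


def icmp_ping(fw, reply_via_firewall):
    """Same experiment for ICMP echo: the request reaches the server
    regardless of which way the reply comes back."""
    req = Packet("icmp", PC, SERVER)
    reply = Packet("icmp", SERVER, PC)
    return [("echo-request", fw.inspect(req)),
            ("echo-reply", fw.inspect(reply) if reply_via_firewall
             else "bypassed firewall")]


if __name__ == "__main__":
    for via_fw in (True, False):
        fw = StatefulFirewall()
        print("symmetric" if via_fw else "asymmetric",
              tcp_handshake(fw, via_fw))
        print("  icmp:", icmp_ping(fw, via_fw))
        for line in fw.log:
            print("  log:", line)
```

The denial is logged on the PC's ACK, the third packet, because the table only ever saw the SYN; that matches the answer's description of where the connection dies. Any fix that puts the return path back through the firewall (such as the sub-interface and static route suggested above) turns the second run into the first.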
