08-21-2012 01:22 PM - edited 03-11-2019 04:44 PM
Hi, I have two control points, two firewalls.
The second one is linked inside a DMZ of the first firewall.
Routing is good, and inside the DMZ of the first firewall I have servers too.
So, to be clearer, let's call the DMZ interface IP of the first firewall 1.1.1.1; this interface generates the DMZ on the first firewall (netmask 255.255.0.0).
Inside the DMZ I have an interface of the second firewall with IP 1.1.1.5, and inside DMZ 1.1/16 I have servers too.
Take one test server with IP 1.1.1.3.
The LAN behind the second firewall is 2.2.2.1, always with a 16-bit netmask (255.255.0.0).
Inside the DMZ generated by the second firewall I have a machine with IP 2.2.2.9 that needs to access TCP services on machine 1.1.1.3.
Running the test I see this scenario:
TCP packets from 2.2.2.9 pass through the second firewall, arrive inside the DMZ with net 1.1/16 and reach the server with IP 1.1.1.3.
The default gateway (to answer the originating machine with IP 2.2.2.9) is 1.1.1.1.
ASA interface 1.1.1.1 claims a missing related connection, as it hasn't mapped the connection that passed through the first firewall. I only need 1.1.1.1 to route packets to the second firewall (which owns net 2.2/16) without being trapped in the missing-related check.
At the start it was working! Around 1 year ago we upgraded the IOS to 8.4, and only now, a year later, while doing maintenance on a machine, I discovered it was no longer talking with these servers on net 1.1/16.
I have found in the Cisco docs chapter 51 on TCP State Bypass ............ is this the only answer and the right answer?
It was working before; has something changed inside ASA IOS 8.4?
The HTML version of TCP State Bypass I found that should, or could, solve my issue is:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
Any other info or solutions? Is that what I have to configure to solve it? And why does it no longer work when it was working before?
thanks
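For the scenario in this post, the TCP State Bypass configuration described in the linked Cisco document would look like this on the first ASA (an added example, not from the post or from Cisco's page; the interface name "dmz" and the ACL, class-map and policy-map names are assumed). It disables TCP state tracking and normalization only for flows between 2.2/16 and 1.1/16, so the match should stay as narrow as possible, and the interface access-list must still permit the traffic.

```cisco
! Assumed: the 1.1.1.1 interface is named "dmz"; object names are chosen here.
! Match only the asymmetric flows between LAN 2.2/16 and DMZ 1.1/16, both directions.
access-list tcp_bypass extended permit tcp 2.2.0.0 255.255.0.0 1.1.0.0 255.255.0.0
access-list tcp_bypass extended permit tcp 1.1.0.0 255.255.0.0 2.2.0.0 255.255.0.0
!
class-map tcp_bypass
 match access-list tcp_bypass
!
! Bypass only for this class; all other traffic keeps normal stateful inspection.
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the unmatched return packets arrive (1.1.1.1).
service-policy tcp_bypass_policy interface dmz
!
! The first ASA must still know 2.2/16 lives behind the second firewall.
route dmz 2.2.0.0 255.255.0.0 1.1.1.5
```

Verify that the class is being hit with `show service-policy interface dmz`; the cleaner fix remains removing the asymmetry (a host route or a point-to-point link between the firewalls) so no bypass is needed.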
08-28-2012 05:52 AM
Alberto, the easiest thing would be to add a static route on server 10.2.2.10 defining 10.3.0.0/16 as being via 10.2.2.100 (i.e. start -> run -> cmd -> route add 10.3.0.0 mask 255.255.0.0 10.2.2.100). A better solution would be to make the network between the 2 firewalls a point-to-point link with no devices on that subnet. This depends on having enough interfaces or using sub-interfaces. You should try to avoid state bypass if possible. Matthew
08-28-2012 12:06 PM
Hello All,
Another option, not the easy one, is to use the proxy ARP feature on the ASA.
As you know this is a routing problem, so what you could do is NAT the 10.2/16 to a phantom subnet that the internal ASA does not know how to reach, so it will always need to send the traffic to the primary ASA. This will also solve the routing problem. Of course, now the hosts at 10.1/16 will need to talk to the phantom subnet instead of the 10.2.
Remember to rate all the helpful posts
Julio