07-28-2008 05:43 PM - edited 03-11-2019 06:21 AM
I have two networks behind my ASA 5505 inside interface -- 192.168.1.0/24 is directly connected, but 192.168.200.0/24 is connected via router. I added a route to 192.168.200.0/24 in the ASA, and I can browse web sites and initiate PPTP sessions to an internet-connected PPTP server.
But if I try to get from 192.168.200.0/24 to 192.168.1.0/24, my outbound packets get to 192.168.1.0/24 (I did a packet capture), but my replies from 192.168.1.0/24 to 192.168.200.0/24 never get there and the ASA logs "regular translation creation failed for icmp src inside:192.168.1.x dst inside:192.168.200.1".
I've tried a NAT exemption, but all that does is change the error to "no translation group found".
Is there any way to allow the ASA to route packets off its internal interface without translation?
07-28-2008 06:11 PM
Add the command 'same-security-traffic permit intra-interface' to route traffic in and out of the same interface.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
HTH
Sundar
07-29-2008 07:44 AM
I already have that command enabled.
07-29-2008 05:02 PM
Hello. This sounds like a common problem that I see. It sounds like the router you are mentioning has an interface on the 192.168.1.0/24 network, correct? Also, you have a route in the ASA to the 192.168.200.0/24 network through the IP address of the router that is on the 192.168.1.0/24 network. It sounds like the traffic from the 200.x net is getting to the router, the router has a directly connected interface to 1.x and sends the traffic out on the wire. The 1.x host then tries to respond, but doesn't have its own route to the 200.x net, so it sends it to its default gateway (the ASA on the 1.x net). The problem is, the ASA will not support ICMP redirect. ICMP redirect is what allows a host to 're-learn' the route to a subnet through another path. If the ASA were a router in this instance, it would send a 'redirect' to the 1.x host telling it that the 200.x host was actually reachable through the router and not the ASA. All subsequent traffic would go through the router. Since the ASA does not support this (security reasons), the host can't actually reach the 200.x subnet. The best way to fix this is to put a default route on the router that points to the ASA (Internet hosts, etc...) and point your 1.x hosts to the router as their default gateway. All Internet traffic will be ICMP redirected to the ASA and all 200.x traffic will go to the appropriate interface of the router. Anyway, if you have any other questions, please ask.
Thank you,
Jeff
07-30-2008 05:38 AM
I thought about that, as well as the idea of just adding a static route to the 192.168.200.0/24 network on the 3-4 hosts affected (very small network).
The former solution, making the inside router the default router, unfortunately won't work. I lied to simplify the situation -- the 192.168.200.0/24 network is actually assigned to PPTP clients from another firewall, and the route to .200 is actually via this other firewall. Since this firewall is *also* connected to the internet, making it the default router effectively eliminates the ASA (also a solution itself, but not one I want).
I think there may be some other NAT issue. Attached is the packet-trace output.
07-30-2008 09:22 AM
I looked into this some more. It looks like I was wrong and the ASA/PIX will allow this traffic after 7.2x something. Anyway, sorry about that. Just been stuck in how it 'used' to work. How did you do your NAT exemption?
Thanks,
Jeff
07-31-2008 05:12 AM
Have you tried to set the NAT ACL like this:
global (inside) 1 interface
nat (inside) 1 access-list nat_for_internal_net
access-list nat_for_internal_net extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
route inside 192.168.200.0 255.255.255.0 192.168.1.x 1
where x is the IP of the router on this subnet
Be careful to use an unused number for the global NAT... I wrote 1 but it's only an example.
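As an added example (not posted by anyone in this thread), here is the pre-8.3 ASA configuration the thread is circling around, put together in one place: the intra-interface permit, a NAT exemption (nat 0) for inside-to-inside traffic in both directions, the static route, and a packet-tracer check on the reply direction that was failing. The next-hop address 192.168.1.254, the host 192.168.1.10 and the ACL name are assumed placeholders, not values from the thread.

```cisco
! Allow traffic to enter and leave the same interface (hairpin on "inside")
same-security-traffic permit intra-interface

! Route to the remote subnet via the other firewall/router on the inside segment
! (192.168.1.254 is an assumed placeholder; use the real next-hop address)
route inside 192.168.200.0 255.255.255.0 192.168.1.254 1

! NAT exemption for inside<->inside traffic (nat 0 access-list, pre-8.3 syntax).
! Match both directions so that replies from 1.x hosts leaving via the
! inside interface are exempted as well as packets arriving from 200.x.
access-list INSIDE_NAT_EXEMPT extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list INSIDE_NAT_EXEMPT extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NAT_EXEMPT

! Check the direction that logged "regular translation creation failed":
! an ICMP echo reply (type 0, code 0) from a 1.x host to the 200.x host
packet-tracer input inside icmp 192.168.1.10 0 0 192.168.200.1 detailed

! Confirm the exemption is applied and no unexpected xlate is built
show nat
show xlate
```

Because the other firewall delivers 200.x-initiated packets to the 1.x hosts directly, the ASA only ever sees the return half of those flows, so trace from the 1.x side as above; a working configuration ends the trace with "Action: allow" and shows the NAT exemption rule being matched.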