Cisco IOS Router VS Cisco ASA Firewall

Hi There

Lately, I was asked to troubleshoot an issue. The network setup is: I have a Linux workstation that's connected to the INSIDE interface of the Firewall and a Windows workstation that's connected to the OUTSIDE interface of the Firewall. For some reason, the Linux workstation cannot ping the Windows XP workstation, but if I were to replace the Firewall with a Cisco Router, everything works fine.

Linux CentOS workstation

10.10.10.10 /24 (No Default Gateway is defined or static routing defined)

Cisco ASA Firewall

INSIDE : 10.10.10.1/24

OUTSIDE : 20.20.20.1/24

Note: The Firewall is doing Dynamic NAT from source network address 10.10.10.0/24 --> 20.20.20.1, as shown below:

access-list inside and outside is permit ip any any

global (outside) 1 interface

nat (inside) 0.0.0.0 0.0.0.0

Windows XP workstation

20.20.20.20/24

My question here is what is so special about a Router that the Firewall is lacking? Is there any command I need to enable on the Firewall? I tried enabling and disabling sysopt noproxyarp inside and sysopt noproxyarp outside, no difference.

Please kindly assist.

Regards,

Ram

+6-012-2918870

Warm regards,
Ramraj Sivagnanam Sivajanam

Jennifer Halim
Cisco Employee

I am assuming that your NAT statement should read:

nat (inside) 1 0.0.0.0 0.0.0.0

(Just double checking to see if you have configured "nat (inside) 0 0.0.0.0 0.0.0.0" or "nat (inside) 1 0.0.0.0 0.0.0.0".)

Also, please enable ICMP inspection on the FW.

Also what is the security level assigned to your inside and outside interface of the ASA?

Hi Jennifer Halim

Yes, I do have the command nat (inside) 1 0.0.0.0 0.0.0.0, sorry for the typo. The INSIDE and OUTSIDE security levels are the default values, i.e. 100 and 0 respectively.

From the Firewall console, I can ping the Linux workstation and the Windows XP workstation. This is working fine, but from the Linux workstation, I cannot PING the Windows XP workstation. Of course, from the Windows XP workstation, I cannot PING the Linux workstation due to the dynamic NAT.

That means, as far as the Windows XP is concerned, the Linux workstation and the Firewall OUTSIDE interface are the same IP address, i.e. 20.20.20.1. With a Router, this is working fine; I'm surprised why with a Firewall it doesn't.

Note: No personal Firewall is installed on any of those workstations.

Warm regards,
Ramraj Sivagnanam Sivajanam

Did you perform "clear xlate" after configuring the NAT statement?

Also please configure the ICMP inspection (assuming that you already have global_policy policy-map applied globally with the service-policy command):

policy-map global_policy
 class inspection_default
     inspect icmp

Hi Jennifer Halim

Yes, I did perform "clear xlate" after configuring the NAT statement. However, I'll try out the suggestion as shown below.

 class inspection_default
     inspect icmp

Just to update, this problem was solved after I added a static route in the Linux workstation to point to 10.10.10.1 for destination network address 20.20.20.X/24. My question here is: when the Linux workstation wants to go to 20.20.20.X/24 without having a static route pointing to 10.10.10.1, this works fine with a Router but not with a Firewall, where you need a static route in the Linux workstation pointing to 10.10.10.1 for destination network address 20.20.20.X/24.

The netstat -rn table in the Linux workstation is:

20.20.20.0/24 next hop IP is its own IP address, i.e. 10.10.10.10

Warm regards,
Ramraj Sivagnanam Sivajanam

Well, you definitely need a route on your Linux host to reach the Windows host as they are not in the same subnet.

You need either a default gateway configured, or a specific route configured if you don't have a default gateway, to be able to reach a host that is not in the same subnet.

Router or firewall, both of them are L3 devices, and you definitely need correct routing on each hop.

Hi Jennifer Halim

I agree with your explanation; in fact that's the same thing I told my customer, but he proved me wrong by showing it to me practically. He replaced it with a Cisco Router, and all is good. Only with the Firewall does this not work.

My customer explained to me that when 10.10.10.10 (Linux) wants to go to 20.20.20.20, it will send out an ARP broadcast asking who knows how to go to 20.20.20.20. The Router will reply and say that it knows how to go to 20.20.20.20. Hence, 10.10.10.10 goes to the Router, i.e. 10.10.10.1, gets NATted to 20.20.20.1 and talks to 20.20.20.20.

For some reason, the Firewall doesn't accept this behaviour.

That means just because the Linux doesn't have a gateway, it uses its interface to route out all traffic. This is the same concept as in some routers, where we can configure ip route 0.0.0.0 0.0.0.0 Serial0.

What do you think of the situation I have so far? Does it make sense or not?

Warm regards,
Ramraj Sivagnanam Sivajanam

Seems like the router might have a bug. That should not be the behaviour of an L3 device, and an ARP request is not to be broadcast out an L3 interface. ARP broadcasts should be contained within the L2 broadcast domain.

The firewall definitely does not have that behaviour. You would need to have a route to access any L3 subnet hops away. Being a firewall, it has correctly prevented the incorrect behaviour from working. So when the firewall is in place, it actually provides the correct behaviour, i.e. it wouldn't resolve the ARP if it's not in the same subnet.
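The two outcomes in this thread come down to one difference between the devices: whether the gateway answers an ARP request for an address that is not its own. The behaviour the customer observed with the router matches IOS proxy ARP, which is enabled by default on router interfaces, and proxy ARP masks a host that has no usable route; the ASA does not answer such requests for destinations beyond the inside segment, so the missing route on the Linux host becomes visible. The following Python model is an added illustration, not code from this thread, from Cisco IOS or from the ASA. The `Host`, `Gateway`, `Route` and `can_reach` names and the three host configurations are constructed; the `proxy_arp` flag is a deliberate simplification (the ASA's own NAT-related proxy ARP on the outside interface is not modelled, because it plays no part in the inside-to-outside ping here).

```python
"""Model of the host forwarding decision and ARP resolution discussed in the thread.

Constructed example: a host picks a route by longest-prefix match, decides which
address to ARP for, and the gateway either answers that ARP or stays silent.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Route:
    prefix: IPv4Network
    via: Optional[IPv4Address]  # None = interface route: the host ARPs for the destination itself


@dataclass
class Gateway:
    name: str
    inside_ip: IPv4Address
    inside_net: IPv4Network
    # Assumption for this model: IOS router = proxy ARP on (its default);
    # ASA = does not proxy ARP for off-subnet destinations on the inside segment.
    proxy_arp: bool

    def answers_arp_for(self, target: IPv4Address) -> bool:
        """Reply to an ARP request seen on the inside segment for `target`?"""
        if target == self.inside_ip:
            return True  # every L3 device answers for its own address
        # Proxy ARP: answer on behalf of an address that is not on this segment.
        return self.proxy_arp and target not in self.inside_net


@dataclass
class Host:
    ip: IPv4Address
    routes: list[Route] = field(default_factory=list)

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match; None when nothing covers dst (no default gateway)."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def arp_target(self, dst: IPv4Address) -> Optional[IPv4Address]:
        """Which address the host must resolve before it can send to dst."""
        route = self.lookup(dst)
        if route is None:
            return None
        return dst if route.via is None else route.via


def can_reach(host: Host, gw: Gateway, dst: IPv4Address) -> tuple[bool, str]:
    """Can `host` get a packet for `dst` onto the wire via `gw`? Returns (ok, reason)."""
    target = host.arp_target(dst)
    if target is None:
        return False, "no route: the host never sends a packet (network unreachable)"
    if gw.answers_arp_for(target):
        return True, f"host ARPs for {target}; {gw.name} answers; packet forwarded"
    return False, f"host ARPs for {target}; nothing on the inside segment answers; ping times out"


# Addresses from the thread.
INSIDE = IPv4Network("10.10.10.0/24")
OUTSIDE = IPv4Network("20.20.20.0/24")
GW_IP = IPv4Address("10.10.10.1")
WINDOWS = IPv4Address("20.20.20.20")
LINUX = IPv4Address("10.10.10.10")

ROUTER = Gateway("IOS router", GW_IP, INSIDE, proxy_arp=True)
ASA = Gateway("ASA", GW_IP, INSIDE, proxy_arp=False)

CONNECTED = Route(INSIDE, None)
# Constructed host configurations mirroring the thread:
HOST_NO_ROUTE = Host(LINUX, [CONNECTED])                            # no gateway, no route
HOST_IFACE_ROUTE = Host(LINUX, [CONNECTED, Route(OUTSIDE, None)])   # "next hop is itself"
HOST_VIA_GW = Host(LINUX, [CONNECTED, Route(OUTSIDE, GW_IP)])       # the fix: route via 10.10.10.1


def run_scenarios() -> dict[str, bool]:
    """Run every host configuration against both gateways; keys are 'host / gateway'."""
    results: dict[str, bool] = {}
    hosts = (("no route", HOST_NO_ROUTE),
             ("interface route", HOST_IFACE_ROUTE),
             ("route via 10.10.10.1", HOST_VIA_GW))
    for host_name, host in hosts:
        for gw in (ROUTER, ASA):
            ok, why = can_reach(host, gw, WINDOWS)
            results[f"{host_name} / {gw.name}"] = ok
            print(f"{host_name:22s} {gw.name:11s} {'OK  ' if ok else 'FAIL'} {why}")
    return results


if __name__ == "__main__":
    run_scenarios()
```

Only the "interface route" row differs between the two gateways, which is exactly the thread's symptom: with the router the host's ARP for 20.20.20.20 gets a proxy reply and the ping works even though the host's routing is wrong; with the ASA the ARP goes unanswered. The "route via 10.10.10.1" row succeeds on both, matching the fix Ram applied. On the real Linux host the equivalent check is the routing table (`ip route`) and, while pinging, the ARP cache (`ip neigh`): an incomplete entry for 20.20.20.20 itself, rather than for 10.10.10.1, is the sign that the host is trying to resolve an off-subnet address directly.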
