01-23-2011 08:23 PM - edited 03-11-2019 12:39 PM
Hello All
We have an ASA5550 as a NAT server. It works fine, but some internet sites do not work.
For example, we want to connect to site A, whose IP is x.x.x.x (on the internet).
For some reasons, we need to route it to another router (IP: y.y.y.y) in the inside network.
The config for this ACL has set a static route for inside networks:
> route inside x.x.x.x 255.255.255.255 y.y.y.y
Ping is fine, and traceroute shows the route is correctly routed to y.y.y.y.
But when we use wget to obtain the homepage of x.x.x.x, it hangs and responds with nothing.
Is there any reason for this behaviour?
Thanks a lot
stephon
01-23-2011 08:46 PM
The configuration on the ASA looks correct.
However, one thing I could think of as to why it's working for ping but not for a TCP connection is asymmetric routing.
Assuming that the host you are trying to connect from is in the 10.1.1.0/24 subnet, with its default gateway set to the ASA inside interface 10.1.1.251.
If that is a correct assumption, traffic will flow like this:
1) The TCP SYN packet will go from the host --> ASA inside interface --> route towards your internal router --> internet host x.x.x.x.
2) The TCP SYN-ACK packet will go from the internet host x.x.x.x --> internal router --> and since the internal router is in the same subnet as the ASA inside interface as well as the host itself, it will be routed directly to the host (instead of towards the ASA inside interface first and then to the host).
3) The TCP ACK packet will go from the host --> ASA inside interface --> at this stage, since the ASA did not see the SYN-ACK packet, it drops the connection because of TCP asymmetric routing.
The quickest way to test is to configure a specific route on the host ("hosts" file) to send traffic towards x.x.x.x to the internal router instead of the ASA inside interface (via its default gateway), and this should work.
The reason it fails when your default route is the ASA is that the ASA is a stateful firewall and keeps track of the connection.
01-23-2011 11:00 PM
Hello all
We have fixed it by using state-bypass-map.
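The asymmetric-routing flow described in the accepted answer and the "state bypass map" fix reported above, as an added ASA configuration example that is not part of the original thread or any poster's own config. It assumes the 10.1.1.0/24 inside subnet and the x.x.x.x / y.y.y.y placeholders from the thread, and the object names tcp_bypass and tcp_bypass_policy are made up for this example. The feature is Cisco's TCP state bypass (ASA 8.2(1) and later).

```cisco
! Added example, not from the thread. Names tcp_bypass / tcp_bypass_policy
! and the 10.1.1.0/24 client subnet are assumptions.

! The static route from the question: send traffic for x.x.x.x back out the
! inside interface to the internal router y.y.y.y. This is what makes the
! return path (SYN-ACK) bypass the ASA and reach the client directly.
route inside x.x.x.x 255.255.255.255 y.y.y.y

! Match only the flows that are actually asymmetric: inside clients
! (assumed 10.1.1.0/24) speaking TCP to the single host x.x.x.x.
! Keep this as narrow as possible; everything it matches loses stateful checks.
access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 host x.x.x.x

class-map tcp_bypass
 match access-list tcp_bypass

! Turn off TCP state tracking for that class only, so the ASA forwards the
! client's ACK and data even though it never saw the server's SYN-ACK.
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass

! Apply on the inside interface, where the client-to-server packets arrive.
service-policy tcp_bypass_policy interface inside

! Verification:
!   show service-policy interface inside   (class tcp_bypass shows packet hits)
!   show conn detail                       (bypassed connections carry the "b" flag)
```

Two things to check before leaving this in place. First, state bypass disables TCP normalization, sequence-number randomization, TCP intercept and application inspection for the matched flows, so the ACL must name only the asymmetric destination, never "any". Second, the cleaner fix is the one the answer used as a test: give the inside hosts (or their real layer-3 gateway) a specific route for x.x.x.x via y.y.y.y, so the ASA never sees half of the conversation and no stateful check has to be switched off.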