Does "same-security-traffic permit intra-interface" command work?

netadminquid

Hello.

My default gateway is an ASA5505 and I need to route a network through a router connected on the same interface as the source client.

So the traffic has to enter and exit by the same interface. To do that I use the same-security-traffic permit intra-interface command, but it works only with ICMP traffic.

Why? What do I have to do to permit all traffic?

My test configuration is the following:

ASA Version 7.2(3)
!
hostname ciscoasa
enable password xxx
names
!
interface Vlan1
 nameif INSIDE
 security-level 100
 ip address 172.20.4.31 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd xxx
ftp mode passive
same-security-traffic permit intra-interface
access-list ACL-INSIDE-IN extended permit ip any any
access-list ACL-INSIDE-OUT extended permit ip any any
pager lines 24
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
access-group ACL-INSIDE-IN in interface INSIDE
access-group ACL-INSIDE-OUT out interface INSIDE
route INSIDE 10.132.1.0 255.255.255.0 172.20.4.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp INSIDE
telnet 172.20.4.0 255.255.255.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
management-access INSIDE
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
username test password xxx encrypted privilege 15

Thanks

Accepted Solution

bauer.juergen

To me it sounds like the return traffic is not going the same way back.

client -> fw -> router -> destination

return traffic:

destination -> router -> client

So the state table of the connection might be broken, and ICMP is working because it's stateless.

Just a guess - had a similar routing issue with two ASA boxes in a parallel setup (no HA).


Hello

Thank you very much for your answer.

I like your idea, but it raises a doubt in me.

I wonder: why does everything work fine if I replace the ASA with a router?

Any idea?

Thank you again.

I would agree with the previous poster. The router that you replace the ASA with would not be keeping a state table to break; it would just happily route away. The ASA, however, on not seeing a SYN/ACK return through it for the SYN it has already seen, will deny the TCP connection.
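A toy model of the stateful check described above, added here as an example and not code from the thread or from Cisco: the client and server addresses are constructed, the state machine is a simplification of real ASA connection tracking, and ICMP is treated as stateless because the posted config has no "inspect icmp".

```python
# Added example: simplified stateful TCP tracking on one interface (not ASA code).
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "icmp"
    flags: str = ""      # "S", "SA", "A" or "PA" for tcp
    via_fw: bool = True  # False: the packet never reached the ASA

class StatefulFirewall:
    def __init__(self):
        self.conns = {}  # (client, server) -> handshake state

    def process(self, pkt):
        if not pkt.via_fw:
            return "bypassed"
        if pkt.proto == "icmp":
            return "permit"  # no conn entry consulted or created
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "S":
            self.conns[fwd] = "SYN_SEEN"  # embryonic connection
            return "permit"
        if pkt.flags == "SA" and self.conns.get(rev) == "SYN_SEEN":
            self.conns[rev] = "SYNACK_SEEN"
            return "permit"
        if pkt.flags == "A" and self.conns.get(fwd) == "SYNACK_SEEN":
            self.conns[fwd] = "ESTABLISHED"  # third ACK completes handshake
            return "permit"
        if "ESTABLISHED" in (self.conns.get(fwd), self.conns.get(rev)):
            return "permit"
        return "drop"  # packet fits no known connection state

def run(symmetric):
    """Client 172.20.4.50 pings and then opens TCP to 10.132.1.10 (addresses
    constructed); replies cross the ASA only when symmetric is True."""
    fw = StatefulFirewall()
    c, s = "172.20.4.50", "10.132.1.10"
    flow = [
        Packet(c, s, "icmp"),
        Packet(s, c, "icmp", via_fw=symmetric),
        Packet(c, s, "tcp", "S"),
        Packet(s, c, "tcp", "SA", via_fw=symmetric),
        Packet(c, s, "tcp", "A"),
        Packet(c, s, "tcp", "PA"),
    ]
    return [fw.process(p) for p in flow]
```

With the return path bypassing the firewall, ping still succeeds (the reply reaches the client directly) while every TCP packet after the SYN is dropped because the ASA never saw the SYN/ACK.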

kagodfrey is right, there is no state table on an (IP Base) router - maybe you would have the same issue with the IOS firewall on the router.

Maybe you can reconfigure your routing: default gateway for all clients is the internal router, and the internal router uses the ASA as the default gw...

hope that helps,

regards,

juergen

Yes, it's right. I verified it by monitoring the ASA interface with a protocol analyzer: frames from the PC get to the ASA and then from the ASA go to the router, but nothing comes back through the ASA.

We can solve the problem by working on the router, adding a static route that routes the router's local network through the ASA.

That works but I don't think it's a good thing.

Thank you to all

"We can solve the problem working on the router, adding a static route that routes the router's local network through the ASA."

Won't work - that network is locally connected and so it already has a route to it. If you add a static route, this one won't make it into the routing table, because static routes have an administrative distance of 1 while locally connected network routes have an AD of 0.

Changing the default gateway on all hosts is IMHO the best solution, and you're more flexible with a router as default gateway.

of course it can be a lot of work :-(

regards,

Juergen

Yes, you are right.

In fact, I tried adding a static route only for my testing host, so the added route is a stricter match and it works, but you can't do the same with the entire network.

Regards
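The route selection behind the last two posts (the static /24 losing to the connected route, the /32 host route winning), as an added example that is not part of the thread: longest prefix first, then lowest administrative distance; the client address 172.20.4.50 is constructed.

```python
# Added example (not from the thread): route selection by longest prefix, then
# lowest administrative distance (connected = 0, static = 1).
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str        # "connected" or the gateway address
    admin_distance: int

def select(table, dst):
    """Return the next hop the router would use for dst, or None."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r.prefix.prefixlen, r.admin_distance))
    return best.next_hop

def r(prefix, next_hop, ad):
    return Route(ipaddress.IPv4Network(prefix), next_hop, ad)

# The test router's two connected networks (from the thread); the ASA's INSIDE
# address 172.20.4.31 is the gateway used in the static routes below.
CONNECTED = [r("172.20.4.0/24", "connected", 0), r("10.132.1.0/24", "connected", 0)]

# Juergen's point: a static /24 for the connected network loses on AD (a real
# router would not even install it), so return traffic still goes direct.
WITH_STATIC_24 = CONNECTED + [r("172.20.4.0/24", "172.20.4.31", 1)]

# The OP's test: a /32 host route for one client (constructed address) is a
# longer match and wins, but it cannot be generalised to the whole /24.
WITH_HOST_32 = CONNECTED + [r("172.20.4.50/32", "172.20.4.31", 1)]
```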

Please confirm the network you are routing to.

You should be able to route a network from the firewall to the router both on the internal (inside) interface of the ASA.

Looking at the config, the network in question is 10.132.10/24. Is this correct?

If so, kindly show the router config (4.30).

Tim

Yes the network is correct.

We are talking about a test environment, so the router has 2 Ethernet interfaces configured respectively as 172.20.4.30 and 10.132.1.30, and nothing else.

Regards
