11-21-2013 08:04 PM - edited 03-11-2019 08:08 PM
We're trying to decipher/improve a network infrastructure which we've inherited from a previous admin who could best be described as "keen, but with a complete disregard for documentation".
Whilst this is ongoing, we need to permit remote access for an external third party. External connections come in via a low-end Netgear firewall, to the server needing to be accessed, and then out again via an ASA. Clearly this is asymmetric routing, which I've got a handle on when it comes to ASAs in a group/failover setup, but the traffic is coming from a non-ASA.
We know this is possible because that's exactly how we are accessing these servers ourselves, so our IP address has been set up to do this properly. We can see the "Built outbound TCP connection" entry for our remote IP address when we connect, but when we connect from another remote IP address we see the "Deny TCP (no connection)" entries.
Our external IP address seems to have been explicitly permitted to go this asymmetric route, but so far we've not been able to find out where. How do we go about adding other addresses to this capability?
Thanks in advance.
11-24-2013 07:37 PM
This site needs a "face palm" smiley. I've been over-thinking it. The previous guy had taken the quick and dirty fix of adding a persistent route to each of the internal servers so that if accessed from permitted external addresses the default gateway was the SOHO firewall. It's all working fine now that I've added in the new addresses on the server. Now we just need to work out how to tidy the infrastructure up and do it properly.
11-21-2013 08:33 PM
TCP bypass would be an option but I need to understand how the network is routed and actually how you are expecting the ASA to route back.
11-24-2013 06:58 PM
Hopefully this quick and nasty diagram will help
The external address being connected to points to the SOHO firewall and NAT points it to the server. The server's default gateway is the ASA. When we connect from our office the traffic is allowed through. When we connect from any other site/address the traffic is blocked at the ASA with "Deny TCP (no connection)" log entries. Our office IP address has been added somewhere in the ASA config to permit the traffic to pass, but I cannot for the life of me find it.
The simple fix would be to reassign the SOHO firewall as the default gateway for the server, but there are other reasons for not doing that (partly that it will be removed as part of an infrastructure reorg). The longer term aim is to have all traffic going via the ASA, but for the moment we just need to get this issue fixed.
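To make the asymmetric path described in the diagram post and the accepted fix (a persistent host route per permitted client, pointing at the SOHO firewall) concrete, here is an added example that is not part of the original thread. It simulates the server's routing decision with a longest-prefix-match lookup: a client whose address only matches the default route has its replies sent to the ASA, which never saw the inbound SYN and drops them with "Deny TCP (no connection)"; adding a /32 route for that client sends the replies back through the SOHO firewall instead. All addresses, gateway values and the route table are constructed for illustration and are not from the thread.

```python
import ipaddress

# Constructed routing table for one of the internal servers (assumed values,
# not from the original thread). Default route towards the ASA, plus the
# per-client host route the previous admin added by hand for the office.
ASA_GW = "192.168.10.1"    # assumed ASA inside address
SOHO_GW = "192.168.10.2"   # assumed SOHO (Netgear) firewall inside address

ROUTES = [
    ("0.0.0.0/0", ASA_GW),           # default gateway: the ASA
    ("203.0.113.10/32", SOHO_GW),     # office address already permitted
]


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def return_path(routes, client):
    """Describe what happens to the server's reply packets for this client.

    The inbound SYN arrived via the SOHO firewall, so the ASA has no
    connection entry for the flow. A reply routed to the ASA is therefore
    dropped ("Deny TCP (no connection)"); a reply routed to the SOHO firewall
    matches the NAT state there and the session works.
    """
    gw = next_hop(routes, client)
    if gw == SOHO_GW:
        return "ok: reply returns via SOHO firewall"
    return "dropped: reply reaches ASA with no matching connection"


def add_permitted_client(routes, client, gw=SOHO_GW):
    """Return a new table with the /32 host route for one permitted client.

    This is the per-address step the accepted solution describes; on the
    server itself it corresponds to a persistent host route towards the
    SOHO firewall (e.g. 'ip route add <client>/32 via <gw>' on Linux or
    'route -p add <client> mask 255.255.255.255 <gw>' on Windows).
    """
    ipaddress.ip_address(client)  # reject anything that is not a single host
    return routes + [(f"{client}/32", gw)]


if __name__ == "__main__":
    print(return_path(ROUTES, "203.0.113.10"))   # office: works
    print(return_path(ROUTES, "198.51.100.7"))   # new third party: dropped
    fixed = add_permitted_client(ROUTES, "198.51.100.7")
    print(return_path(fixed, "198.51.100.7"))    # after adding the route: works
```

The point the simulation makes is that the fix lives on each server, not in the ASA configuration, which is why searching the ASA for the office address found nothing. It also shows the maintenance cost: every new permitted client needs a route on every server, and any client without one is silently broken at the ASA. The TCP state bypass suggested earlier in the thread would remove that dependency, but it does so by switching off the ASA's TCP state tracking for the matched traffic, so it is a trade of security for convenience rather than a fix for the asymmetric path itself.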
11-24-2013 08:23 PM
Hey, great to see that you got things up and working. I also want to apologize for not getting back to you, but my weekend started this Friday and I had a personal agenda set up. Hopefully if you need further assistance you can still think of the forum as a helping hand.