Hello Elena,

Please read my answer and description about your issue in following link.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc28b9a

Regards

Thanks,

We actually don't use nat and have no nat controll so I think I found solution by "same-security traffic permit" command and reviewing the access list for that interface.

Anna

hi hussycisco

im having a similar issue where i get the error "Flow is a loopback" although i have applied same-security-traffic permit intra-interface command.

here are the no nat statements:

nat (inside) 0 access-list no-nat

access-list no-nat line 11 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat line 12 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

here is the static route:

S 192.168.1.0 255.255.255.0 [1/0] via 172.16.1.1, inside (172.16.1.1 is ip of the ISA servers outside interface)

please find attached the network diagram.

Regards

Hello Suleiman,

I am assuming you get this "flow is a loopback" error when you try to reach webserver from 192.168.1.97 or vice versa. This issue is the same with the one I described in above link. Thats why you shouldnt use exempt nat, assuming that your webserver's gateway is ASA. Please post your entire NAT and global statemens in firewall then let me advise accordingly.

But for security best practises, I highly recommend you to move webserver to another interface of ASA like DMZ, if you dont have a physical interface for achieving this, create a virtual sub-interface.

Regards

hi husayn

yes it is when i try to access webserver from my pc (192.168.1.97). As per diagram the 192.168 network is behind the ASA and the 172.16. in the perimeter between ASA and ISA. the default gateway for weberservers is inside interface of ASA 172.16.1.254 but for traffic to pass between webservers and 192.168 N/W there is a static route on webservers as follows:

192.168.1.0 255.255.255.0 via 172.16.1.1 (ISA server outside interface) which works as present but i want to move away from this.

here are the nat statements and global

global (outside) 1 81.144.x.x netmask 255.255.255.240

nat (inside) 0 access-list no-nat

nat (inside) 1 172.16.1.0 255.255.255.0

nat (inside) 1 192.168.1.0 255.255.255.0

access-list no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

S 0.0.0.0 0.0.0.0 [1/0] via 81.144.x.x, outside

S 192.168.1.0 255.255.255.0 [1/0] via 172.16.1.1, inside

THanks

Suleiman,

What is the model of your ASA?

Do you have a free available physical interface and adequate license to run it?

Does your license support virtual interfaces?

Is there a switch connecting webserver+ASA inside interface and ISA?

Are there any other clients in between ASA and ISA other than webserver?

husayn,

its an ASA5510

no free interfaces available and no support for virtual interfaces

yes there is a switch (3com)

No otther clients between asa and ISA.

What are you sugesting i should do? please bear in mind that we cant move from the physical set up.

Regards

Suleiman,

The simplest solution would be the following

In command prompt of Webserver, enter the following command

route add -p 192.168.1.0 mask 255.255.255.0 172.16.1.1

By above command, Webserver will still be protected from outside (internet) by ASA, but traffic wont pass through ASA when traffic is between inside network and Webserver. Thus, ISA will be responsible about the security between Webserver and inside network, not ASA. So I suggest creating an ACL in ISA blocking any traffic initiated by Webserver, but letting the return traffic of 192.168.1.0/24 network pass statefully.

I think there is an alternative scruffy workaround which lets ASA play in, but I suggest the one above, cleaner.

Regards

husayn

thanks.

thats what ive already got in place at the moment, hence wanting to move away from that. Am i right in saying that if there were a router between ASA and ISA this would be possible?

Regards

Suleiman,

As I previously mentioned, it is possible, but a scruffy workaround, I dont think that takes place in documentations. Here is what you have to do.

no access-list no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 host 172.16.1.136

no access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list PNat permit ip host 172.16.1.136 192.168.1.0 255.255.255.0

static (inside,inside) 172.16.1.140 access-list PNat

Now inside hosts can connect webserver at 172.16.1.140 ip address. If a host record exists in DNS server for webserver, change its IP address from 172.16.1.136 to 172.16.1.140

Dont forget to remove the route you manually entered in webserver