02-25-2011 12:05 PM - edited 03-11-2019 12:56 PM
I have a setup on a client site very similar to the attached diagram.
There is a route on the ASA to get to a remote site the other side of the router over MPLS cloud pointing to router.
You can ping to the remote site but cannot http to a device at the remote site.
If I change the gateway of the client PC to the router everything works fine but this is not an option.
My question is: is this possible, or are they trying to make something work that will not because it goes through the ASA?
same-security-traffic permit intra-interface command is configured
I found this info on another post: https://supportforums.cisco.com/thread/2009692?referring_site=kapi
Unfortunately the ASA firewall is a security device, and a stateful firewall, hence it keeps track of the connection table, and an incomplete TCP connection is deemed to be not secure (possibly an attack), unlike a router, which is a routing device, so it doesn't keep track of a connection table but just routes traffic.
Ping will definitely work, and UDP traffic will work too as they are connectionless. The only traffic that won't work is TCP traffic.
How can I get a client TCP connection to go into the ASA and back out the same interface and then over the router to remote site?
Is my only option to configure another interface on firewall so traffic goes in inside and out interface-wan?
The ASA is a 5505
I set an ACL on the inside interface to permit this HTTP traffic and it gets hits on it?
Do I need to look at NAT if the ping works?
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
Not sure if this is over-configured?
Thanks
Roger
02-25-2011 03:46 PM
Well, you have an option to disable the TCP security feature (enable TCP state bypass) on the ASA to accommodate your requirement. However, as I said in the earlier post you referred to, it really defeats the purpose of having a firewall if you disable it.
However, it is definitely possible, and here is the configuration guide for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
I would suggest that you configure the access-list to be as specific as possible to only cover the traffic that goes in and out of the ASA on that 1 interface, and apply the service-policy on that interface.
Hope this helps.
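As an added example that is not part of the original thread, this is the ASA 8.2 TCP state bypass configuration the linked guide describes, scoped to the single hairpinned flow rather than to all traffic; the inside subnet 192.168.1.0/24, the remote-site subnet 10.20.0.0/24 and the ACL, class-map and policy-map names are assumptions.

```cisco
! Assumed addressing: 192.168.1.0/24 = LAN behind the ASA inside interface,
! 10.20.0.0/24 = remote site reached via the MPLS router on the same segment.
! Only HTTP from the LAN to the remote site is exempted from TCP state checking,
! so every other flow through the ASA keeps full stateful inspection.
access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 10.20.0.0 255.255.255.0 eq www

! Already present in the thread: needed so traffic can enter and leave the inside interface.
same-security-traffic permit intra-interface

! Classify only the flows matched by the narrow ACL above.
class-map tcp_bypass_class
 description HTTP that hairpins on inside towards the MPLS router
 match access-list tcp_bypass

! TCP state bypass turns off TCP normalization and stateful checks for the class,
! which is why the match must stay as specific as possible.
policy-map tcp_bypass_policy
 class tcp_bypass_class
  set connection advanced-options tcp-state-bypass

! Apply the policy only on the interface where the asymmetric flow appears.
service-policy tcp_bypass_policy interface inside
```

Verify with `show service-policy interface inside` and `show conn`, where bypassed flows carry the `b` flag; if the hit counters stay at zero, re-check that the ACL matches the actual client and remote-site addresses.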