Intra Interface communication on Inside interface on http?

roger perkin
Level 2

I have a setup on a client site very similar to the attached diagram.

There is a route on the ASA to get to a remote site the other side of the router over MPLS cloud pointing to router.

You can ping to the remote site but cannot http to a device at the remote site.

If I change the gateway of the client PC to the router everything works fine but this is not an option.

My question is: is this possible, or are they trying to make something work that will not work because it is going through the ASA?

same-security-traffic permit intra-interface command is configured

I found this info on another post: https://supportforums.cisco.com/thread/2009692?referring_site=kapi

Unfortunately the ASA firewall is a security device, and a stateful firewall, hence it is keeping track of the connection table, and an incomplete TCP connection is deemed to be not secure (possibly an attack), unlike a router, which is a routing device and so doesn't keep track of a connection table but just routes traffic.

Ping will definitely work, and UDP traffic will work too, as they are connectionless. The only traffic that won't work is TCP traffic.

How can I get a client TCP connection to go into the ASA and back out the same interface and then over the router to remote site?

Is my only option to configure another interface on firewall so traffic goes in inside and out interface-wan?

The ASA is a 5505

I set an ACL on the inside interface to permit this HTTP traffic, and it gets hits on it.

Do I need to look at NAT if the ping works?

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

Not sure if this is over-configured?

Thanks

Roger

1 Reply

Jennifer Halim
Cisco Employee

Well, you have an option to disable the TCP security feature (enable TCP state bypass) on the ASA to accommodate your requirement. However, as I said in the earlier post you referred to, it really defeats the purpose of having a firewall if you disable it.

However, it is definitely possible, and here is the configuration guide for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html

I would suggest that you configure the access-list to be as specific as possible to only cover the traffic that goes in and out of the ASA on that 1 interface, and apply the service-policy on that interface.

Hope this helps.
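For reference, here is what the configuration Jennifer describes looks like on an ASA 5505 running 8.2. This is an added example, not something posted in the thread: the subnets 192.168.1.0/24 (client LAN behind the inside interface) and 10.10.10.0/24 (the remote site across the MPLS cloud) are assumptions, since the thread gives no addresses, and the object names (tcp_bypass, tcp_bypass_policy) are chosen here. It keeps the bypass scoped to the one hairpinned flow rather than to everything on the inside interface.

```cisco
! Assumed for this example: inside LAN 192.168.1.0/24, remote MPLS site 10.10.10.0/24.
! Already present per the original post; required for traffic to enter and
! leave the same interface at all:
same-security-traffic permit intra-interface

! Match only the TCP flows whose return path bypasses the ASA (client LAN to
! the remote site). Keep this as narrow as possible; anything matched here
! loses SYN checking, sequence-number randomisation and TCP normalization.
access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

class-map tcp_bypass
 description TCP that hairpins on inside and returns via the MPLS router
 match access-list tcp_bypass

policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass

! Apply on the interface the traffic enters and leaves, not globally.
service-policy tcp_bypass_policy interface inside
```

After applying it, `show service-policy interface inside` should show the class with a packet count once the client opens an HTTP session, and `show conn detail` lists the bypassed connections with the `b` flag (TCP state-bypass). TCP state bypass needs ASA 8.2(1) or later, and because the ASA only ever sees one direction of these flows, the connection entries are removed by idle timeout rather than by seeing a FIN or RST, so expect them to linger in `show conn` after the browser closes.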
