cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
597
Views
0
Helpful
4
Replies

Not working traffic inside of the same interface

Hi Guys.

I need your help to configure a Cisco ASA 5510.

Connencted the a single interface I have a switch. To this switch (same VLAN) there are connected:

1. The Subnet of the main office (192.168.1.253)

2. A router  (IP 192.168.1.254) that routes the traffic to a remote location (Subnet 192.168.8.0/24)

I have so allowed any traffic incoming to the inside interface as follows:

access-list inside_access_in extended permit ip any any

and I have permitted traffic intra interface as follows:

same-security-traffic permit intra-interface

Then I created a static route:

route inside 192.168.8.0 255.255.255.0 EXTERNAL_ROUTER 1


Now I can successfully ping the destination:

Pinging 192.168.8.10 with 32 bytes of data:

Reply from 192.168.8.10: bytes=32 time=135ms TTL=123

Reply from 192.168.8.10: bytes=32 time=146ms TTL=123

Reply from 192.168.8.10: bytes=32 time=143ms TTL=123

Reply from 192.168.8.10: bytes=32 time=188ms TTL=123

Unfortunately I cannot RDP into that server. When I simulate the connection via Packet tracer, it tells me that the implicit deny on the bottom of the conncections from "inside" (firewall) does not allow the connection.

It sounds to me like that "same-security-traffic permit intra-interface" does work only if there are 2 interfaces and not a single one.

Unfortunately I cannot just unplug the cable and connect it into another port as the ip is on the same subnet and I cannot configure the other end router.

Please help :-(

Thanks,

Dario Vanin

2 Accepted Solutions

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

You can either change the default gateway on the PC to be the router ip address: 192.168.1.254 because if it is the ASA inside interface, there will be asymetric routing as your PC is in the same subnet and the ASA will drop the connection.

Alternatively, if you still want to use the ASA as the default gateway, then you would need to configure TCP State Bypass on the ASA for traffic between the remote site and the local LAN, and the ASA will not check for the TCP state. However, that really defeats the purpose of having a firewall in place, and you might as well perform the above first option which is the easiest to implement

View solution in original post

Ahh OK, telco router.

You can quickly test if it's working by configuring the PC with static routes for 192.168.8.0/24 pointing towards the router (192.168.1.254).

Here is sample configuration on TCP State Bypass:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

access-list tcp-bypass-acl permit tcp 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list tcp-bypass-acl permit tcp 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0

class-map tcp-bypass-cm

   match access-list tcp-bypass-acl

policy-map tcp-bypass-policy

   class tcp-bypass-cm

       set connection advanced-options tcp-state-bypass

service-policy tcp-bypass-policy inside

View solution in original post

4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

You can either change the default gateway on the PC to be the router ip address: 192.168.1.254 because if it is the ASA inside interface, there will be asymetric routing as your PC is in the same subnet and the ASA will drop the connection.

Alternatively, if you still want to use the ASA as the default gateway, then you would need to configure TCP State Bypass on the ASA for traffic between the remote site and the local LAN, and the ASA will not check for the TCP state. However, that really defeats the purpose of having a firewall in place, and you might as well perform the above first option which is the easiest to implement

Hi Jennifer,

So you can confirm that having the external router connected to another interface is the best solution :-).

I have asked if it is possible to have the infreface of the other router reconfigured with another IP but I don't know if the Telco will allow us. How to do to configure TCP State Bypass on the ASA for traffic between the remote site and the local LAN?

Thanks,

Dario

Ahh OK, telco router.

You can quickly test if it's working by configuring the PC with static routes for 192.168.8.0/24 pointing towards the router (192.168.1.254).

Here is sample configuration on TCP State Bypass:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

access-list tcp-bypass-acl permit tcp 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list tcp-bypass-acl permit tcp 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0

class-map tcp-bypass-cm

   match access-list tcp-bypass-acl

policy-map tcp-bypass-policy

   class tcp-bypass-cm

       set connection advanced-options tcp-state-bypass

service-policy tcp-bypass-policy inside

It worked just perfectly!!!!.

Thanks!

Dario

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers