10-14-2012 05:06 PM - edited 03-11-2019 05:08 PM
Hi Guys.
I need your help to configure a Cisco ASA 5510.
Connected to a single interface I have a switch. To this switch (same VLAN) are connected:
1. The Subnet of the main office (192.168.1.253)
2. A router (IP 192.168.1.254) that routes the traffic to a remote location (Subnet 192.168.8.0/24)
So I have allowed any traffic incoming to the inside interface as follows:
access-list inside_access_in extended permit ip any any
and I have permitted traffic intra interface as follows:
same-security-traffic permit intra-interface
Then I created a static route:
route inside 192.168.8.0 255.255.255.0 EXTERNAL_ROUTER 1
Now I can successfully ping the destination:
Pinging 192.168.8.10 with 32 bytes of data:
Reply from 192.168.8.10: bytes=32 time=135ms TTL=123
Reply from 192.168.8.10: bytes=32 time=146ms TTL=123
Reply from 192.168.8.10: bytes=32 time=143ms TTL=123
Reply from 192.168.8.10: bytes=32 time=188ms TTL=123
Unfortunately I cannot RDP into that server. When I simulate the connection via Packet Tracer, it tells me that the implicit deny at the bottom of the connections from "inside" (firewall) does not allow the connection.
It sounds to me like "same-security-traffic permit intra-interface" only works if there are 2 interfaces and not a single one.
Unfortunately I cannot just unplug the cable and connect it to another port, as the IP is on the same subnet and I cannot configure the other end router.
Please help :-(
Thanks,
Dario Vanin
10-14-2012 05:31 PM
You can either change the default gateway on the PC to be the router IP address: 192.168.1.254, because if it is the ASA inside interface, there will be asymmetric routing as your PC is in the same subnet and the ASA will drop the connection.
Alternatively, if you still want to use the ASA as the default gateway, then you would need to configure TCP State Bypass on the ASA for traffic between the remote site and the local LAN, and the ASA will not check for the TCP state. However, that really defeats the purpose of having a firewall in place, and you might as well perform the above first option, which is the easiest to implement.
10-14-2012 05:48 PM
Hi Jennifer,
So you can confirm that having the external router connected to another interface is the best solution :-).
I have asked if it is possible to have the interface of the other router reconfigured with another IP, but I don't know if the Telco will allow us. How do I configure TCP State Bypass on the ASA for traffic between the remote site and the local LAN?
Thanks,
Dario
10-14-2012 06:03 PM
Ahh OK, telco router.
You can quickly test if it's working by configuring the PC with static routes for 192.168.8.0/24 pointing towards the router (192.168.1.254).
Here is sample configuration on TCP State Bypass:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
access-list tcp-bypass-acl permit tcp 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list tcp-bypass-acl permit tcp 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
class-map tcp-bypass-cm
match access-list tcp-bypass-acl
policy-map tcp-bypass-policy
class tcp-bypass-cm
set connection advanced-options tcp-state-bypass
service-policy tcp-bypass-policy interface inside
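To make the two answers above concrete (the 05:31 PM explanation of why asymmetric routing makes the ASA drop the RDP session, and the 06:03 PM TCP State Bypass configuration), here is an added example that is not part of the thread and not Cisco code: a toy model of a stateful firewall's TCP connection table. It replays the segments the ASA would actually see in this single-interface topology, once with state checking on and once with it bypassed, and also shows what bypass gives up. The subnets and the 192.168.8.10 server are the ones from the thread; the PC address 192.168.1.10, the source ports and the firewall model itself are constructed assumptions.

```python
# Added example (not from the thread or from Cisco): a simplified model of
# stateful TCP inspection, used to show why RDP fails through the hairpinned
# ASA while ping works, and what "tcp-state-bypass" changes.
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN, SYN_ACK, ACK = "SYN", "SYN-ACK", "ACK"

PC = "192.168.1.10"          # constructed host on the inside VLAN
RDP_SERVER = "192.168.8.10"  # remote server from the thread
RDP_PORT = 3389


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


FlowKey = Tuple[str, int, str, int]


class StatefulFirewall:
    """Hypothetical stateful inspection engine (a model, not the ASA's code).

    A flow is created only by a SYN and becomes ESTABLISHED only after the
    firewall itself sees the SYN-ACK in the other direction.  Segments that
    fit no ESTABLISHED flow are dropped.  With tcp_state_bypass=True the
    connection table is never consulted, mirroring the effect of
    "set connection advanced-options tcp-state-bypass" on matching traffic.
    """

    def __init__(self, tcp_state_bypass: bool = False) -> None:
        self.tcp_state_bypass = tcp_state_bypass
        self.conns: Dict[FlowKey, str] = {}

    def inspect(self, seg: Segment) -> Tuple[bool, str]:
        if self.tcp_state_bypass:
            return True, "permit: state checking disabled"
        fwd: FlowKey = (seg.src, seg.sport, seg.dst, seg.dport)
        rev: FlowKey = (seg.dst, seg.dport, seg.src, seg.sport)
        if seg.flags == SYN:
            self.conns.setdefault(fwd, "SYN_SENT")   # new flow or SYN retransmit
            return True, "permit: new connection"
        if seg.flags == SYN_ACK and self.conns.get(rev) == "SYN_SENT":
            self.conns[rev] = "ESTABLISHED"
            return True, "permit: handshake completed"
        if "ESTABLISHED" in (self.conns.get(fwd), self.conns.get(rev)):
            return True, "permit: existing connection"
        if self.conns.get(fwd) == "SYN_SENT":
            return False, "drop: half-open flow, the SYN-ACK never crossed the firewall"
        return False, "drop: no connection and the first segment is not a SYN"


def symmetric_rdp(bypass: bool = False) -> List[bool]:
    """Both directions cross the firewall: the normal, working case."""
    fw = StatefulFirewall(bypass)
    path = [
        Segment(PC, 50000, RDP_SERVER, RDP_PORT, SYN),
        Segment(RDP_SERVER, RDP_PORT, PC, 50000, SYN_ACK),
        Segment(PC, 50000, RDP_SERVER, RDP_PORT, ACK),
    ]
    return [fw.inspect(s)[0] for s in path]


def hairpin_rdp(bypass: bool = False) -> List[bool]:
    """The thread's topology: the PC's default gateway is the ASA, so its
    segments go PC -> ASA -> router out of the same interface, but the router
    answers the PC directly on the shared VLAN.  The ASA sees the SYN and the
    ACK, never the SYN-ACK."""
    fw = StatefulFirewall(bypass)
    seen_by_asa = [
        Segment(PC, 50000, RDP_SERVER, RDP_PORT, SYN),
        # the SYN-ACK from 192.168.8.10 reaches the PC without touching the ASA
        Segment(PC, 50000, RDP_SERVER, RDP_PORT, ACK),
    ]
    return [fw.inspect(s)[0] for s in seen_by_asa]


def unsolicited_from_remote(bypass: bool = False) -> bool:
    """What bypass gives up: a bare ACK from the remote subnet with no prior
    handshake.  Stateful inspection drops it; with bypass it is forwarded."""
    fw = StatefulFirewall(bypass)
    return fw.inspect(Segment(RDP_SERVER, 40000, PC, 445, ACK))[0]


if __name__ == "__main__":
    print("symmetric       :", symmetric_rdp())
    print("hairpin         :", hairpin_rdp(), "-> RDP fails, as in the thread")
    print("hairpin + bypass:", hairpin_rdp(bypass=True))
    print("unsolicited ACK, stateful / bypass:",
          unsolicited_from_remote(), unsolicited_from_remote(bypass=True))
```

The model reproduces the thread: ICMP carries no handshake state, so ping succeeds, while the RDP handshake is dropped on the PC's ACK because the ASA never saw the SYN-ACK. Bypass makes the session work only by switching the connection table off for everything the class-map matches, which is why the first answer (point the PC's default gateway, or at least a static route for 192.168.8.0/24, at 192.168.1.254) is the better fix. If bypass is kept, the ACL in the 06:03 PM post should be narrowed from the two whole subnets to the specific host and port that need it, so that the unchecked path stays as small as possible.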
10-19-2012 09:57 PM
It worked just perfectly!!!!
Thanks!
Dario