01-22-2018 01:52 AM - edited 02-21-2020 07:10 AM
Hi Support Community,
I would like to seek your help regarding my Cisco ASA 5506x routing issue.
Based on the diagram, I was able to ping from host 172.16.53.200 to 222.127.9.172 using 172.16.53.253 as gateway. But when I changed the gateway from 172.16.53.253 to 172.16.53.254, the ping stops, and when I run packet-tracer, it indicates an ACL problem although I already allowed all traffic.
What I need to accomplish is to access the 222.127.9.172 PC using 172.16.53.254 as gateway.
Hope you could help me on this.
Thanks and regards,
Mon
########################################
ASA Version 9.8(1)7
!
hostname IPVPN
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip add 1.1.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip add 172.16.53.254 255.255.254.0
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
access-list inside_access_in extended permit ip 172.16.52.0 255.255.254.0 object obj_any
access-list outside_access_in extended permit ip object obj_any 172.16.52.0 255.255.254.0
!
nat (inside,outside) source dynamic obj_any interface
!
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.26.1
route inside 10.10.26.0 255.255.255.0 172.16.53.253 10
route inside 222.127.9.0 255.255.255.0 172.16.53.253 10
!
policy-map global_policy
class inspection_default
inspect icmp
!
################################################################
ASA Version 9.8(1)7
!
hostname IPVPN
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip add 10.10.26.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip add 172.16.53.253 255.255.254.0
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
access-list inside_access_in extended permit ip 172.16.52.0 255.255.254.0 object obj_any
access-list outside_access_in extended permit ip object obj_any 172.16.52.0 255.255.254.0
!
nat (inside,outside) source dynamic obj_any interface
!
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.26.1
!
policy-map global_policy
class inspection_default
inspect icmp
!
01-23-2018 05:18 AM
Hi Mon,
ASA is a firewall and because of that it likes having all the traffic go through it.
Configuration can be applied to override these settings, but it will affect the level of security the ASA can offer.
Because of that the recommended design would be to have one ASA.
If you want to make your design work the only solution is configuring tcp bypass.
HTH
Bogdan
01-22-2018 06:27 AM
You will need to enable same-security permit intra-interface and disable the TCP state check.
HTH
Bogdan
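The two settings Bogdan names, written out as an added example against this thread's own addresses (not configuration posted by anyone in the thread). It assumes they go on the ASA whose inside address is 172.16.53.254, since that box forwards the host's packets back out its inside interface toward 172.16.53.253 and never sees the return direction; the names tcp_bypass and tcp_bypass_policy are made up here.

```cisco
! Allow traffic that enters the inside interface to be forwarded back out
! of the same interface (host -> 172.16.53.254 -> 172.16.53.253).
same-security-traffic permit intra-interface
!
! Match only the asymmetric flow: inside hosts to the 222.127.9.0/24 network.
! The name tcp_bypass is assumed for this example.
access-list tcp_bypass extended permit tcp 172.16.52.0 255.255.254.0 222.127.9.0 255.255.255.0
class-map tcp_bypass
 match access-list tcp_bypass
!
! Skip TCP state checking for that class only; every other flow keeps full
! stateful inspection, which limits the security trade-off Bogdan mentions.
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy tcp_bypass_policy interface inside
```

Running packet-tracer input inside tcp 172.16.53.200 12345 222.127.9.172 80 on that ASA afterwards shows whether the flow now passes the phases that produced the ACL drop described in the first post.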
01-22-2018 06:24 PM
Hi Bogdan,
Good Day and thanks for the quick reply.
I've already applied the commands same-security and tcp bypass on both ASAs but unfortunately I still can't access the 222.x.x.x network using 172.16.53.254 as gateway.
Based on my diagram, can you suggest a better way to route traffic between 2 ASA's?
The Problem i encountered is this:
1. When I used the 172.16.53.254 as gateway, there is an internet connection but cannot access the 222.x.x.x network.
2. When I used the 172.16.53.253 as gateway, I can access the 222.x.x.x network but no internet connection.
What I'm trying to achieve is:
1. Use 172.16.53.254 as gateway and be able to access both the Internet and the 222.x.x.x network.
I tried to simulate using only 1 ASA and it's working fine, but the problem occurred when I added another ASA to the network.
Is there a better way to configure the 2 ASA & route traffic using 172.16.53.254 as gateway?
Thanks and really appreciate your help!
regards,
Mon