Routing in ASA

alex.dersch
Level 4

Hello Members,

I have a routing problem with my ASA. The ASA has an inside interface (172.16.2.25), an outside interface (public IP address) and a management interface (10.0.128.2), which is not the default gateway for the management LAN. In the management LAN there are also Cisco LMS and other network tools. The local LANs are behind the inside interface.

The OSPF process is also running, distributing all the required networks to the ASA. The management LAN has a metric of 0 because it is a connected network, and this causes asymmetric routing behaviour for packets coming from the inside interface to the management LAN: inside packets hit the outside interface and leave the ASA through the management interface, and the return packets leave through the default gateway.

I tried static routing on the ASA for packets destined to my management LAN via the Inside interface. This works, but after a while it goes back to the management interface and I have no idea why. Somehow the static route to the management LAN is not persistent.

thanks in advance

alex

Accepted Solution

This is a classic asymmetry issue that we see quite often.

One solution to this is to have a route-map on the inside router/switch that sets the next-hop to the management interface IP of the ASA based on the source IP and destination IP.

-KS


5 Replies

Is it possible for you to load a sanitized version of your config?

Hi Paul,

here comes the config.

thanks for having a look at it.

regards

alex


ASA Version 8.3(1)
!
terminal width 511

names
dns-guard
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address Public IP Address 255.255.255.0
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 172.16.2.25 255.255.255.248
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface Management0/0
nameif MANAGEMENT
security-level 100
ip address 10.0.128.2 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup INSIDE
dns domain-lookup MANAGEMENT
dns server-group DNS-GROUP_BS
name-server 10.0.128.10
name-server 172.28.1.2
name-server 172.28.1.3


pager lines 24
logging enable
logging timestamp
logging list UserAuth level emergencies class auth
logging asdm-buffer-size 512
logging console warnings
logging monitor debugging
logging trap notifications
logging history notifications
logging asdm debugging
logging host MANAGEMENT 10.0.128.11
logging permit-hostdown
flow-export destination INSIDE 10.0.128.5 2055
flow-export delay flow-create 15
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu MANAGEMENT 1500
ip verify reverse-path interface OUTSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400


!
router ospf 1
router-id 172.16.2.25
network 172.16.2.24 255.255.255.248 area 0
network 172.24.5.0 255.255.255.0 area 0
network 172.24.6.0 255.255.255.0 area 0
network 192.168.254.112 255.255.255.240 area 0
area 0
log-adj-changes detail
redistribute static metric-type 1 subnets
default-information originate always metric 1
!
route OUTSIDE 0.0.0.0 0.0.0.0 194.209.59.1 1
route INSIDE 10.0.128.0 255.255.255.0 172.16.2.30 1
route INSIDE 10.0.128.1 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.3 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.4 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.5 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.6 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.7 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.8 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.9 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.10 255.255.255.255 172.16.2.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 MANAGEMENT
http 0.0.0.0 0.0.0.0 INSIDE
snmp-server host INSIDE 10.0.128.11 poll community ***** version 2c
snmp-server host INSIDE 10.0.128.5 poll community ***** version 2c
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh 0.0.0.0 0.0.0.0 MANAGEMENT
ssh timeout 30
console timeout 0
management-access MANAGEMENT
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.0.128.0 255.255.255.0
threat-detection scanning-threat shun duration 60
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.128.1 source MANAGEMENT prefer

!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp error
  inspect icmp
class global-class
  flow-export event-type all destination 10.0.128.5

: end

I think there might be a problem with this:

interface Management0/0
 nameif MANAGEMENT
 security-level 100
 ip address 10.0.128.2 255.255.255.0

route INSIDE 10.0.128.0 255.255.255.0 172.16.2.30 1

Your management interface is in 10.0.128.0/24 and there is a route for that same subnet, but going through the inside. The preferred route should be the directly connected one, in this case the interface m0/0.

Is that something you have noticed before?
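The route-selection rule behind this exchange, longest prefix first and then lowest administrative distance, can be checked against the posted table. The following is an added example, not code from the thread: it models the ASA's routes from the config above (two of the ten /32 host routes are kept, the inside networks come from the ospf stanza) and flags management hosts whose forward path leaves on a different interface than the one their replies arrive on, INSIDE per the original post.

```python
import ipaddress
from dataclasses import dataclass

# Administrative distances the ASA uses for these route sources.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ospf": 110}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    source: str


def r(prefix, interface, source):
    return Route(ipaddress.ip_network(prefix), interface, source)


# Constructed model of the routing table from the posted config.
ASA_ROUTES = [
    r("10.0.128.0/24", "MANAGEMENT", "connected"),  # Management0/0
    r("172.16.2.24/29", "INSIDE", "connected"),     # GigabitEthernet0/1
    r("0.0.0.0/0", "OUTSIDE", "static"),
    r("10.0.128.0/24", "INSIDE", "static"),         # the route that 'is not persistent'
    r("10.0.128.5/32", "INSIDE", "static"),
    r("10.0.128.10/32", "INSIDE", "static"),
    r("172.24.5.0/24", "INSIDE", "ospf"),
    r("172.24.6.0/24", "INSIDE", "ospf"),
]


def best_route(table, dst, down=()):
    """Longest prefix wins; on a tie the lowest administrative distance wins.
    A connected route only exists while its interface is up."""
    dst = ipaddress.ip_address(dst)
    candidates = [x for x in table if dst in x.prefix
                  and not (x.source == "connected" and x.interface in down)]
    return min(candidates, key=lambda x: (-x.prefix.prefixlen, ADMIN_DISTANCE[x.source]))


def egress(table, dst, down=()):
    return best_route(table, dst, down).interface


def asymmetric_hosts(table, hosts, return_interface="INSIDE"):
    """Hosts whose forward path leaves on another interface than their replies use."""
    return [h for h in hosts if egress(table, h) != return_interface]


if __name__ == "__main__":
    for host in ("10.0.128.5", "10.0.128.50"):
        print(host, "->", egress(ASA_ROUTES, host))
    print("MANAGEMENT down:", egress(ASA_ROUTES, "10.0.128.50", down=("MANAGEMENT",)))
    print("asymmetric:", asymmetric_hosts(ASA_ROUTES, ["10.0.128.5", "10.0.128.11", "10.0.128.50"]))
```

A host with its own /32 static route (10.0.128.5) is reached via INSIDE by longest prefix, while any other host in 10.0.128.0/24 falls to the connected route on MANAGEMENT because AD 0 beats the static /24 at AD 1; the static /24 is selected only while the connected route is absent.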

Hello Paul,

No, I want traffic to and from the devices in the management LAN to go through the inside interface. It's working now; I configured a route map on the default gateway in this VLAN.


But thank you for your support.

regards

alex
