Routing inside traffic.

jscott
Level 1

I have two routers on my internal network. I don't have the means to draw a diagram, and I'm a noob when it comes to Cisco.

10.10.199.106 is a Cisco ASA5510.

10.10.199.108 is a Sonicwall NSA 3500

The sonicwall handles our site to site VPN tunnels.  The Cisco handles our client to site VPN connections.

I have a unit that points to 10.10.199.106 (Cisco) for internet access.  All other clients on the network point to 10.10.199.108 (Sonicwall) for internet access.

The device in question, a Synology NAS, is using 10.10.199.68 as its IP address.

I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel.  The IP scheme on the remote end of the VPN tunnel is 192.168.72.0/24.

Going through the VPN, I can hit every object on the network that uses .108 (Sonicwall) as its gateway. However, I cannot hit the unit that uses .106 (Cisco) as its gateway.

I added a route statement (using ASDM) that routes all traffic destined to 192.168.72.0/24 to the Sonicwall so it can send it back down the VPN tunnel. If I'm understanding routing correctly, this should allow responses from the NAS destined for 192.168.72.0/24 to go back down the VPN tunnel.

It does not work.  I know I'm probably either stupid or missing something small.  Can anyone help?

Thanks,


Jouni Forss
VIP Alumni

Hi,

I have no idea how NAS devices are configured. Is there a possibility to add a specific route for the remote network with the correct gateway address on the NAS device itself?

If not, you could try checking if you have the following command on the ASA:

"same-security-traffic permit intra-interface"

This permits traffic to enter and leave the same interface which to my understanding is what you are looking for.

You can confirm your current settings by issuing the command "show run same-security-traffic".

- Jouni
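The routing question in this thread (the NAS's default gateway is the ASA at .106, while the VPN to 192.168.72.0/24 terminates on the Sonicwall at .108, and the OP added an ASA route for 192.168.72.0/24 pointing at .108) comes down to which path the reply packets take. The following added example is not from the thread or from any of the vendors; it models the three devices with a longest-prefix-match lookup and traces the forward and return path. It shows why the NAS's replies land on the ASA's inside interface and have to be sent back out the same interface (the hairpin that `same-security-traffic permit intra-interface` is needed for), and that a host route on the NAS itself removes the hairpin entirely. The interface names, the two outside networks and the Sonicwall "vpn" interface are assumptions made for the model; the LAN addresses are the ones from the thread.

```python
import copy
import ipaddress

# Constructed topology. The 10.10.199.x addresses are the thread's; interface
# names, the outside networks and the Sonicwall "vpn" interface are assumptions.
DEVICES = {
    "NAS": {
        "ifaces": {"eth0": "10.10.199.0/24"},
        "routes": [("10.10.199.0/24", None),           # connected network
                   ("0.0.0.0/0", "10.10.199.106")],    # default gateway = ASA
    },
    "ASA": {
        "ifaces": {"inside": "10.10.199.0/24", "outside": "203.0.113.0/24"},
        "routes": [("10.10.199.0/24", None),
                   ("192.168.72.0/24", "10.10.199.108"),  # the route the OP added in ASDM
                   ("0.0.0.0/0", "203.0.113.1")],
    },
    "Sonicwall": {
        "ifaces": {"lan": "10.10.199.0/24", "vpn": "192.168.72.0/24"},
        "routes": [("10.10.199.0/24", None),
                   ("192.168.72.0/24", None),          # remote site, reached over the tunnel
                   ("0.0.0.0/0", "198.51.100.1")],
    },
}
# Which device owns which LAN address, so a next-hop can be followed to its owner.
OWNER = {"10.10.199.68": "NAS", "10.10.199.106": "ASA", "10.10.199.108": "Sonicwall"}


def lookup(routes, dst):
    """Longest-prefix match: (prefix, next_hop) of the most specific route, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def iface_for(ifaces, ip):
    """Name of the interface whose network contains ip, or None."""
    ip = ipaddress.ip_address(ip)
    for name, net in ifaces.items():
        if ip in ipaddress.ip_network(net):
            return name
    return None


def trace(start, dst, devices=DEVICES, ingress=None, max_hops=6):
    """Follow a packet hop by hop; each hop is (device, ingress_iface, egress_iface)."""
    hops, dev = [], start
    for _ in range(max_hops):
        match = lookup(devices[dev]["routes"], dst)
        if match is None:
            hops.append((dev, ingress, None))      # dropped: no route
            return hops
        _, next_hop = match
        egress = iface_for(devices[dev]["ifaces"], next_hop or dst)
        hops.append((dev, ingress, egress))
        if next_hop is None:
            return hops                            # delivered onto a connected network
        nxt = OWNER.get(next_hop)
        if nxt is None:
            return hops                            # next hop is outside the model (Internet)
        ingress = iface_for(devices[nxt]["ifaces"], next_hop)
        dev = nxt
    return hops


def hairpin_devices(hops):
    """Devices that would send the packet back out the interface it arrived on."""
    return [dev for dev, ing, eg in hops if ing is not None and ing == eg]


def with_host_route(devices, dev, prefix, next_hop):
    """Copy of the topology with one extra static route on a device."""
    new = copy.deepcopy(devices)
    new[dev]["routes"].insert(0, (prefix, next_hop))
    return new


if __name__ == "__main__":
    fixed = with_host_route(DEVICES, "NAS", "192.168.72.0/24", "10.10.199.108")
    for label, topo in (("default gateway only", DEVICES), ("host route on NAS", fixed)):
        hops = trace("NAS", "192.168.72.10", topo)
        print(f"{label}: " + " -> ".join(f"{d}[{i}->{e}]" for d, i, e in hops),
              "| hairpin at:", hairpin_devices(hops) or "none")
```

Running the module prints the two return paths. Without the host route the reply goes NAS -> ASA (in and out of "inside") -> Sonicwall, so the ASA must be willing to hairpin the traffic and its ACL and NAT policy still apply to it; with the host route the reply goes straight to the Sonicwall and the ASA never sees it, which is why a route on the host is the simpler fix when the device allows it.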

Hi Jouni.

The NAS is just a computer with lots of hard drive space.  I looked at the config options, and it does not have any way to specify routes on the unit.

As for the command, it did not fix the issue.  I confirmed the setting using show run same-security-traffic.

Any other suggestions?

Hi,

Sorry for asking a stupid question (as I haven't used NAS devices), but is the NAS a computer with an actual normal OS like Windows? If it is, you should be able to configure a static route to it through the command line.

If you have the "same-security-traffic permit intra-interface" and maybe even the other one of them also, then I'm not totally sure what the problem is.

Is there an ACL rule on the ASA that permits the traffic? If there is, can you see the connection forming on the ASA? (You need to have the logging level at Informational at least.) Could there be some NAT rule preventing this connection?

I have had to deal with this kind of situation only once and it was such a long time ago that I don't remember much of it. I could perhaps test the scenario here at home since I have both ASA and a Cisco router connected to Internet and both connected to the same LAN also.

Can you perhaps get some logs of an actual connection attempt?

Maybe you could even take a "packet-tracer" output from the ASA CLI and post it here:

packet-tracer input tcp

- Jouni

This is where I show my complete lack of Cisco config understanding.  I'm not sure how to create an ACL through ASDM.

The NAS is a Linux box (Ubuntu?). It's just a large file server.
