Solved: Source and destination ip under same interface of ASA

mahesh18 · ‎05-10-2013

Hi Everyone,

i was checking some rule on ASA to find specfic port open on the destination IP or not? and was given source and destination subnets.

Object group network was used for this.

Found that say we have interface Cisco

say interface of ASA is on subnet 172.30.100.x

We have network object groups came x and y

X has subnet 172.30.10.x ------------------source

Y has subnet 172.30.250.x -------------------------------destination

We can see that ASA interface and network objects all 3 are of different network.

Need to know as source and destinations are under same ASA interface but under different subnets is the traffic flow from source to destination will

pass through ASA or not?

Thanks

Mahesh

Jouni Forss · ‎05-10-2013

Hi Mahesh,

If your interface network is for example 172.30.100.0/24 and the source and destination networks are 172.30.10.0/24 and 172.30.250.0/24

THEN if the source and destination networks are both routed out from interface Cisco then the traffic SHOULD NOT go through the ASA at all.

- Jouni

View solution in original post

Jouni Forss · ‎05-10-2013

Hi,

Naturally you can have many different subnets behind another interface. Most of the time in those cases you WONT need ACL rules to allow traffic between them as the traffic shouldnt go through the ASA at all at any point between those 2 subnets.

What you need to confirm (if I understood you correctly)

You have an interface for example

interface GigabitEthernet0/0

nameif Cisco

security-level 100

ip add 172.30.100.1 255.255.255.0

Then IF you have the following routes for example

route Cisco 172.30.10.0 255.255.255.0 172.30.100.x

route Cisco 172.30.250.0 255.255.255.0 172.30.100.x

Then this would mean that the 2 networks that have routes on the same interface of the ASA would communicate between eachother through some router behind the interface "Cisco" (Router 172.30.100.x)

So in a typical setup the traffic between the 2 subnets in this case SHOULDNT go through the ASA at any point.

But you will have to confirm the above configurations refeclet your current situation.

- Jouni

View solution in original post

Jouni Forss · ‎05-10-2013

Hi,

You can use the following command to list all static routes on the ASA

show run route

If you want to check routes for a certain interface then you can use the following command

show run route | inc

Then you can naturally in this case try to use also the commands

show run route | inc 172.30.10

show run route | inc 172.30.250

And they should list static routes for the networks

Naturally you can also simply go through the routing table and find the routes for those 2 networks

show route

Basicly lets say if you see something like this in the configuration output

route Cisco 172.30.10.0 255.255.255.0 172.30.100.2

route Cisco 172.30.250.0 255.255.255.0 172.30.100.2

It means those 2 networks are found behind the same router behind the ASA interface Cisco. Since they are found on the same router behind the ASA then the router doesnt really have the need to route the traffic between those networks to the ASA at any point.

It will simply see a route on itself to the other network and has no need to send the traffic to ASA.

But naturally all these things have to be confirmed in the configurations and routing tables of the devices

If you have multiple routers behind single ASA interface there is possibility that traffic would go through the ASA but to determine if this is the case I would have to know how the routing table/configurations look like on the ASA

- Jouni

View solution in original post

Jouni Forss · ‎05-10-2013

Hi Mahesh,

If your interface network is for example 172.30.100.0/24 and the source and destination networks are 172.30.10.0/24 and 172.30.250.0/24

THEN if the source and destination networks are both routed out from interface Cisco then the traffic SHOULD NOT go through the ASA at all.

- Jouni

mahesh18 · ‎05-10-2013

Hi Jouni,

Is this normal to have source and destination having different subnets under same ASA interface?

When you say should not go through the ASA does it mean traffic will passthrough the ASA but no rules will apply to it?

Need more explanation on this.

Regards

MAhesh

Jouni Forss · ‎05-10-2013

Hi,

Naturally you can have many different subnets behind another interface. Most of the time in those cases you WONT need ACL rules to allow traffic between them as the traffic shouldnt go through the ASA at all at any point between those 2 subnets.

What you need to confirm (if I understood you correctly)

You have an interface for example

interface GigabitEthernet0/0

nameif Cisco

security-level 100

ip add 172.30.100.1 255.255.255.0

Then IF you have the following routes for example

route Cisco 172.30.10.0 255.255.255.0 172.30.100.x

route Cisco 172.30.250.0 255.255.255.0 172.30.100.x

Then this would mean that the 2 networks that have routes on the same interface of the ASA would communicate between eachother through some router behind the interface "Cisco" (Router 172.30.100.x)

So in a typical setup the traffic between the 2 subnets in this case SHOULDNT go through the ASA at any point.

But you will have to confirm the above configurations refeclet your current situation.

- Jouni

mahesh18 · ‎05-10-2013

Hi jouni,

To verify that traffic does not pass through the ASA i have to check that route command for both different subnets has interface Cisco IP address as next hop?

Thanks

Jouni Forss · ‎05-10-2013

Hi,

You can use the following command to list all static routes on the ASA

show run route

If you want to check routes for a certain interface then you can use the following command

show run route | inc

Then you can naturally in this case try to use also the commands

show run route | inc 172.30.10

show run route | inc 172.30.250

And they should list static routes for the networks

Naturally you can also simply go through the routing table and find the routes for those 2 networks

show route

Basicly lets say if you see something like this in the configuration output

route Cisco 172.30.10.0 255.255.255.0 172.30.100.2

route Cisco 172.30.250.0 255.255.255.0 172.30.100.2

It means those 2 networks are found behind the same router behind the ASA interface Cisco. Since they are found on the same router behind the ASA then the router doesnt really have the need to route the traffic between those networks to the ASA at any point.

It will simply see a route on itself to the other network and has no need to send the traffic to ASA.

But naturally all these things have to be confirmed in the configurations and routing tables of the devices

If you have multiple routers behind single ASA interface there is possibility that traffic would go through the ASA but to determine if this is the case I would have to know how the routing table/configurations look like on the ASA

- Jouni

mahesh18 · ‎05-10-2013

Hi Jouni,

I will check the routing table to know whats the default static route there and will let you know.

Regards

MAhesh

mahesh18 · ‎05-13-2013

Hi Jouni.

I found this on the ASA

route Cisco 172.30.10.0 255.255.255.0 172.30.100.2

route Cisco 172.30.250.0 255.255.255.0 172.30.100.2

Seems now it confirms that both subnets are behind the same ASA interface and Router.

Regards

MAhesh