SYN ACK Flags blocked

Robert Craig
Level 6

OK, strange problem starting appearing recently. I can't for the life of me remember what I could have possibly changed to cause this problem. Below is architecture.

Internet---Cisco 2600 (Dynamic IP)--PIX 515E----Interface VLAN2 (192.168.2.1)----Wireless Router (local lan 192.168.3.0)

I am using my laptop and trying to access a device on the VLAN2 network and can't. I can ping all day long, but nothing beyond that. The only thing appearing in my logs is the below

Deny TCP (no connection) from 192.168.2.5/2000 to 192.168.3.100/35670 flags SYN ACK on interface vlan2

I've looked in the interface configs and made sure that "traffic between two or more interfaces with same security levels" is configured and looked everywhere else. This problem just started and really doesn't make any sense. Anyone know where I can double-check? Thanks for any help.

Robert
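The log line above is the one clue the firewall gives. As an added example (not from this thread or from Cisco), here is a small classifier for "Deny TCP (no connection)" lines in the format shown: it separates SYN ACK denies, which mean the firewall is seeing a reply to a SYN it never saw, from RST or plain ACK denies, which have other causes. The sample lines are constructed around the one Robert posted; the message prefix and other fields are assumptions.

```python
"""Classify PIX/ASA "Deny TCP (no connection)" syslog lines and flag
responder/client pairs whose only evidence is a SYN ACK, the signature of
a return path that crosses the firewall while the forward path bypasses it.
Added example, not the thread's or Cisco's code; sample lines are constructed."""
import re
from collections import Counter

DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)")

# Constructed sample log: Robert's line plus invented neighbours.
SAMPLE_LOG = [
    "Deny TCP (no connection) from 192.168.2.5/2000 to 192.168.3.100/35670 flags SYN ACK on interface vlan2",
    "Deny TCP (no connection) from 192.168.2.5/2000 to 192.168.3.100/35671 flags SYN ACK on interface vlan2",
    "Deny TCP (no connection) from 192.168.2.9/443 to 192.168.3.100/40010 flags RST on interface vlan2",
    "Built outbound TCP connection 1234 for outside:203.0.113.10/80 to inside:192.168.2.5/51000",
]


def parse_deny(line):
    """Return the fields of a no-connection deny line as a dict, or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def asymmetric_candidates(lines, threshold=1):
    """Count SYN ACK denies per (responder, client, interface).

    A responder answering a SYN the firewall never saw is the asymmetric
    routing symptom. RST or ACK denies are also no-connection drops, but they
    usually come from stale sessions or scans, so they are reported apart."""
    synack, other = Counter(), Counter()
    for line in lines:
        d = parse_deny(line)
        if d is None:
            continue
        key = (d["src"], d["dst"], d["iface"])
        if d["flags"] == "SYN ACK":
            synack[key] += 1
        else:
            other[(key, d["flags"])] += 1
    suspects = {k: n for k, n in synack.items() if n >= threshold}
    return suspects, dict(other)


if __name__ == "__main__":
    suspects, other = asymmetric_candidates(SAMPLE_LOG)
    for (responder, client, iface), n in suspects.items():
        print(f"{iface}: {responder} answered {n} SYN(s) from {client} that "
              f"never crossed the firewall; check the forward path")
    for (key, flags), n in other.items():
        print(f"{key[2]}: {n} {flags} drop(s) {key[0]} -> {key[1]} (other cause)")
```

Run against a real export, the pairs that keep reappearing with SYN ACK only are the hosts whose forward traffic reaches the responder by some path other than the firewall, which is exactly what the replies below work out for 192.168.3.100 and 192.168.2.5.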

26 Replies

Hi Robert,

The problem is actually a routing issue and is unrelated to NAT, though NAT can certainly contribute to the problem. You are correct that NAT 0 statements mean that any traffic matching the ACLs will not be translated, but again this would not necessarily be a fix for the problem of asymmetric routing.

-Mike

Mike,

Is this a design flaw or something on my end? I put a static route from the inside interface to the perimeter interface of my wireless router. Traffic works great both ways except for the way I mentioned earlier. I'm really at a loss here on how to resolve this.

Robert

Hi Robert,

Based on the syslog you posted originally, the problem is that traffic sourced from 192.168.3.100 destined to 192.168.2.5 does not go through the firewall at all. The ASA is only seeing traffic sourced from 192.168.2.5 destined to 192.168.3.100. Since the ASA can only see half of the bi-directional connection, it cannot properly firewall the traffic and thus drops the packets.

The solution is to fix the routing in your design such that either a) 192.168.3.100 sends traffic through the firewall before it reaches 192.168.2.5, or b) 192.168.2.5 does not send traffic for 192.168.3.100 through the firewall at all.

As Julio mentioned, TCP state bypass can be used to configure the ASA to ignore this problem and pass the traffic anyway, but this is just a workaround. Since the PIX doesn't support this feature, the workarounds listed in the above document can help get things working for you until you're ready to adjust the routing config.

-Mike

I see what you are saying, but unfortunately I don’t understand how to implement a routing change like that. Consider this. Interface inside is 192.168.1.1. The Wireless router (internet interface) is 192.168.1.7. Now, clients on the wireless side get an IP from the wireless router on the 192.168.3.0 network. Now, 3.0 can go through the firewall and access something on another vlan or another interface no problem. But, the problem is accessing devices on the 1.0 network. I rebuilt the PIX last night because there were some things going on other than this that I couldn’t rectify. The wireless router only has a default route (as it should in this case) and that is to 192.168.1.1. So, in this situation, how would I adjust the routing if it has to go to 1.1 no matter what?

Robert

Hi Robert,

If I understand the network correctly based on the above posts, you have something like this (correct me if I'm wrong):

Internet---Router---(outside)PIX(inside)---VLAN 1
                                 (vlan2)
                                    |
                                 VLAN 2
                                    |
                            Wireless Router
                                    |
                                 VLAN 3
                                    |
                            Wireless hosts

Assuming this is correct, the problem happens when wireless hosts (192.168.3.x) talk to VLAN 2 hosts (192.168.2.x), right? So the problem looks like this:

1. 192.168.3.x sends a packet for 192.168.2.x to its default gateway (the wireless router).

2. The wireless router checks its routing table and sees that it already has an interface in the 192.168.2.x subnet, so it sends the packet directly to the destination. The PIX never sees this initial packet.

3. 192.168.2.x needs to send its response destined to 192.168.3.x. It checks its routing table and sees that it has a default gateway configured on the host that points to the PIX's VLAN 2 interface.

4. The PIX receives the packet but knowing that it never saw the SYN for the connection, it drops the 192.168.2.x host's response and the connection fails.

To fix this, you have a couple of options:

1. Add a static route on the hosts in the 192.168.2.x network that sends all traffic for 192.168.3.x to the Wireless router's interface, instead of the PIX's interface. For example, on MS Windows, this is done with the 'route add' command.

or

2. Add a static route on the Wireless Router that sends all traffic destined for 192.168.2.x to the PIX's interface instead of directly to the hosts themselves. If you choose this option, you also need to enable the 'same-security-traffic permit intra-interface' command on the PIX to allow the packet to enter and leave on the same VLAN 2 interface (this is denied by default). You also need to make sure the packet is allowed by your security policy (ACLs, NAT, etc.)

-Mike

Yes, I actually changed to the 1.0 network last night, but same scenario. Now, obviously option 2 would make sense, but I don’t think you can add a route like that. Below is the routing table from the Wireless Router.

Destination LAN IP   Subnet Mask      Gateway        Hop Count   Interface
192.168.3.0          255.255.255.0    0.0.0.0        1           LAN & Wireless
192.168.1.0          255.255.255.0    0.0.0.0        1           Internet (WAN)
224.0.0.0            240.0.0.0        0.0.0.0        1           LAN & Wireless
0.0.0.0              0.0.0.0          192.168.1.1    1           Internet (WAN)

Now, to use option 2 from your email, I would have to add a route that says 192.168.1.0 255.255.255.0 192.168.1.1. Of course, when I do that, I get “Invalid Static Route” because that route technically already exists. I wonder, if I create another VLAN specifically for a point to point connection from the interface to this router, I wouldn’t have this problem anymore. Use a /30 since I highly doubt the Wireless Router supports a /31.

Robert

Mike and Julio. Thanks again for all of your help. I ended up creating another subinterface with VLAN3 with a /30 just for the wireless router. Now everything is working correctly because the traffic being passed to the firewall is destined for a different subnet regardless of where it is going. I guess I need to invest in an ASA. I know the PIX series is powerful, but something like this just adds to the list of enhancements on the ASA side. Thanks again!
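Mike's four-step walkthrough above and Robert's final /30 subinterface design both come down to which hop each half of the handshake takes. As an added example (not from this thread, not a Cisco tool), the model below does longest-prefix routing hop by hop and puts a minimal stateful check at the PIX: a SYN creates a connection entry, a SYN ACK is only forwarded when the matching SYN was seen. It runs the handshake from the original log line in three topologies: the original one, Mike's option 1 (static route on the VLAN 2 host), and the point-to-point /30 Robert ended up with. Addresses other than those in the thread (the wireless router's WAN leg 192.168.2.2, the /30 192.168.4.0/30 with the PIX on .1 and the router on .2) are constructed, and interfaces, ACLs and NAT are deliberately left out.

```python
"""Toy model of the asymmetric-routing drop from the thread and of two fixes
that make the PIX see both halves of the TCP handshake.
Added example, not the thread's or Cisco's code; addresses beyond the thread's
own (192.168.2.2 for the router's WAN leg, 192.168.4.0/30) are constructed."""
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over [(prefix, next_hop)]; next_hop is "direct"
    or a gateway IP. Returns the next hop, or None when nothing matches."""
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def owner(nodes, ip):
    """Name of the node that holds address ip."""
    return next(name for name, node in nodes.items() if ip in node["addrs"])


def inspect(state, pkt):
    """Stateful check at the firewall: SYN opens a connection entry, SYN ACK is
    permitted only if the reverse tuple exists. Returns a deny string in the
    PIX syslog wording, or None to permit."""
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if pkt["flags"] == "SYN":
        state.add(key)
        return None
    if (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in state:
        return None
    return (f"Deny TCP (no connection) from {pkt['src']}/{pkt['sport']} "
            f"to {pkt['dst']}/{pkt['dport']} flags {pkt['flags']}")


def deliver(nodes, start, pkt, state, firewall="pix", max_hops=8):
    """Forward pkt hop by hop from node `start`; the firewall node inspects
    every packet it must forward. Returns (verdict, path_or_reason)."""
    cur, path = start, [start]
    for _ in range(max_hops):
        node = nodes[cur]
        if pkt["dst"] in node["addrs"]:
            return "delivered", path
        if cur == firewall:
            reason = inspect(state, pkt)
            if reason:
                return "dropped", reason
        next_hop = lookup(node["routes"], pkt["dst"])
        if next_hop is None:
            return "dropped", f"{cur}: no route to {pkt['dst']}"
        cur = owner(nodes, pkt["dst"] if next_hop == "direct" else next_hop)
        path.append(cur)
    return "dropped", "hop limit exceeded"


def topology(fix=None):
    """Thread topology: wireless host 192.168.3.100 behind the wireless router,
    whose WAN leg sits in VLAN 2 (192.168.2.2, constructed); PIX vlan2 at
    192.168.2.1; server 192.168.2.5 with the PIX as default gateway.
    fix="host_route": Mike's option 1, static route for 3.0/24 on the server.
    fix="p2p30": Robert's final design, the router's WAN leg moved to a
    /30 on its own PIX subinterface (192.168.4.0/30, constructed)."""
    nodes = {
        "wifi_host": {"addrs": ["192.168.3.100"],
                      "routes": [("192.168.3.0/24", "direct"), ("0.0.0.0/0", "192.168.3.1")]},
        "wrt": {"addrs": ["192.168.3.1", "192.168.2.2"],
                "routes": [("192.168.3.0/24", "direct"), ("192.168.2.0/24", "direct"),
                           ("0.0.0.0/0", "192.168.2.1")]},
        "pix": {"addrs": ["192.168.2.1"],
                "routes": [("192.168.2.0/24", "direct"), ("192.168.3.0/24", "192.168.2.2")]},
        "server": {"addrs": ["192.168.2.5"],
                   "routes": [("192.168.2.0/24", "direct"), ("0.0.0.0/0", "192.168.2.1")]},
    }
    if fix == "host_route":
        nodes["server"]["routes"].insert(0, ("192.168.3.0/24", "192.168.2.2"))
    elif fix == "p2p30":
        nodes["wrt"]["addrs"] = ["192.168.3.1", "192.168.4.2"]
        nodes["wrt"]["routes"] = [("192.168.3.0/24", "direct"), ("192.168.4.0/30", "direct"),
                                  ("0.0.0.0/0", "192.168.4.1")]
        nodes["pix"]["addrs"] = ["192.168.2.1", "192.168.4.1"]
        nodes["pix"]["routes"] = [("192.168.2.0/24", "direct"), ("192.168.4.0/30", "direct"),
                                  ("192.168.3.0/24", "192.168.4.2")]
    return nodes


def handshake(fix=None):
    """Run the SYN and SYN ACK of the connection from the thread's log line and
    return both verdicts with their paths (or the deny reason)."""
    nodes, state = topology(fix), set()
    syn = {"src": "192.168.3.100", "sport": 35670, "dst": "192.168.2.5", "dport": 2000, "flags": "SYN"}
    synack = {"src": "192.168.2.5", "sport": 2000, "dst": "192.168.3.100", "dport": 35670, "flags": "SYN ACK"}
    return deliver(nodes, "wifi_host", syn, state), deliver(nodes, "server", synack, state)


if __name__ == "__main__":
    for fix in (None, "host_route", "p2p30"):
        print(fix or "original", handshake(fix))
```

In the original topology the SYN path is wifi_host, wrt, server and never touches the PIX, so the SYN ACK is denied with the same wording as Robert's log. With the host route the reply also bypasses the PIX and the connection works without the firewall ever seeing it, which is why Mike calls it a routing fix rather than a firewall fix. With the /30, the router's only route toward 192.168.2.0/24 is its default via the PIX, so both halves cross the firewall and the state check passes.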

Hi Robert,

Glad to hear you were able to get this working. Just to clarify, the ASA has the same restrictions, but you would have the ability to enable TCP state bypass for the traffic as a workaround in 8.2+ as Julio mentioned.

-Mike

Yeah, that's what I meant. Thanks!

Robert

Hello Robert,

Great to hear that we could help on this.

Have a great weekend.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

jcarvaja,

Through your recommendation with the tcp state bypass I was able to resolve a similar problem I'm having with an ASA at 8.4(2).  I've been going in circles for 5 hours of the 8 hour workday! Thanks so much!

Robert,

I'm glad you solved your issue.  If it wasn't for you, I would not have seen the very helpful replies from jcarvaja.

Hello Carlos,

Great to hear that my post helped you.

That is why we are here!

Regards,

Do rate posts that help you!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC