Cisco Packet Tracer - Firewall vs Router: intra-interface Routing

juandcc2014
Level 1

Hello, Everyone.

I am currently trying to set up 2 networks, 192.168.1.0 and 192.168.2.0, so that they can ping each other (and eventually talk to each other). However, they are to communicate with each other using firewalls, specifically the ASA 5506-X. Here is the network setup:

[Image: network setup diagram (juandcc2014_1-1762024359220.png)]

My goal is to have ASA0(1)(1), with IP address 192.168.0.3, act as the default gateway not only for the devices on that LAN (192.168.0.0), but also as the default route for the other 2 ASAs, ASA0 (192.168.0.1) and ASA0(1) (192.168.0.2). Here are some notes about the firewalls:

- All of the interfaces in use (GE1/1 and GE1/2) have the same security level of 100 and are up ('no shut')

- All of them inspect ICMP via policy-map global_policy

- Firewalls 192.168.0.1 and 192.168.0.2 have static routes: 'route [name of interface connected to switch] 0.0.0.0 0.0.0.0 192.168.0.3'

 

And here is the flow of a ping packet from 192.168.1.10 to 192.168.2.10 (assuming that enough pings have gone through the firewalls so that there are no ping timeouts and there are actual replies):

Performing a test from 192.168.1.10 to 192.168.2.10

- 192.168.0.1 routes directly to 192.168.0.2 instead of going to 192.168.0.3 first. Then 192.168.0.2 routes the packet to the destination 192.168.2.10

On the return:

- 192.168.0.2 routes directly to 192.168.0.1 instead of going to 192.168.0.3 first. Then 192.168.0.1 routes the packet to the destination 192.168.1.10

Now, if I were to replace all the ASAs with routers (I used 2901 ISRs), give them the static route 'ip route 0.0.0.0 0.0.0.0 192.168.0.3', and observe the flow of the ping packets from 192.168.1.0 to 192.168.2.10, I would actually see 192.168.0.3 being used to route the packets from 192.168.0.1 to 192.168.0.2 and vice versa before the packets reach their intended destinations.

Further, I have attached the Cisco Packet Tracer file (called 'router vs asa.pkt'), which shows both the network with all ASAs and the network with all ISRs. It is attached as a .zip file since the website won't allow .pkt files. Here is a diagram of both networks side by side (as shown in the file):

[Image: ASA network and ISR network side by side (juandcc2014_2-1762025168267.png)]

I just do not understand what is going on and why it is not working on the 5506-X when it works on the 2901 ISRs. Any help is appreciated, and forgive any misunderstanding or confusion; I am relatively new to networking.

In summary: I am trying to have one router/firewall perform the routing between the other networks via intra-interface routing (the packet goes back out the same interface it came in on). I first used Cisco 5506-X firewalls with security level 100 + inspect ICMP + a default route that leads to the ASA that is to perform the routing to the destination network. That didn't work. But replacing the ASAs with 2901 ISRs did the trick. The question is: what can I do on the ASA for it to work as intended, like the ISRs do?

5 Replies

M02@rt37
VIP

Hello @juandcc2014 

ASAs do not forward traffic back out the same interface on a flat LAN unless the design forces them to route rather than switch...

Try to separate the ASAs into different subnets or point-to-point links so routing actually occurs.

Thanks in advance for your feedback

Best regards


M02@rt37 wrote:

ASAs do not forward traffic back out the same interface on a flat LAN unless the design forces them to route rather than switch...


Is there a way to force the firewall to forward traffic back out the same interface while keeping the network's design as it is (flat LAN), via some commands (ACLs, global_policy, security levels, etc.)?

Hello @juandcc2014 

Yes, just enable the same-security-traffic permit intra-interface command, permit the traffic with an ACL, and ensure routes/NAT are correct.

https://www.networkstraining.com/permitting-traffic-to-enter-and-exit-the-same-interface-same-security-traffic-permit/

Best regards

elwin-berrar
Level 1

Hi @juandcc2014,

That's expected. ASAs don't route traffic back out the same interface, unlike routers. If you want it to work in your flat LAN, enable: `same-security-traffic permit intra-interface`

But the best fix is to separate the ASAs into different subnets or point-to-point links so real routing happens. ASAs are firewalls first, not routers.

Since Packet Tracer is very limited in commands, that same-security-traffic permit intra-interface command does not work there. So I recreated this entire network physically (same firewalls, same switches, and some end devices for ping tests). However, even with:

- same-security-traffic permit intra-interface

- inspect ICMP on global_policy

- and static default routes on each firewall towards the fw acting as default gateway: route [interface name of fw connected to switch] 0.0.0.0 0.0.0.0 192.168.0.3

The routing just won't work. 

Your quote, "ASAs are firewalls first, not routers.", is very nice and I will remember it through my networking journey. It's just that I was wondering if it's possible to even have my setup working before I completely give up on this idea and just implement the other alternatives suggested by you and M02@rt37, or outright use routers.

So are there any workarounds for this setup to function? I have a feeling it has to do with ACLs.
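Putting the two answers above (from M02@rt37 and elwin-berrar) together as one configuration, as an added example that is not part of the thread and not anyone's posted config: this is the hairpin ASA at 192.168.0.3, where a packet arriving from 192.168.0.1 on GigabitEthernet1/1 has to leave on that same interface toward 192.168.0.2. The interface name "lan", the ACL name LAN_IN and the two static routes to the edge ASAs are assumptions; the original post only describes the default routes on 192.168.0.1 and 192.168.0.2, but the gateway ASA cannot forward to 192.168.2.0/24 without knowing its next hop.

```cisco
! Added example (not from the thread): hairpin ASA at 192.168.0.3.
! Interface name "lan", ACL name LAN_IN and the two LAN routes are assumptions.
interface GigabitEthernet1/1
 nameif lan
 security-level 100
 ip address 192.168.0.3 255.255.255.0
 no shutdown
!
! A packet that enters "lan" from 192.168.0.1 must exit "lan" toward 192.168.0.2.
! Hairpinning on one interface is denied by default; this enables it.
same-security-traffic permit intra-interface
!
! This box must know where the two LANs are; the edge ASAs are the next hops
! (assumed here, the original post only lists the default routes on .1 and .2).
route lan 192.168.1.0 255.255.255.0 192.168.0.1 1
route lan 192.168.2.0 255.255.255.0 192.168.0.2 1
!
! Explicitly permit the test traffic in both directions and apply it inbound
! on the only interface in use. Widen beyond ICMP once the ping test passes.
access-list LAN_IN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list LAN_IN extended permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group LAN_IN in interface lan
!
! ICMP inspection, as in the original post, so echo replies match their requests
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification: packet-tracer walks route lookup, ACL and the hairpin check for
! a simulated echo request (type 8, code 0) and reports which phase drops it.
show running-config same-security-traffic
show route
packet-tracer input lan icmp 192.168.1.10 8 0 192.168.2.10
packet-tracer input lan icmp 192.168.2.10 8 0 192.168.1.10
```

One added caveat the thread does not mention: on the two edge ASAs (192.168.0.1 and 192.168.0.2) the ping does not hairpin at all, it crosses from GE1/2 to GE1/1. Because both interfaces are security-level 100, that is inter-interface same-security traffic, which the ASA also denies by default, so those two boxes need 'same-security-traffic permit inter-interface' in addition to the default route from the original post. Running packet-tracer on each of the three ASAs in turn narrows "the routing just won't work" to the one phase (route lookup, ACL, or the same-security check) that actually drops the packet.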