11-09-2019 01:37 AM
Hi,
We have a network like below;
A PC (172.16.8.100) and an ASA (172.16.8.101) sit on the same Cisco Switch. The PC wants to communicate to a device on the outside interface (10.3.117.0/24) of the ASA. As it's a different subnet, the PC sends the packet to the default gateway/router, which has a static route - that to get to 10.3.117.0/24 it goes via 172.16.8.101.
So;
* Does EVERY packet go via the Router?
* If the Router gets disconnected/goes offline - is there no locally stored route table on the PC/Cisco Switch to manage this?
Thanks.
Solved! Go to Solution.
11-09-2019 02:07 AM - edited 11-09-2019 02:11 AM
Just to add to Leo's response.
Every packet from the PC to the outside device goes via the router but the return packets don't, they go direct from the ASA to the device because they are in the same subnet.
This is called asymmetric traffic.
In addition if you have ICMP redirects enabled on the router you may find that the router informs the PC to use the ASA as the default gateway instead because the router realises it is having to forward the traffic out of the same interface it received it on which is not optimal in terms of routing.
Jon
11-09-2019 01:46 AM
11-09-2019 02:23 AM
@Jon Marshall wrote:
Just to add to Leo's response.
Every packet from the PC to the outside device goes via the router but the return packets don't, they go direct from the ASA to the device because they are in the same subnet.
This is called asymmetric traffic.
In addition if you have ICMP redirects enabled on the router you may find that the router informs the PC to use the ASA as the default gateway instead because the router realises it is having to forward the traffic out of the same interface it received it on which is not optimal in terms of routing.
Jon
This last bit; that’s what I was hoping it would do. Seems like the smart thing to do. But does it? How can I check?
11-09-2019 02:38 AM
Assuming they have not been disabled on the router you can check the PC's routing table.
Be aware though that the PC may have a firewall blocking them and they may not necessarily use the redirect even if it is not blocked.
A lot depends on the OS.
Jon
11-09-2019 06:59 AM
Nice one.
Watching Wireshark while I perform a ping;
The default firewall rule (Echo-Request - ICMPv4-In) only includes the ICMP Code for 'Echo Request'. So you'll need to create a new Firewall rule, go to the Protocols and Ports tab, click Customize, and select all of them (or just the Redirect).
It's no solution for a long term connection fault. It seems the HOST is back to going to R1 and getting another ICMP Redirect within about 5 minutes. So it's more designed to avoid a HOST routing every packet via R1; instead it starts at R1 and then continues with R2 directly after that.
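The host-side behaviour Jon and Joe describe (the PC installing a redirected route for one destination, only trusting a redirect that passes its own checks, and falling back to the router after a few minutes) as an added Python model that is not part of the thread. The router address 172.16.8.1, the /24 mask, the 300-second lifetime and the destination 10.3.117.5 are assumptions; the sample redirect packet is constructed inline.

```python
import ipaddress
import struct
HOST_NET = ipaddress.ip_network("172.16.8.0/24")  # assumed: the PC's subnet mask
HOST_IP = ipaddress.ip_address("172.16.8.100")
ROUTER_IP = ipaddress.ip_address("172.16.8.1")  # assumed: the PC's default gateway
ASA_IP = ipaddress.ip_address("172.16.8.101")
DEST_IP = ipaddress.ip_address("10.3.117.5")    # assumed host on the ASA's outside
REDIRECT_TTL = 300  # seconds: roughly the 5 minutes observed in the thread

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when computed over a valid packet."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_redirect(icmp: bytes):
    """Return (new_gateway, original_dst) for a valid ICMP Host Redirect, else None."""
    if len(icmp) < 28 or icmp_checksum(icmp) != 0:
        return None
    itype, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != 5 or code != 1:  # type 5 = Redirect, code 1 = redirect for host
        return None
    return ipaddress.ip_address(gw), ipaddress.ip_address(icmp[24:28])

def next_hop(routes: dict, dst, now: float):
    # Gateway the host uses for dst; a redirect entry is dropped once it expires.
    entry = routes.get(dst)
    if entry and entry[1] > now:
        return entry[0]
    routes.pop(dst, None)
    return dst if dst in HOST_NET else ROUTER_IP

def handle_redirect(routes: dict, src_ip, icmp: bytes, now: float) -> bool:
    # Install a host route only if the redirect passes the usual acceptance checks:
    # sender is the gateway in use for dst, new gateway is on-link and not us.
    parsed = parse_redirect(icmp)
    if parsed is None:
        return False
    gw, dst = parsed
    if src_ip != next_hop(routes, dst, now) or gw not in HOST_NET or gw == HOST_IP:
        return False
    routes[dst] = (gw, now + REDIRECT_TTL)
    return True

# Constructed sample: the router telling the PC to reach DEST_IP via the ASA.
ORIG_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0, 64, 1, 0, HOST_IP.packed, DEST_IP.packed)
_msg = struct.pack("!BBH4s", 5, 1, 0, ASA_IP.packed) + ORIG_HEADER
SAMPLE_REDIRECT = _msg[:2] + struct.pack("!H", icmp_checksum(_msg)) + _msg[4:]
```

Feeding the same redirect from a source other than the gateway currently in use is rejected, which is the check that makes a blocked or ignored redirect the safe default on most hosts.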
11-09-2019 10:26 AM
Hi Joe
Bad wording on my behalf.
I should have said use the ASA as the gateway for that specific host because obviously the router may well have other interfaces and other routes not pointing to the ASA.
Jon
11-10-2019 09:19 AM
Hello. For a while I've been looking at your topology to realize the DG is the router,
but my question is: why?
If this is a sample lab, why is the ASA NOT your DG?
Your approach in translating the PC's IP to the outside IP is NAT,
but why are you pointing your gateway to the router?
Did you want to do something like a PROXY? As you wanted more of a security layer, which we have in WSA, and we also have this method from router to gateway .....
this topology