Beginner

Do all packets go through Router?

Hi,

 

We have a network like below:

[image: Capture.JPG]

A PC (172.16.8.100) and an ASA (172.16.8.101) sit on the same Cisco Switch. The PC wants to communicate with a device on the outside interface (10.3.117.0/24) of the ASA. As it's a different subnet, the PC sends the packet to the default gateway/router, which has a static route saying that to get to 10.3.117.0/24 it goes via 172.16.8.101.

 

So;

* Does EVERY packet go via the Router?

* If the Router gets disconnected/goes offline - is there no locally stored route table on the PC/Cisco Switch to manage this?

 

Thanks.

Accepted Solution
Hall of Fame Guru

Re: Do all packets go through Router?

Just to add to Leo's response.

Every packet from the PC to the outside device goes via the router, but the return packets don't; they go direct from the ASA to the device because they are in the same subnet.

This is called asymmetric traffic.

In addition, if you have ICMP redirects enabled on the router, you may find that the router informs the PC to use the ASA as the default gateway instead, because the router realises it is having to forward the traffic out of the same interface it received it on, which is not optimal in terms of routing.

Jon

Hall of Fame Community Legend

Re: Do all packets go through Router?

1. Yes.
2. No, because of routing.

Beginner

Re: Do all packets go through Router?


@Jon Marshall wrote:

Just to add to Leo's response.

Every packet from the PC to the outside device goes via the router, but the return packets don't; they go direct from the ASA to the device because they are in the same subnet.

This is called asymmetric traffic.

In addition, if you have ICMP redirects enabled on the router, you may find that the router informs the PC to use the ASA as the default gateway instead, because the router realises it is having to forward the traffic out of the same interface it received it on, which is not optimal in terms of routing.

Jon

This last bit is what I was hoping it would do. Seems like the smart thing to do. But does it? How can I check?

Hall of Fame Guru

Re: Do all packets go through Router?

Assuming they have not been disabled on the router, you can check the PC's routing table.

Be aware, though, that the PC may have a firewall blocking them, and it may not necessarily use the redirect even if it is not blocked.

A lot depends on the OS.

Jon

Beginner

Re: Do all packets go through Router?

Nice one.

Watching Wireshark while I perform a ping:

  1. The 1st packet gets sent to the MAC address of the gateway/router (R1).
  2. The router responds with an ICMP Redirect, informing the HOST to use the new gateway address (R2; the ASA).
  3. The 2nd packet is sent directly to the ASA (R2).

[image: Untitled.png]

The default firewall rule (Echo-Request - ICMPv4-In) only includes the ICMP code for 'Echo Request'. So you'll need to create a new firewall rule, go to the Protocols and Ports tab, click Customize, and select all of them (or just the Redirect).

It's no solution for a long-term connection fault. It seems the HOST is back to going to R1 and getting another ICMP Redirect within about 5 minutes. So it's more designed to avoid a HOST routing every packet via R1; instead it starts at R1 and then continues with R2 directly after that.

VIP Expert

Re: Do all packets go through Router?

"It seems the HOST is back to going to R1 and getting another ICMP Redirect within about 5 minutes."

Yea, timeouts are common for such, to ensure you don't keep using information that's stale. This is similar to ARPing for the IP's MAC. It too will age out (when not being actively used).

In the case of the redirect, consider the router had another, "better", path that didn't hairpin back onto the host network. It was sending your traffic using that path, but the path goes down, i.e. the ASA path is "backup". Your host gets redirected, but then the primary path comes back on-line.

Your host might have an option somewhere to determine how long to "hold" the redirect information.
VIP Expert

Re: Do all packets go through Router?

"In addition if you have icmp redirects enabled on the router you may find that the router informs the PC to use the ASA as the default gateway . . ."

Jon, I don't recall an ICMP redirect passing the default route or indicating any change to the host's default gateway. Are you sure on that?

I believe it will always pass back the destination IP. If so, the sending host will fill its local route table with a set of host routes, each destination, via the ASA, using the ASA as the next hop. (Much like a Cisco router with a default route to just an egress interface.) For a typical host, this shouldn't be a problem, but if the host were something like a busy "public" web server, it might be a problem. (Just as it sometimes is on Internet facing Cisco routers, configured as just noted.)
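To make Joe's point concrete (a redirect adds a host route for the redirected destination, leaving the default gateway alone) and to show the checks a host should apply before trusting one, here is an added Python sketch of host-side ICMP redirect handling. It is not code from the thread or from any vendor; the packet is constructed for the test, the route table is a plain dict, and the sanity checks follow RFC 1122 section 3.2.2.2 (the redirect must come from the first-hop gateway currently in use, and the new gateway must be on the directly connected network).

```python
import ipaddress
import struct
ICMP_REDIRECT = 5  # ICMPv4 type; code 1 = "redirect datagrams for the host" (RFC 792)

def icmp_checksum(data: bytes) -> int:
    """Ones'-complement sum used by ICMP; a packet with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_redirect(gateway: str, orig_src: str, orig_dst: str) -> bytes:
    """Constructed test packet: header, new gateway, original IPv4 header + 8 payload bytes."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(orig_src).packed,
                         ipaddress.IPv4Address(orig_dst).packed)
    body = ipaddress.IPv4Address(gateway).packed + ip_hdr + b"\x08\x00\x00\x00\x00\x01\x00\x01"
    csum = icmp_checksum(struct.pack("!BBH", ICMP_REDIRECT, 1, 0) + body)
    return struct.pack("!BBH", ICMP_REDIRECT, 1, csum) + body

def parse_redirect(pkt: bytes):
    """Return (code, new_gateway, original_destination) or None if not a valid redirect."""
    if len(pkt) < 28 or icmp_checksum(pkt) != 0:
        return None
    icmp_type, code, _ = struct.unpack("!BBH", pkt[:4])
    if icmp_type != ICMP_REDIRECT:
        return None
    new_gw = str(ipaddress.IPv4Address(pkt[4:8]))
    orig_dst = str(ipaddress.IPv4Address(pkt[24:28]))  # dst field of the embedded IP header
    return code, new_gw, orig_dst

def next_hop(route_table: dict, dst: str) -> str:
    return route_table.get(dst, route_table["default"])  # host route wins, else default

def apply_redirect(route_table: dict, pkt: bytes, sender: str, local_net: str) -> bool:
    """Host-side handling with the RFC 1122 3.2.2.2 sanity checks; returns True if a
    host route was installed. The default gateway entry is never modified."""
    parsed = parse_redirect(pkt)
    if parsed is None:
        return False
    _code, new_gw, orig_dst = parsed
    if sender != next_hop(route_table, orig_dst):
        return False  # did not come from the gateway we are actually using: drop it
    if ipaddress.IPv4Address(new_gw) not in ipaddress.IPv4Network(local_net):
        return False  # new gateway must be on the directly connected network
    route_table[orig_dst] = new_gw  # one host route per redirected destination
    return True
```

A real stack also ages these host routes out, which is the behaviour seen in the Wireshark post above where the host returns to R1 after a few minutes.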
Hall of Fame Guru

Re: Do all packets go through Router?

Hi Joe,

Bad wording on my behalf.

I should have said use the ASA as the gateway for that specific host, because obviously the router may well have other interfaces and other routes not pointing to the ASA.

Jon

Beginner

Re: Do all packets go through Router?

Hello, I've looked at your topology for a while and realised the DG is the router.

But my question is: why?

If this is a sample lab, why is the ASA NOT your DG?

Your approach in translating the PC's IP to the outside IP is NAT,

but why are you pointing your gateway to the router?

Did you want to do something like a PROXY, as you wanted more of a security layer, which we have in WSA, and we also have this method from router to gateway .....

this topology
