cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
453
Views
0
Helpful
3
Replies

Route redirecting

l.cantrell
Level 4
Level 4

I'm having an issue with an ASA 5505 not redirecting packets that enter it's inside interface to be redirected back out it's inside interface to a second network.

The way it's currently setup is that the ASA has it's inside interface at 192.168.2.1 it then connects to a Linksys switch which has workstations connecting to it. The workstations have their default gateway pointed to the .1 address. The Linksys however also connects to a Cisco 3550 which is part of a 172.25.0.0 network. I have carved out a port on the 3550 and given it an IP in the 192.168.2.0 address space. From here I added an OSPF route to 192.168.2.0 on the 3550 which is configured for routing. Then on the ASA I added a route for 172.25.0.0. From any workstation inside the 172.25.0.0 network I can ping the firewall at 192.168.2.1 but not any workstation. From the workstations on the 192.168.2.0 network I can ping the 192.168.2.52 address of the port on the Cisco 3550 but not the switch itself or anything in the 172.25.0.0 network. Any suggestions on how to make this work would be great thanks.

3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

Hi

What version of code is your ASA running. Prior to v7.2 it did not support hairpinning of unencrypted traffic which is the ability to route traffic back out the same interface it came in on. This sounds like your problem. I think your 192.168.2.x clients when pinging the 192.168.2.52 address on the 3550 are not going via the ASA but when they try to ping anything in 172.25.0.0 network they are.

Check version of ASA and if above v7.2 you need to enable hairpinning.

Another solution which would work is to move 192.168.2.1 to the 3550 and have that responsible for the routing. Then have a default-route on the 3550 pointing to the ASA. This is only a solution if you do not need/want to firewalll traffic between 192.168.2.x and 172.25.0.0 networks.

HTH

Jon

The version of code on the ASA is 7.2. I enabled hairpinning by using the global command same-security-traffic permit intra-interface . However, I am still have the same issue, is their another way to enable hairpinning that I am missing? Again thanks for the help.

If you moved 192.168.2.1 to the 3550, what would the IP of the interface on the ASA's inside interface become?

Review Cisco Networking for a $25 gift card