This document describes scenarios in which a user faces basic problems with ASA OS 9.1.
The user has an ASA as the default gateway in a DMZ and needs it to act as a router, redirecting traffic back out of the same interface to another gateway (which is also an ASA). The user expected it to send an ICMP redirect but, as far as he can tell, it does not.
The user has enabled "traffic between two or more interfaces with the same security level" and "traffic between two or more hosts connected to the same interface", which must be the case here.
Default gateway (ASA1) = 192.168.1.1; second gateway (ASA2) = 192.168.1.254
When he runs a trace from a client at 192.168.1.22 to a network behind ASA2, he does not see an ICMP redirect. The result is that, for example, ping works fine, but the TCP session he needs to establish is never set up. The user would really prefer to avoid a router in front, and he also does not want to disable the TCP state handling through MPF.
An ICMP redirect will not be sent by the ASA.
For the U-turn of traffic from your default gateway ASA1, you might have to disable the TCP state check to get this traffic working in the current setup.
ASAs running 8.3 and higher have nat-control turned off, and thus no specific NAT rules are required to get hairpinning/U-turning to work. There is one exception to this, though:
If NAT rules such as the one below are present, then specific NAT rules are required on the ASA to allow the U-turn to occur.
object network obj-all-network
 subnet 0.0.0.0 0.0.0.0
 nat (inside,any) dynamic <ip address>
In the NAT statement above, the 'any' keyword causes the U-turned traffic to fail the reverse-path check (RPF-Drop). To avoid this, one can issue a NAT statement
where obj-192.168.1.0 and obj-192.168.2.0 are the network objects that contain the subnets 192.168.1.0/24 and 192.168.2.0/24 respectively.
This NAT rule is more specific and instructs the ASA as follows:
When a packet sourced from 192.168.1.0/24 and destined to 192.168.2.0/24 reaches the inside interface of the ASA, statically NAT the source IP of the packet from 192.168.1.X to 192.168.1.X and statically NAT the destination IP of the packet from 192.168.2.X to 192.168.2.X. This rule also applies to the return traffic from 192.168.2.X to 192.168.1.X, i.e. it is a bidirectional NAT rule. With the above configuration in place, the ASA will permit traffic to be hairpinned/U-turned off its interface.
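The NAT statement the text refers to is not reproduced on the page. The following is an added example, not the original post's configuration, reconstructed from the description above: the problematic rule beside a more specific identity twice-NAT rule on the inside interface. It assumes the interface nameif is `inside`, the object names given in the text, and a placeholder `<ip address>` for the dynamic PAT address.

```cisco
! Added example (not from the original post): identity twice NAT that lets
! 192.168.1.0/24 <-> 192.168.2.0/24 traffic U-turn on the inside interface.
!
! Prerequisite: allow traffic to enter and leave the same interface.
same-security-traffic permit intra-interface
!
! --- The rule that breaks the U-turn ---
! With 'any' as the mapped interface, the hairpinned flow matches this rule
! in the reverse direction and fails the reverse-path (RPF) check.
object network obj-all-network
 subnet 0.0.0.0 0.0.0.0
 nat (inside,any) dynamic <ip address>
!
! --- Objects for the two subnets (names as used in the text) ---
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
!
! --- The more specific rule that allows the U-turn ---
! Manual (twice) NAT is evaluated before object NAT, so this rule is matched
! first. Source and destination are each translated to themselves (identity
! NAT), and the rule applies in both directions.
nat (inside,inside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0
```

After applying it, `packet-tracer input inside tcp 192.168.1.22 1234 192.168.2.10 80` (constructed addresses) should show the NAT phase matching the twice-NAT rule rather than an rpf-violated drop.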
The user recently purchased a new Cisco ASA 5515 running version 9.1 with ASDM 7.1. He was able to configure the firewall for internal access to the outside and has remote site-to-site VPN tunnels working. However, when he tries to configure static PAT and an ACL for access to a web server and an SSH server, incoming traffic is dropped by an implicit rule. Both hosts are on the inside interface, as he was not able to put them in a DMZ at the time. The hit counts stay at zero on his ACL and there are no NAT translations. He has attached a running config as well as the output of sh access-list and sh nat.
According to your present config, traffic will be dropped; you need to modify the NAT config as shown below:
no nat (Inside,Outside) source dynamic any interface
nat (Inside,Outside) after-auto source dynamic any interface
Outside IP x.x.x.x = 18.104.22.168
SEC(config)# packet-tracer input outside tcp 22.214.171.124 5656 126.96.36.199 443 det
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
SEC(config)# packet-tracer input outside tcp 188.8.131.52 5656 184.108.40.206 443 det