This document describes scenarios where user is facing basic problems with OS 9.1
User have an ASA as default gateway in a DMZ and need let it act as router - redirecting back out of the same interface to another gw (which also is a ASA). User expected it to send an icmp redirect but as far as he can't see it.
User have defined "enabled traffic between two or mores interfaces with same sec level" and "enabled traffic between two or more hosts connected to the same interface" which must be the case here.
def gw (ASA1) = 192.168.1.1 second gw (ASA2) = 192.168.1.254
when he run trace on a client on 192.168.1.22 which is going to a nework behind ASA2 he don't find ICMP redirect - which gives him the problem that for eg. ping works fine but the tcp session he need to establish is not established. User would really prefer to avoid a router in front - and also he don't want to disable the tcp state handling trough MPF.
ICMP redirect would not be sent by the ASA device.
For U Turn of the Traffic from your Default GW ASA 1 , you might have to disable the TCP state check to get this traffic working in the current setup.
ASA's running 8.3 and higher have nat-control turned off and thus, no specific NATs are required to get the hairpinning/u-turning to work. There is one exception to this though:
If NAT rules such as the one below are present, then we would require some specific NAT'ing to be done on the ASA to allow the u-turning to occur.
object network obj-all-network
subnet 0.0.0.0 0.0.0.0.0
nat (inside,any) dynamic <ip address>
In the NAT statement above, the 'any' keyword will cause an issue due to which the u-turned traffic will fail the reverse-path check (RPF-Drop). To avoid this, one can issue a NAT statement
where obj-192.168.1.0 and obj-192.168.2.0 are the network objects that contain the subnets 192.168.1.0/24 and 192.168.2.0/24 respectively.
This NAT rule is more specific and instructs the ASA as follows:
When a packet sourced from 192.168.1.0/24 and destined to 192.168.2.0/24 reaches the inside interface of the ASA, then statically NAT the source ip of the packet from 192.168.1.X to 192.168.1.X and statically NAT the destination ip of the packet from 192.168.2.X to 192.168.2.X. This rule can be used for the return traffic from 192.168.2.X to 192.168.1.X as well i.e. it is a bi-directional NAT rule. With the above configurations in place, the ASA will permit traffic to be hairpinned/u-turned off its interface.
User recently purchased a new Cisco ASA 5515 running version 9.1 with ASDM 7.1. He was able to configure the firewall for internal access to the outside, and have remote site-to-site VPN tunnels working. However, when he try to configure static PAT and ACL for access to Web Server and SSH server, incoming traffic is being dropped by an implicit rule. Both hosts are on inside interface as he wasn't able to put them in a DMZ at that time. The hit counts stay at zero on his acl and no nat translations. He has attached a running config as well as sh access-list and sh nat.
According to your present config traffic will be dropped, you need to modify NAT config as shown below:
no nat (Inside,Outside) source dynamic any interface nat (Inside,Outside) after-auto source dynamic any interface
outside IP x.x.x.x = 22.214.171.124 SEC(config)# packet-tracer input outside tcp 126.96.36.199 5656 188.8.131.52 443 det
Result: input-interface: Outside input-status: up input-line-status: up output-interface: NP Identity Ifc output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
SEC(config)# packet-tracer input outside tcp 184.108.40.206 5656 220.127.116.11 443 det
I have been struggling to establish route based IPSEC VPN on Cisco ASA. I have a requirement to establish route based vpn but towards a dynamic peer. I have followed all steps correctly and was able to bring up the tunnel with static pe...
Hi, We have a small office, about 20 clients on LAN.I need to allow outbound (internet) traffic from:Some (Group A / Guest PCs) clients to few websites / IP addresses only.Some (Group B) clients to all outbound traffic (unrestricted access to interne...
We have three AnyConnect Profiles (3 of Tunnel Groups - i.e A, B, C). A and B AnyConnect Tunnel Group are tied to backend RADIUS servers for authentication. I just followed below AnyConnect doc with MFA. Now Azure MFA works fine for Tunnel Group C (SAML) ...
Hi, I have installed Cisco AnyConnect Secure Mobility Client 4.10.00093 on macOS Monterey 12.4. I still getting error - No valid certificates available for authentication. I have uploaded my client certificate to login and system keychain. Is th...
I have a Cisco Asa 5506 and two interfaces ethernet, the domain https://xxxx.com.br is opening with the ip 186.xxx of the first interface, i i need it to open with the ip 177.xxx of the second interface. I have acl and nat created for domain.