Scenario:
Internet-->ASA(192.168.1.1)----(192.168.1.0/24)---->(192.168.1.254)Router---->172.16.10.0/24
Requirement:
The 192.168.1.0/24 network needs to talk to the 172.16.10.0/24 network; the default gateway of the machines on 192.168.1.0/24 is the inside interface of the ASA (192.168.1.1).
By default the ASA won't allow traffic to leave the same interface on which it entered. So when 192.168.1.0/24 machines try to reach the 172.16.10.0/24 subnet, here is how the communication happens:
- 192.168.1.10 (any machine on the 192.168.1.0/24 network with its gateway set to 192.168.1.1) opens a TCP connection to 172.16.10.10 (a machine on the 172.16.10.0/24 subnet). The initial SYN packet of the TCP three-way handshake goes through the ASA, which has a route to 172.16.10.0/24 pointing to 192.168.1.254.
- By default the ASA won't allow this U-turn. The following command overrides this behavior:
same-security-traffic permit intra-interface
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1421315
- Because of the above command the ASA forwards the SYN packet to 192.168.1.254, which in turn forwards it to the actual destination 172.16.10.10.
- 172.16.10.10 responds with a SYN,ACK destined to 192.168.1.10. This packet arrives at the router, and since 192.168.1.0/24 is directly connected to it, instead of sending the packet to the ASA the router sends an ARP request for 192.168.1.10 and delivers the packet directly to the machine (assuming proxy ARP on inside is disabled).
- 192.168.1.10 sends the ACK (third packet of the TCP three-way handshake), again through the ASA, but since the ASA hasn't seen the SYN,ACK for this connection it drops the packet and the communication fails.
Configuration
Here are the commands that we can add on ASA to accomplish this:
Pre 8.2:
Configuring NAT for both subnets:
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface
static (inside,inside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0 norandomseq nailed
Adding the nailed option to the static command causes TCP state tracking and sequence checking to be skipped for the connection (norandomseq additionally disables TCP sequence number randomization). More info can be found here:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1512466
same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1
Info on sysopt noproxyarp and failover timeout command:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1931598
8.2 onwards:
Configuring NAT for both subnets (without nailed option):
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface
static (inside,inside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0
same-security-traffic permit intra-interface
sysopt noproxyarp inside
Configuring TCP-STATE-BYPASS on the ASA: the norandomseq nailed option of the static command is deprecated, and from 8.2 onwards the TCP state bypass feature accomplishes the same thing. With the configuration below the "failover timeout" command is no longer needed either.
NOTE: Match only the traffic that actually requires it. For flows matching this class the ASA checks only the interface ACL; all other security checks are disabled for that traffic.
access-list TCP-STATE-BYPASS permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
class-map TCP-STATE-BYPASS
 match access-list TCP-STATE-BYPASS
policy-map inside_policy
 class TCP-STATE-BYPASS
  set connection advanced-options tcp-state-bypass
service-policy inside_policy interface inside
With the configuration above the ASA allows asymmetric routing for this flow.
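To make the handshake walkthrough above and the effect of tcp-state-bypass concrete, here is a small Python model of a stateful firewall on the asymmetric path. It is an added example, not Cisco code and not part of the original note: the class names, the "PERMIT"/"DROP" verdict strings and the packet sequences are constructed for illustration. It feeds the firewall only the packets that actually cross the ASA in the scenario (SYN, ACK, data, but not the SYN,ACK that the router hands straight to the host) and shows the ACK being dropped by TCP state tracking, then permitted once the class is in bypass mode where only the ACL is consulted.

```python
"""Toy model of TCP state tracking on an asymmetric path (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Subnets from the scenario; the ACL mirrors the TCP-STATE-BYPASS access-list.
INSIDE = ipaddress.ip_network("192.168.1.0/24")
REMOTE = ipaddress.ip_network("172.16.10.0/24")
CLIENT = "192.168.1.10"   # host behind the ASA inside interface
SERVER = "172.16.10.10"   # host behind the 192.168.1.254 router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK", "ACK" or "DATA"


def interface_acl(pkt: Packet) -> bool:
    """Permit ip 192.168.1.0/24 <-> 172.16.10.0/24, in either direction."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (s in INSIDE and d in REMOTE) or (s in REMOTE and d in INSIDE)


class StatefulFirewall:
    """Tracks the TCP three-way handshake per connection.

    With tcp_state_bypass=True only the interface ACL is checked, which is
    what 'set connection advanced-options tcp-state-bypass' does on the ASA.
    """

    def __init__(self, tcp_state_bypass: bool = False):
        self.bypass = tcp_state_bypass
        self.state = {}  # (client, server) -> SYN_SENT | SYN_RCVD | ESTABLISHED

    def process(self, pkt: Packet) -> str:
        if not interface_acl(pkt):
            return "DROP: acl"
        if self.bypass:
            return "PERMIT: tcp-state-bypass"
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.state[fwd] = "SYN_SENT"
            return "PERMIT: new connection"
        if pkt.flags == "SYN-ACK":
            if self.state.get(rev) == "SYN_SENT":
                self.state[rev] = "SYN_RCVD"
                return "PERMIT: syn-ack"
            return "DROP: syn-ack without syn"
        # ACK or DATA: look the connection up in either direction.
        conn = fwd if fwd in self.state else rev
        st = self.state.get(conn)
        if st == "SYN_RCVD":
            self.state[conn] = "ESTABLISHED"
            return "PERMIT: handshake complete"
        if st == "ESTABLISHED":
            return "PERMIT: established"
        if st == "SYN_SENT":
            # The ASA never saw the SYN,ACK, so the handshake is incomplete.
            return "DROP: ack without syn-ack"
        return "DROP: no connection"


def asa_sees(packets, tcp_state_bypass: bool = False):
    """Verdicts for the packets that traverse the ASA, in order."""
    fw = StatefulFirewall(tcp_state_bypass=tcp_state_bypass)
    return [fw.process(p) for p in packets]


# Normal (symmetric) path: every handshake packet crosses the firewall.
SYMMETRIC_PATH = [
    Packet(CLIENT, SERVER, "SYN"),
    Packet(SERVER, CLIENT, "SYN-ACK"),
    Packet(CLIENT, SERVER, "ACK"),
    Packet(CLIENT, SERVER, "DATA"),
]

# Scenario path: the router delivers the SYN,ACK directly to the client,
# so the ASA sees only the client's half of the conversation.
ASYMMETRIC_PATH = [
    Packet(CLIENT, SERVER, "SYN"),
    Packet(CLIENT, SERVER, "ACK"),
    Packet(CLIENT, SERVER, "DATA"),
]

if __name__ == "__main__":
    for label, path, bypass in [
        ("symmetric, state tracking", SYMMETRIC_PATH, False),
        ("asymmetric, state tracking", ASYMMETRIC_PATH, False),
        ("asymmetric, tcp-state-bypass", ASYMMETRIC_PATH, True),
    ]:
        print(label)
        for pkt, verdict in zip(path, asa_sees(path, bypass)):
            print(f"  {pkt.flags:8} {pkt.src} -> {pkt.dst}: {verdict}")
```

Running the script prints the asymmetric case dropping the ACK and every following data packet, which is the failure described in the walkthrough; on a real ASA the same drops show up as counters in show asp drop. The bypass run permits everything that the ACL allows, which is why the note above says to keep the TCP-STATE-BYPASS access-list as narrow as possible: nothing else is checked for those flows.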
- Sourav Kakkar