ASA 5505, Static routing issue.

AndrewShadid
Level 1

Hello all,

I have an ASA 5505 that I just recently setup. It is functioning correctly in all regards except one:

I have a static route inside 192.168.2.0 255.255.255.0 192.168.1.3 1 that allows me to ping anything in the 192.168.2.0 network but am unable to pass any IP traffic.

The inside IP address of the ASA is 192.168.1.1 and the route gateway 192.168.1.3 is simply another router with a P2P connected to 192.168.2.0

When I add the route to a workstation routing table everything works fine. It appears the ASA is blocking something.

Any thoughts?

Thanks

Andrew

22 Replies

I'll try to lab this up at lunch and see what I can come up with...

HTH,
John

*** Please rate all useful posts ***


Mike Williams
Level 5

I believe you are facing an asymmetric routing issue, which the ASA doesn't support by default. The return traffic from the 192.168.2 network will not hit the firewall, so it thinks the connection is incomplete and blocks further packets from that session. This is due to stateful packet inspection. Here is an example for performing the stateful bypass:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html


Hi Andrew,

I guess the ASA NAT rules are taking precedence over your routing. Can you do a packet-tracer from the ASA?

Ex: packet-tracer input inside tcp 192.168.1.10 80 192.168.2.20 80

Thx

MS

MBNY1ASA1# packet-tracer input inside tcp 192.168.1.10 80 192.168.2.10 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.2.0     255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 286357, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Looks like the NAT (IPsec-related) configs are kicking in for the traffic.

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Can you temporarily disable NAT (and static NAT) and try to access it (leaving the static route)? If this is a production environment, make sure you have a maintenance window.

Thx

MS

Andrew,

Mike is 100% correct in the asymmetrical routing comment. I had the same problem as you, and this is how I fixed it.

I did all of this in GNS, so I'm hoping this will resolve your issue:

access-list bypass extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list bypass extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

class-map bypass
 match access-list bypass
class-map default
 match default-inspection-traffic

policy-map ServicePolicy
 class default
  inspect http
 class bypass
  set connection advanced-options tcp-state-bypass

service-policy ServicePolicy global

HTH,
John

*** Please rate all useful posts ***

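The asymmetric-routing behaviour Mike describes and the effect of John's tcp-state-bypass class, as a small added Python model that is not from this thread or from Cisco: the firewall tracks the three-way handshake, the SYN-ACK that returns via 192.168.1.3 straight to the host never reaches it, and the host's next segment is dropped unless the flow matches the bypass class. The StatefulFirewall class, its state names and the segment tuples are constructed for illustration; the addresses are the ones used in the thread.

```python
from dataclasses import dataclass, field

INSIDE_HOST, REMOTE_HOST = "192.168.1.10", "192.168.2.10"  # addresses from the thread

def net24(ip):
    """/24 prefix of a dotted-quad, e.g. '192.168.1.10' -> '192.168.1'."""
    return ip.rsplit(".", 1)[0]

@dataclass
class StatefulFirewall:
    # (src /24, dst /24) pairs matched by the bypass ACL (constructed, not ASA syntax)
    bypass_pairs: frozenset = frozenset()
    flows: dict = field(default_factory=dict)

    def forward(self, src, dst, flags):
        """Verdict for one TCP segment that actually traverses the firewall."""
        nets = (net24(src), net24(dst))
        if nets in self.bypass_pairs or nets[::-1] in self.bypass_pairs:
            # tcp-state-bypass: no handshake or sequence checks for this class,
            # which is why the bypass ACL should be scoped to these two /24s only
            return "allow"
        key = frozenset((src, dst))
        state = self.flows.get(key)
        if state is None:
            if flags == "SYN":
                self.flows[key] = "syn_sent"
                return "allow"
            return "drop"          # non-SYN segment with no flow
        if state == "syn_sent":
            if flags == "SYN-ACK":
                self.flows[key] = "established"
                return "allow"
            return "drop"          # handshake never completed through this device
        return "allow"             # established flow

def simulate(segments, bypass=False):
    """Return the firewall's verdict for each segment, in order."""
    pairs = frozenset({("192.168.1", "192.168.2")}) if bypass else frozenset()
    fw = StatefulFirewall(bypass_pairs=pairs)
    return [fw.forward(*seg) for seg in segments]

# Symmetric path: every segment of the handshake passes through the firewall.
SYMMETRIC = [(INSIDE_HOST, REMOTE_HOST, "SYN"), (REMOTE_HOST, INSIDE_HOST, "SYN-ACK"),
             (INSIDE_HOST, REMOTE_HOST, "ACK")]
# Asymmetric path (the thread's topology): the SYN-ACK returns via 192.168.1.3
# directly to the host, so the firewall only ever sees the outbound segments.
ASYMMETRIC = [(INSIDE_HOST, REMOTE_HOST, "SYN"), (INSIDE_HOST, REMOTE_HOST, "ACK")]

if __name__ == "__main__":
    print(simulate(SYMMETRIC), simulate(ASYMMETRIC), simulate(ASYMMETRIC, bypass=True))
```

The same model explains why ping kept working for Andrew: ICMP is not subject to these TCP handshake checks, so only TCP sessions appeared "blocked".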

IIRC you also need to explicitly disable NAT when doing state bypass.

Try adding John's config and the following NAT line:

nat (inside,inside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mbny2 mbny2

You may have to apply this to the inside interface instead of global:

class-map bypass
 match access-list bypass

policy-map inside_policy
 class bypass
  set connection advanced-options tcp-state-bypass

service-policy inside_policy interface inside

Additionally, a simpler solution would be to set up the router at 1.3 as the default gateway; then you won't have to worry about asymmetric routing for your internal network. All traffic through the ASA at that point would return through the ASA.

Regards,

Mike

jawad-mukhtar
Level 4

Something is confusing. What IPs are you using for the P2P on Router A (WAN IP) and the other Router B (WAN IP)? 2600 series router?

Jawad