11-30-2012 04:45 AM - edited 03-07-2019 10:20 AM
Hi,
I've configured an ASA 5510 firewall with the asa901-k8 IOS. On its "inside" port there is the 10.90.0.0 network. There is another network (10.190.0.0) in my system that can be reached via another router, which has the IP address 10.90.0.253. When a client in the 10.90 network wants to reach the 10.190 network, the firewall redirects the request to the router (10.90.0.253) because the firewall is my gateway. There is no problem so far... but... while I can ping and traceroute a 10.190... user from the 10.90... network, I can't use any non-ICMP applications. For example, I can't use RDP programs or the HTTP web interfaces of some devices on the remote network (10.190.0.0). What can cause that? Is there any rule in the ASA that blocks these protocols?
Thanks...
12-01-2012 03:44 PM
Try to RDP with the IP address and not by DNS, and do the same with the web. If you are doing it by DNS, then it's a domain issue.
12-01-2012 07:33 PM
Hi,
Is there any ACL on the router interfaces that may be blocking? Does everything work on the local network? Post the config of your router here; we can help much better.
Sent from Cisco Technical Support iPhone App
12-02-2012 06:13 PM
From my understanding, when a client in the 10.90 network wants to reach the 10.190 network, the traffic flow will be:
10.90 client (possibly TCP SYN) -> firewall -> router -> 10.190 client.
But the 10.190 client will return traffic in this direction:
10.190 client (possibly TCP SYN ACK) -> router -> 10.90 client.
At this point, the firewall sees an asymmetric TCP connection, and the firewall tries to protect the network by denying further traffic (denying the TCP ACK).
Here is a link to help you understand ASA asymmetric routing protection:
https://supportforums.cisco.com/docs/DOC-14491
To temporarily work around this until the asymmetry can be fixed, enable TCP State Bypass:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
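As an added illustration of the workaround described in the reply above (this is example configuration written for this thread, not something the poster or Cisco supplied), here is what a narrowly scoped TCP State Bypass policy on the ASA looks like, together with the checks a practitioner would run before and after applying it. The /16 masks, the interface name "inside", and the object names are assumptions; adjust them to the real addressing.

```cisco
! Added example (not from the thread): TCP State Bypass on the ASA for the
! hairpinned 10.90 -> 10.190 flows. /16 masks, the interface name "inside"
! and the names TCP_BYPASS / TCP_BYPASS_POLICY are assumptions.
!
! 1. Sanity check. The client traffic enters "inside" and leaves "inside"
!    again toward 10.90.0.253, so this must already be present (ping would
!    not get through the hairpin without it).
same-security-traffic permit intra-interface
!
! 2. Before changing anything, confirm the symptom is the stateful TCP check.
!    Start a capture, attempt RDP from a client, then inspect it and the
!    accelerated-security-path drop counters.
capture ASYM interface inside match tcp 10.90.0.0 255.255.0.0 10.190.0.0 255.255.0.0
!    clear asp drop          (zero the counters so the increase is obvious)
!    show capture ASYM       (expect client SYNs; the SYN/ACK never appears)
!    show asp drop           (the TCP state / "not SYN" drop reasons climb)
no capture ASYM
!
! 3. Scope the bypass to exactly the asymmetric flows: TCP from the user
!    LAN to the network behind 10.90.0.253, nothing else.
access-list TCP_BYPASS extended permit tcp 10.90.0.0 255.255.0.0 10.190.0.0 255.255.0.0
!
class-map TCP_BYPASS
 match access-list TCP_BYPASS
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS
  set connection advanced-options tcp-state-bypass
!
! 4. Apply on the interface where the client's packets arrive.
service-policy TCP_BYPASS_POLICY interface inside
!
! 5. Verify the class is matching and that RDP / HTTP now complete.
!    show service-policy interface inside
!    show conn address 10.190.0.0 netmask 255.255.0.0
```

Two caveats. First, an interface can carry only one service policy: if "inside" already has a policy-map applied, add the `TCP_BYPASS` class to that existing policy-map instead of creating a second one, or the new `service-policy` command will replace the old one. Second, flows matched by the bypass class skip the ASA's TCP normalization, application inspection, TCP intercept and sequence-number randomization, which is why the ACL is kept as tight as possible and why this should be treated as a stopgap until the asymmetry itself is removed, for example by attaching the 10.190 router to its own ASA interface so both directions of the flow cross the firewall.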
12-02-2012 10:41 PM
Please remember that this is a bad design. A user VLAN should have only one gateway. You could place the router in another firewall zone.