07-22-2009 06:35 AM - edited 03-06-2019 06:53 AM
i have an odd problem with routing traffic between two ASAs in two different locations. i have two locations with a site-to-site T1 in between. in both locations i have ASA5510s and on both ASAs i have the following interfaces:
outside -> external interface
inside -> LAN
ptp -> interface for site-to-site T1
location A has LAN with subnet 192.168.0.0 /24 and location B has LAN with subnet 10.10.20.0 /24. i'm at location A and i can reach every host at location B. also hosts from location B can reach hosts at location A so i know the routing is working. however at location A i have a host 192.168.0.19 that needs to talk to host 10.10.20.19 at location B on UDP port 50795 and that traffic never gets across. there are no access lists that would block the traffic. the really odd part is that i can capture packets on the inside interface that match the criteria and see that host 192.168.0.19 is sending packets to 10.10.20.19, but when i try and capture packets on the ptp interface i see nothing BUT (!!!) if i try and capture packets on the outside interface i see them!!!
here is my access list that i use to capture traffic:
access-list cap2 line 1 extended permit udp any host 192.168.0.19 eq 50795
access-list cap2 line 2 extended permit udp host 192.168.0.19 eq 50795 any
here is my capture on inside interface (location A):
capture cap2 type raw-data access-list cap2 interface inside real-time
1: 00:57:34.929822 192.168.0.19.50795 > 10.10.20.19.50795: udp 15
2: 00:57:44.929990 192.168.0.19.50795 > 10.10.20.19.50795: udp 15
3: 00:57:54.929868 192.168.0.19.50795 > 10.10.20.19.50795: udp 15
here is my capture on outside interface (location A):
capture cap3 type raw-data access-list cap3 interface outside real-time
1: 00:57:14.929395 192.168.0.19.50795 > 10.10.20.19.50795: udp 15
2: 00:57:24.929502 192.168.0.19.50795 > 10.10.20.19.50795: udp 15
3: 00:57:34.929853 192.168.0.19.50795 > 10.10.20.19.50795: udp 15
the exact same thing is happening at location B. i can see the capture on the inside interface and verify that host 10.10.20.19 is sending packets to host 192.168.0.19 on port 50795 but i don't capture any of these packets on the ptp interface - instead i capture them on the outside interface! both hosts 192.168.0.19 and 10.10.20.19 are Avaya phone systems so i cannot try sending other types of traffic between the two hosts, but i can see that there is a lot of UDP traffic between 192.168.0.19 and 10.10.20.18 (which is a voicemail server) so i know that 192.168.0.19 can reach location B but for some reason traffic to 10.10.20.19 is sent to the outside interface.
any help, suggestions or comments are welcome as i have been working on this for the last two days and i can't get my head around this.
thanks.
07-22-2009 08:43 AM
Can you post your route statements and routing table?
sh run route
sh route
*Edit* - Can you also post your static nat statements?
sh run static
HTH,
John
07-22-2009 09:32 AM
here is the info:
location A:
# sh route
O 10.1.3.0 255.255.255.252 [110/75] via 10.1.1.2, 28:02:43, ptp
O 10.1.2.0 255.255.255.252 [110/74] via 10.1.1.2, 28:02:43, ptp
C 10.1.1.0 255.255.255.252 is directly connected, ptp
O 10.10.20.0 255.255.255.0 [110/85] via 10.1.1.2, 28:02:43, ptp
C 192.168.0.0 255.255.255.0 is directly connected, inside
C
S* 0.0.0.0 0.0.0.0 [1/0] via
# sh run route
route outside 0.0.0.0 0.0.0.0
# sh run static
location B:
# sh route
C 10.1.3.0 255.255.255.252 is directly connected, ptp
O 10.1.2.0 255.255.255.252 [110/74] via 10.1.3.1, 28:03:28, ptp
O 10.1.1.0 255.255.255.252 [110/75] via 10.1.3.1, 28:03:28, ptp
C 10.10.20.0 255.255.255.0 is directly connected, inside
O 192.168.0.0 255.255.255.0 [110/85] via 10.1.3.1, 28:03:29, ptp
C
S* 0.0.0.0 0.0.0.0 [1/0] via
# sh run route
route outside 0.0.0.0 0.0.0.0
# sh run static
thanks.
07-22-2009 09:47 AM
I don't see anything "wrong" with your routing table. I'm assuming that you don't have any static nat statements in place.
You can try to put a host route for that host:
On Router A:
route ptp 10.10.20.19 255.255.255.255
On Router B:
route ptp 192.168.0.19 255.255.255.255
Is there a device between the two ASAs? What's at 10.1.1.2 and 10.1.3.1?
HTH,
John
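As an added check that is not part of the thread, the script below parses the `sh route` output the original poster quoted for location A and does a longest-prefix lookup, so you can see which egress interface the routing table itself would choose for a destination (and what a /32 host route like the one suggested above would change). The default route's next hop was redacted in the post, so 203.0.113.1 is a placeholder; the line format the regex expects is an assumption based on the lines quoted above.

```python
# Added example (not from the thread): parse ASA `sh route` lines and do a
# longest-prefix lookup to see which interface the table picks for a host.
# If the table says "ptp" but a capture shows the packets on "outside", the
# routing table is not the explanation and the next place to look is the
# existing connection/xlate state rather than the routes.
import ipaddress
import re

# Constructed from the location A table quoted in the thread. The default
# route's next hop was redacted in the post; 203.0.113.1 is a placeholder.
SH_ROUTE_A = """
O 10.1.3.0 255.255.255.252 [110/75] via 10.1.1.2, 28:02:43, ptp
O 10.1.2.0 255.255.255.252 [110/74] via 10.1.1.2, 28:02:43, ptp
C 10.1.1.0 255.255.255.252 is directly connected, ptp
O 10.10.20.0 255.255.255.0 [110/85] via 10.1.1.2, 28:02:43, ptp
C 192.168.0.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

# Assumed line shape: <code> <network> <mask> ... , <interface>
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r".*?,\s*(?P<iface>\S+)\s*$"
)

def parse_sh_route(text):
    """Return (network, interface, route code) tuples from `sh route` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blank lines and partial/redacted entries are skipped
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        routes.append((net, m["iface"], m["code"]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific network containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, code in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, code)
    return best

def egress_interface(text, dst):
    """Interface the parsed table would send dst out of, or None if no match."""
    hit = lookup(parse_sh_route(text), dst)
    return hit[1] if hit else None

if __name__ == "__main__":
    for host in ("10.10.20.18", "10.10.20.19", "8.8.8.8"):
        print(host, "->", egress_interface(SH_ROUTE_A, host))
```

Run against the posted table, both 10.10.20.18 and 10.10.20.19 resolve to ptp via the /24, so packets for .19 showing up on outside point to something other than route selection.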
07-22-2009 10:16 AM
there are two routers in between the two ASAs used to "terminate" the site-to-site T1s on each end. but there is nothing on those routers that would prevent traffic from going across. there are no static routes and no access-lists. and since all of my routing is done on a subnet basis (no host to host routes) i don't get why traffic from 192.168.0.19 to 10.10.20.18 would be sent through the correct interface and traffic from 192.168.0.19 to 10.10.20.19 be sent somewhere else. to make things worse all this worked until i had a power outage at location B....