Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1682
Views
0
Helpful
9
Replies

Nat Rule in ASA 5505

Go to solution
ken.hoover1
Level 1
Level 1

‎03-29-2016 07:23 AM - edited ‎03-08-2019 05:08 AM

I have been trying to solve this on another discussion, but have not received further response. I am setting up virtual servers through stacked HP 2920 switches. These servers are on VLANs configured on the switch.

During the other discussion, I added a static route as suggested, and it kept taking my network servers down.  On the servers that will house the virtual machines, there is a feature called iLO. I figure if I can't reach the iLO, I will not be able to reach any of the virtual machine that will be installed.

I have attached the running config of the ASA, the HP Switch, and the results of a packet trace between my office computer and the iLO, as well as the Dynamic Rule that is dropping the packets.

I know there is probably a simple solution that I am not seeing. Any further assistance would be greatly appreciated.

Labels:
cg-asa_firewall_running_config_1.txt
Preview file
9 KB
packettracer_4.jpg
Preview file
86 KB
natrule2.jpg
Preview file
130 KB
natrule_1.jpg
Preview file
47 KB
cgc-core_running-config_1.txt
Preview file
3 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Paul Chapman
Level 4
Level 4
In response to ken.hoover1

‎04-03-2016 03:51 PM

Hi Ken -

I'd like to say this is an unusual problem, but it's not.  You are trying to "bounce" traffic off an ASA interface.  Generally this is not allowed without "same-security-traffic permit intra-interface" and some custom rules and NAT exemptions.  Even if you do get it to work it is a bad idea.  Typically you end up dropping the traffic due to asymmetric routing (shown in diagram below).

If you are somehow able to successfully send from the workstation to the L3 switch via the ASA, the return traffic will always be direct from the L3 switch to the workstation.  Since the ASA is not seeing bidirectional traffic (i.e. full TCP handshake), it will drop the remaining traffic stream.

The recommended way to deal with this is to use your L3 switch as your default gateway for all machines on the 10.10.0.0/24 network.  On the L3 switch install a default route (0.0.0.0/0) that points to the ASA.  On the ASA you need routes to the "Other Nets", which you have already installed.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
sachintambat
Level 1
Level 1

‎03-29-2016 10:05 PM

Hi,

I think both the vlan is on same switch, so firewall on comes to in picture.

Check the tag and untag port from which you are trying to ping ILO.

0 Helpful

Go to solution
ken.hoover1
Level 1
Level 1
In response to sachintambat

‎03-30-2016 11:11 AM

Yes the VLANs are configured on the switch (10.10.0.1) . The network connects to the switch and the network switch is connected to the firewall (10.10.0.3).  The switch with the vLANs is L3 and has routing enabled. 

The static NAT route that I entered (and which worked for the iLO)  was:

static (inside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

This did work, but caused the Poller on the main network to crash. As soon as I removed this NAT rule, the Poller stopped crashing.

as the attachments show from my previous post, when doing a packet trace, Everything is good until the packet reaches the Dynamic NAT rule, then it is dropped.  If I can figure out what I need to do to the Dynamic Rule to make it work, my problem is solved.

0 Helpful

Go to solution
Paul Chapman
Level 4
Level 4
In response to ken.hoover1

‎04-03-2016 03:51 PM

Hi Ken -

I'd like to say this is an unusual problem, but it's not.  You are trying to "bounce" traffic off an ASA interface.  Generally this is not allowed without "same-security-traffic permit intra-interface" and some custom rules and NAT exemptions.  Even if you do get it to work it is a bad idea.  Typically you end up dropping the traffic due to asymmetric routing (shown in diagram below).

If you are somehow able to successfully send from the workstation to the L3 switch via the ASA, the return traffic will always be direct from the L3 switch to the workstation.  Since the ASA is not seeing bidirectional traffic (i.e. full TCP handshake), it will drop the remaining traffic stream.

The recommended way to deal with this is to use your L3 switch as your default gateway for all machines on the 10.10.0.0/24 network.  On the L3 switch install a default route (0.0.0.0/0) that points to the ASA.  On the ASA you need routes to the "Other Nets", which you have already installed.

0 Helpful

Go to solution
ken.hoover1
Level 1
Level 1
In response to Paul Chapman

‎04-04-2016 11:26 AM

I have a route on the L3 switch of 0.0.0.0 .  On the ASA, how would the routes to the "Other Nets" be configured?

0 Helpful

Go to solution
Paul Chapman
Level 4
Level 4
In response to ken.hoover1

‎04-04-2016 12:16 PM

Hi Ken -

I looked at the configuration you posted and you have already created them.

PSC

0 Helpful

Go to solution
ken.hoover1
Level 1
Level 1
In response to Paul Chapman

‎04-04-2016 12:54 PM

So, I am assuming if the routes on the ASA and the routes on the Switch are configured correctly, I must have the network connected to the switch via the wrong port.

0 Helpful

Go to solution
ken.hoover1
Level 1
Level 1
In response to Paul Chapman

‎04-04-2016 01:18 PM

That's it!!  I have not been in IT for 12 years. I knew that it was something small that I overlooked. I added a gateway to the other computers pointing to the switch, and I can now access what I have set up so far.  Thank you and all who answered me on this forum for all the great assistance you have given me.  You guys are fantastic!!

0 Helpful

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni

‎03-29-2016 10:55 PM

Can you maybe add a pic of what you are trying to set up and the subnets, and what goes where. I am having a hard time to conceptualize what you are trying to achive.  put in where everything is in relation to your ASA's interfaces. cheers

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

Go to solution
ken.hoover1
Level 1
Level 1
In response to Dennis Mink

‎04-03-2016 01:08 PM

Here is what I am trying to accomplish. The previous post includes the other files I have uploaded.

network_new_2.pdf
Preview file
54 KB
0 Helpful
Top