Routing between ASA's

AdmShatan
Level 1

[Image: network.PNG]

I have a simple network pictured above.  The firewalls are ASA 5505s.

I have it set up just like the picture.  The left ASA has an ISP and is the default gateway of the 10.10.4.0 net. 

The right ASA is the default gateway for the 172.16.7.0 net, and has a separate ISP connection.

I wanted to connect the networks (I had the opportunity), so I created a new interface on the right ASA and gave it an IP on the 10.10.4.0 net.

I created the same-security intra and inter commands, and created a static route statement on the left ASA.

The switches are dumb (no layer 2 or layer 3 configs).

I can ping across, any host to any host.  Both ways, no questions asked. 

I cannot get any other service to work, no RDP, no CIFS, SAMBA, HTTP, no nothing.  I have no idea what I may be missing.

4 Replies

AdmShatan
Level 1

I should note that the ASAs have no access-lists configured for any interface, just the defaults.  The only access lists configured are the outside_acces_in lists for NAT and firewall purposes.

I have even gone through and added ip any any rules on all interfaces with no luck.

Based on what little information you provided, my best guess is that the traffic might be subject to NAT in any direction on either of the two ASAs.

You probably have already found the link below which covers the topic quite extensively from a troubleshooting angle:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#intro

regards,

Leo

Hi Arvinder,

Can you please post the output of the following from both the firewalls:

sh run interface

sh route

sh int ip bri

Manish

AdmShatan
Level 1

Just want to help answer my posts. I found the answer for this. What's happening is that the ASA sees the TCP traffic going there, but the router sends it straight to the host on the return, therefore the ASA doesn't see the correct TCP sequence, and kills the connection.

I worked around this using a feature called TCP-State-Bypass. You can find more details on it using this doc:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf

Just want to make sure for those googling, that there is an answer.
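As an added illustration (not from the thread or any Cisco code) of the failure mode this answer describes: a toy stateful firewall that tracks the TCP handshake, replayed once with a symmetric path and once with the asymmetric path where the server's reply skips the firewall. Host addresses are constructed sample values on the two subnets from the question, and the state machine is a simplification assumed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str        # "tcp" or "icmp"
    src: str
    dst: str
    flags: str = ""   # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


@dataclass
class StatefulFirewall:
    """Toy model of a firewall's TCP connection tracking (assumption, not ASA code)."""
    tcp_state_bypass: bool = False
    conns: dict = field(default_factory=dict)  # (client, server) -> state

    def inspect(self, pkt):
        """Return 'permit' or 'drop' for one packet the firewall actually sees."""
        if pkt.proto == "icmp":
            return "permit"           # echo request/reply carry no handshake state
        if self.tcp_state_bypass:
            return "permit"           # bypass: no handshake or sequence checking
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "S":
            self.conns[fwd] = "SYN_SENT"          # new connection attempt
            return "permit"
        if pkt.flags == "SA" and self.conns.get(rev) == "SYN_SENT":
            self.conns[rev] = "SYN_RCVD"          # server's reply was seen
            return "permit"
        if pkt.flags == "A" and self.conns.get(fwd) == "SYN_RCVD":
            self.conns[fwd] = "ESTABLISHED"
            return "permit"
        if "ESTABLISHED" in (self.conns.get(fwd), self.conns.get(rev)):
            return "permit"
        return "drop"                 # segment does not match any tracked state


def run_handshake(fw, return_path_via_fw):
    """Replay a client->server handshake and return the verdicts on the packets
    the firewall sees. On an asymmetric return path the SYN-ACK never reaches it."""
    client, server = "10.10.4.10", "172.16.7.20"    # constructed sample hosts
    verdicts = [fw.inspect(Packet("tcp", client, server, "S"))]
    if return_path_via_fw:
        verdicts.append(fw.inspect(Packet("tcp", server, client, "SA")))
    verdicts.append(fw.inspect(Packet("tcp", client, server, "A")))
    return verdicts


if __name__ == "__main__":
    print("symmetric   :", run_handshake(StatefulFirewall(), True))
    print("asymmetric  :", run_handshake(StatefulFirewall(), False))
    print("with bypass :", run_handshake(StatefulFirewall(tcp_state_bypass=True), False))
```

The asymmetric run shows the client's final ACK being dropped because the firewall never saw the SYN-ACK, which is why ping works but every TCP service fails; the bypass run shows the same packets permitted once handshake tracking is switched off for that traffic.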
