02-25-2014 08:39 AM - edited 03-07-2019 06:24 PM
So here's a rundown of my setup.
Basically what I am wanting to do is, while I am on the 10.0.0.0/24 network, I want to reach the 192.168.195.0/24 network, but send all traffic out through the SonicWall. Vice versa on the 192.168.195.0 network, I would like to reach the 10.0.0.0 network. I added a route to the SonicWall that basically says any traffic for 192.168.195.0/24, send it to 10.0.0.9. On the ASA I added a route that says any traffic for 10.0.0.0/24, send to 192.168.195.9. Am I missing anything here? The 192.168.195.0 network is the "inside" interface on the ASA, and that was in my route command.
02-25-2014 09:39 AM
Paper and pen?!
How are you testing the connection? On the ASA, can you ping 192.168.195.9? Can you ping 10.0.0.9 from the ASA? When you ping, source it like "ping inside 10.0.0.9" and see what happens. From the sounds of it, it sounds like you have everything correct.
So there are a couple of things to rule out:
1. Do you have a firewall rule on the SW that blocks ICMP internally?
2. Do you have an acl on the inside interface of the ASA?
3. Do you have any security features like ACLs, ZBFW, or CBAC on the router in between?
4. Are the switches in between L3, and if so, do they have any acls?
What version of IOS are you running on the ASA? And this is definitely connected this way and not VPN?
HTH,
John
*** Please rate all useful posts ***
02-25-2014 10:08 AM
First off, thank you for the reply.
From the ASA I can ping 10.0.0.anything. From a workstation on the 192.168.195. side I cannot ping nor access any of the services on the 10.0.0. side. From the 10.0.0. side I cannot ping anything or access any services.
1. No rules that are blocking ICMP on the "lan" interface.
2. No ACLs that would affect this
3. No
4. No L3 switches
It is definitely connected as shown. 8.2(5)
02-25-2014 10:26 AM
Ok I've got an update. From the 10.0.0.0 side I can ping the 192.168.195.9 interface and also ping the ASA, but nothing else.
On the 192.168.195.0 side, if I add the route for 10.0.0.0/24 to a desktop, I can ping anything on the 10.0.0.0 network all day long.
So...something is wrong on my ASA. I used this command:
route inside 10.0.0.0 255.255.255.0 192.168.195.9 1
02-25-2014 10:37 AM
John,
What is the default route that the workstations use?
HTH,
John
*** Please rate all useful posts ***
02-25-2014 10:41 AM
On the 192.168.195.0 side they use 192.168.195.2 (ASA) as their default route. This is handed down via DHCP from one of our domain controllers.
On the 10.0.0.0 side they use 10.0.0.1 (Sonicwall) as their default route.
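The two default gateways above make the forward and return paths differ, which is what a stateful firewall in the middle cannot tolerate. The following is an added example (not from the thread or either vendor) that models the topology as described, using the addresses given in the posts; it assumes /24 masks on every interface, treats the ASA and SonicWall as the only flow-tracking devices, and traces each direction hop by hop.

```python
import ipaddress

# Constructed model of the thread's topology (not the poster's real configuration):
# an 1841 router joins 10.0.0.0/24 and 192.168.195.0/24, while each LAN's hosts
# default-route to their own firewall. device -> (interface addresses, static routes, default gw)
DEVICES = {
    "host-a":    ({"192.168.195.11"}, {}, "192.168.195.2"),          # ASA is its gateway
    "asa":       ({"192.168.195.2"}, {"10.0.0.0/24": "192.168.195.9"}, None),
    "router":    ({"192.168.195.9", "10.0.0.9"}, {}, None),
    "sonicwall": ({"10.0.0.1"}, {"192.168.195.0/24": "10.0.0.9"}, None),
    "host-b":    ({"10.0.0.30"}, {}, "10.0.0.1"),                   # SonicWall is its gateway
}
STATEFUL = {"asa", "sonicwall"}  # devices that build flow state and need to see both directions
ADDR_OWNER = {ipaddress.ip_address(a): dev for dev, (ifs, _, _) in DEVICES.items() for a in ifs}

def connected_nets(dev):
    return [ipaddress.ip_network(f"{a}/24", strict=False) for a in DEVICES[dev][0]]

def next_hop(dev, dst):
    """Return 'direct' if dst is on a connected net, else a next-hop address, else None."""
    if any(dst in n for n in connected_nets(dev)):
        return "direct"
    _, routes, default = DEVICES[dev]
    # Longest-prefix match over static routes, then fall back to the default gateway.
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes.items() if dst in ipaddress.ip_network(p)]
    if matches:
        return max(matches, key=lambda m: m[0].prefixlen)[1]
    return default

def trace(src, dst):
    """Follow each device's forwarding decision; returns the list of devices from src to dst."""
    dst_ip = ipaddress.ip_address(dst)
    path = [ADDR_OWNER[ipaddress.ip_address(src)]]
    for _ in range(8):  # loop guard
        hop = next_hop(path[-1], dst_ip)
        if hop == "direct":
            return path + [ADDR_OWNER[dst_ip]]
        if hop is None:
            raise ValueError(f"{path[-1]} has no route to {dst}")
        path.append(ADDR_OWNER[ipaddress.ip_address(hop)])
    raise RuntimeError("routing loop")

def one_way_firewalls(a, b):
    """Stateful devices that are on the a->b path but not the b->a path, or vice versa."""
    fwd, rev = set(trace(a, b)), set(trace(b, a))
    return (fwd ^ rev) & STATEFUL

if __name__ == "__main__":
    print("request:", " -> ".join(trace("192.168.195.11", "10.0.0.30")))
    print("reply:  ", " -> ".join(trace("10.0.0.30", "192.168.195.11")))
    print("firewalls seeing only one direction:", one_way_firewalls("192.168.195.11", "10.0.0.30"))
```

The request passes host-a -> asa -> router -> host-b, while the reply takes host-b -> sonicwall -> router -> host-a, so each firewall sees exactly one half of the flow and the ASA additionally forwards the request back out the interface it arrived on.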
02-25-2014 10:47 AM
John,
Have you enabled "same-security-traffic intra-interface" on the ASA? You may need that since it's routing out of the same interface that it's receiving the traffic on. I'm not sure if there's something like that on your SW though.
HTH,
John
*** Please rate all useful posts ***
02-25-2014 10:51 AM
Yes sir, it has been enabled since we turned the ASA on. Weirdness is all I can say. I can build, blow up, and rebuild this all day long with Packet Tracer, but it's not wanting to work today in real life!
Any other ideas to check?
02-25-2014 11:34 AM
What happens if you change the default gateway on one workstation to point to the router? Does it work then? If so, try setting up a capture on the ASA:
access-list capture permit ip host
access-list capture permit ip host
capture lan interface inside access-list capture
Post the capture here:
show capture lan
HTH,
John
*** Please rate all useful posts ***
02-25-2014 12:13 PM
If on a 192.168.195.0 workstation I change the gateway to that 192.168.195.9 router, everything works fine. From the 192.168.195.0 side.
Do I still need to do a capture, or can I Wireshark it from the actual workstation?
02-25-2014 01:03 PM
Ok I added a route to a workstation, ran a Wireshark capture...
192.168.195.11 10.0.0.30 echo request
10.0.0.30 192.168.195.11 Echo reply
I opened up that packet and sure enough can see the Router that is sitting at 192.168.195.9/10.0.0.9.
02-25-2014 02:18 PM
John
Can I just ask:
1) what model is the router?
2) if it is a Cisco, is there any reason why you don't just use PBR on the router rather than bounce back off the firewalls? Obviously you would need to set the default gateway of the clients to the relevant router interface.
Do you also need to firewall traffic between internal subnets?
Jon
02-25-2014 03:32 PM
see below
02-25-2014 02:39 PM
John,
Doing a capture on the firewall directly will tell us more about how the traffic is being processed.
HTH,
John
*** Please rate all useful posts ***
02-25-2014 03:33 PM
jon.marshall: Never had any dealings with PBR. The router is an 1841, and we are using the ASA for our 8 VLANs, and there are a few ACLs between a few of the VLANs.
john.blakley: Ok I will get a good capture tomorrow.
I was Googling around and found this:
http://www.packetu.com/2011/10/17/the-woes-of-using-an-asa-as-a-default-gateway/