Two networks behind ASA

sandrabacic
Level 1

Dear all,

I would appreciate your help with configuring ASA!

At first, the ASA was configured with inside (192.168.1.0 /24) and outside (NAT, VPN). Default gateway 192.168.1.1.

Recently a new network has been added (172.0.0.0 /24) with default gateway 172.0.0.254. This network accesses the Internet via "OTHER ROUTER".

The ASA has been configured with a static route 172.0.0.0 255.255.255.0 192.168.1.2. However, the two networks are not able to communicate.

Could you please check this out and help me understand the case? Thanks a lot!

asa.png

22 Replies

Hi

Could you please explain the importance of "same-security-traffic permit intra-interface" here?

Thanks

Vipin

Thanks and Regards, Vipin

Hi Vipin,

Yep, you're right: as the 192.168.1.0 network is directly connected, the traffic isn't going to hairpin through the ASA.

I read the post badly and too quickly.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

So what can be the possible solution here?

thanks

Vipin

Thanks and Regards, Vipin

Hi Alain,

I have a similar environment to the example at http://blogg.kvistofta.nu/cisco-asa-hairpinning/.

I have added:

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,inside) 172.0.0.0 172.0.0.0 netmask 255.255.255.0

same-security-traffic permit inter-interface

Maybe I still need an ACL?
access-list acl_inside extended permit ip 192.168.1.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list acl_inside extended permit ip 172.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_inside extended deny ip any any
!
access-group acl_inside in interface inside

Well, it is easy to play in a testing environment, but I cannot play around with production (at a remote location). That is why I appreciate your help, all!

Hi sandra,

Finally, if I understand correctly, then my previous assumption was correct: the inside hosts have only a default gateway pointing to the ASA inside interface, so you have hairpinning, and indeed your solution could work, but with intra-interface, as traffic is entering and leaving the same interface. But you could also try this instead without disrupting the network:

What about putting a static route to the 172.0.0.0 subnet on the inside host:

route add 172.0.0.0 mask 255.255.255.0 192.168.1.2 permanent

Regards.

Alain

Don't forget to rate helpful posts.
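To make the hairpinning point above concrete, here is an added example (not from the thread, Cisco, or the blog linked earlier): a small longest-prefix routing model that traces a packet from an inside host to 172.0.0.10 under the two fixes discussed. The addresses are the thread's; the host address, the route tables and the "outside" label are constructed, and the model covers routing and the intra-interface policy only, not the ACL or NAT statements.

```python
from ipaddress import ip_address, ip_network

ASA_INSIDE = "192.168.1.1"    # inside hosts' default gateway (thread)
OTHER_ROUTER = "192.168.1.2"  # ASA next hop for 172.0.0.0/24 (thread)
INSIDE_NET = ip_network("192.168.1.0/24")


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    dst = ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def asa_forward(dst, intra_interface_permitted):
    """ASA decision for a packet that arrived on 'inside' (constructed table)."""
    asa_routes = [("172.0.0.0/24", OTHER_ROUTER), ("0.0.0.0/0", "outside")]
    nh = next_hop(asa_routes, dst)
    if nh == "outside":
        return "forwarded via outside"
    # Next hop sits on the ingress subnet: the packet must leave the same
    # interface it entered, which the ASA refuses unless intra-interface
    # traffic is explicitly permitted.
    if ip_address(nh) in INSIDE_NET:
        if not intra_interface_permitted:
            return "dropped: hairpin needs same-security-traffic permit intra-interface"
        return f"hairpinned to {nh} via inside"
    return f"forwarded to {nh}"


def host_path(host_routes, dst, intra_interface_permitted=False):
    """Trace one packet from an inside host; returns the hop descriptions."""
    nh = next_hop(host_routes, dst)
    if nh is None:
        return ["no route"]
    path = [f"host -> {nh}"]
    if nh == ASA_INSIDE:
        path.append("ASA: " + asa_forward(dst, intra_interface_permitted))
    return path


# Constructed host routing tables for the two cases discussed above.
DEFAULT_GW_ONLY = [("0.0.0.0/0", ASA_INSIDE)]
WITH_STATIC_ROUTE = DEFAULT_GW_ONLY + [("172.0.0.0/24", OTHER_ROUTER)]
```

With the default-gateway-only table the packet reaches the ASA and is dropped unless intra-interface traffic is permitted; with the host static route the ASA is not involved at all.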

Also, another option would be to set up trunking on the inside ASA interface and set the ASA interface as the default gateway for both networks.

Hi,

Can the OP try to ping 172.0.0.10 from a machine in the ASA inside subnet, and do a traceroute as well?

Can we also sniff on 172.0.0.10 and on the inside machine we're trying to reach, and post the capture file as well as the ipconfig and ARP cache output from both hosts?

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

I will set up some of the suggested configuration this evening and will keep you informed. Thanks a lot!
