Cisco ASA redirects

Medium Priority
2,276 Views
Last Modified: 2013-11-16
I know that a Cisco PIX is NOT able to do a redirect, I mean, to route a packet back out the same interface it came in on, but can a Cisco ASA do it? I desperately need it to do it. Why is it not able to do it?

I know a firewall is not a router, but it should have certain routing capabilities to centralize all traffic.

Please help!!!

Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
PIX version 7.0 and the ASA will do it.
little PIX 501/506 does not support ver 7.0
515e and bigger only

It's called "hairpinning", using the following command:
   same-security-traffic permit intra-interface

Example configuration:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Author

Commented:
Thanks for the answer, lrmoore.

I think I saw a similar checkbox in ASDM, allowing traffic between same security level interfaces. I did mark it.

I am trying to route traffic from any "inside" client to other corporate sites back to the inside through the firewall, but I am getting "Deny inbound connection from 192.168.1.x inside to 192.168.8.x inside" messages in the syslog.

Do I need to configure any access rule or NAT rule? The problem is that it won't let me configure a rule from inside to inside.

Here's the situation:

                           Inside
192.168.1.0 ------------------------------ 192.168.1.101   Cisco ASA   Public IP ------------ Internet
                            |
                            |
                            |
                      192.168.1.201 Router to WAN
                            |
                            |
                            |
                         WAN sites (192.168.8.0 for ex)

I want my inside hosts to have the ASA's internal IP as their default gateway, and the ASA to route the WAN traffic back to the WAN router through the inside interface.

Can I do it? I hope I can.

Thanks

Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008
Commented:
That you still can't do.
You have little choice other than to set the WAN router's default pointing to the ASA and point your internal clients to the WAN router. This would be your best option.


Author

Commented:
lrmoore,

I have 4 physical ports in my ASA 5510, but I only see 3 Ethernet ports in ASDM. I use inside, outside and DMZ.

Would it work if I had one more available port and connected it to the inside as well?

Can I purchase an extra license to have one more port available (which I already physically have)?

Thanks
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
My advice: use the simple solution.
If you have 4 physical ports, you should be able to see them/use them all.
I agree with lrmoore, the simplest solution is to just change the d.g. of the internal clients to point to the WAN router.
If you don't want to do that and money is not an issue, then purchase the ASA license upgrade so you can have another DMZ. Once you have that done, you can move the WAN router connection to the new DMZ and do the following on the ASA:

1) initialize the new interface by assigning it an interface name, sec level and ip address
2) add some static or nat rule depending on the flow of traffic
3) create access-rules
4) add route for the wan sites on the ASA

Hope it helps.
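The four steps above written out as ASA CLI configuration, as an added example that is not from the thread or from Cisco. It assumes pre-8.3 NAT syntax (ASA 7.x/8.0-8.2, the era of this thread), Ethernet0/3 as the spare port, an interface name of "wanlink", and a constructed 192.168.9.0/24 transit subnet with the ASA at .1 and the WAN router re-addressed to .2; the WAN site prefix 192.168.8.0/24 and inside network 192.168.1.0/24 are taken from the diagram.

```cisco
! Step 1: bring the spare port up as a new interface
! (interface name, security level and addresses are assumed)
interface Ethernet0/3
 nameif wanlink
 security-level 50
 ip address 192.168.9.1 255.255.255.0
 no shutdown
!
! Step 2: identity NAT (pre-8.3 "static" syntax) so inside hosts keep
! their real addresses toward the WAN sites and the WAN sites can
! reach them; needed whenever nat-control is in effect
static (inside,wanlink) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Step 3: access rule for traffic arriving from the WAN sites on the
! lower-security wanlink interface toward the inside network
! (inside-to-wanlink is permitted by default, higher to lower)
access-list wanlink_access_in extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group wanlink_access_in in interface wanlink
!
! Step 4: static route for the WAN site prefix via the WAN router
route wanlink 192.168.8.0 255.255.255.0 192.168.9.2 1
```

The WAN router side needs a matching change: its LAN-facing address moves to 192.168.9.2 and its default route points at 192.168.9.1, as lrmoore suggested earlier. On ASA 8.3 and later the `static` line is replaced by an object NAT statement and the ACL matches on real (untranslated) addresses.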

Author

Commented:
Well, I have to accept it is not possible, but I still try to figure out why Cisco engineers don't want the PIX and ASA to do such a simple thing, when they are already capable of doing static routing, and even OSPF!

Thank you guys, anyway.