Cisco ASA redirects

I know that a Cisco PIX is NOT able to do a redirect, I mean, to route a packet back to the same interface it came from, but can a Cisco ASA do it? I desperately need it to do it. Why is it not able to do it?

I know a firewall is not a router, but it should have certain routing capabilities to centralize all traffic.

Please help!!!
llandajuela asked:

lrmoore commented:
PIX version 7.0 and the ASA will do it.
The little PIX 501/506 does not support ver 7.0;
515e and bigger only.

It's called "hairpinning", using the following command:
   same-security-traffic permit intra-interface

Example configuration:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

llandajuela (Author) commented:
Thanks for the answer, lrmoore.

I think I saw a similar checkbox in ASDM, allowing traffic between same security level interfaces. I did mark it.

I am trying to route traffic from any "inside" client to other corporate sites back to the inside through the firewall, but I am getting "Deny inbound connection from 192.168.1.x inside to 192.168.8.x inside" messages in the syslog.

Do I need to configure any access rule or NAT rule? The problem is that it won't let me configure a rule from inside to inside.

Here's the situation:

                           Inside
192.168.1.0 ------------------------------ 192.168.1.101   Cisco ASA   Public IP ------------ Internet
                            |
                            |
                            |
                      192.168.1.201 Router to WAN
                            |
                            |
                            |
                         WAN sites (192.168.8.0 for ex)

I want my inside hosts to have the ASA's internal IP as their default gateway, and the ASA to route the WAN traffic back to the WAN router through the inside interface.

Can I do it? I hope I can.

Thanks
lrmoore commented:
That you still can't do.
You have little choice other than to set the WAN router's default pointing to the ASA and point your internal clients to the WAN router. This would be your best option.

llandajuela (Author) commented:
lrmoore,

I have 4 physical ports in my ASA 5510, but I only see 3 Ethernet ports in ASDM. I use inside, outside and DMZ.

Would it work if I had one more available port and connected it to the inside also?

Can I purchase an extra license to have one more port available? (which I already physically have)

thanks
lrmoore commented:
My advice - use the simple solution.
If you have 4 physical ports, you should be able to see them/use them all.
stressedout2004 commented:
I agree with lrmoore, the simplest solution is to just change the d.g. of the internal client to point to the WAN router.
If you don't want to do that and money is not an issue then purchase the ASA license upgrade so you can have another DMZ. Now when you have that done, you can transfer the WAN router connection to the new DMZ and do the following on the ASA:

1) initialize the new interface by assigning it an interface name, sec level and ip address
2) add some static or nat rule depending on the flow of traffic
3) create access-rules
4) add route for the wan sites on the ASA

Hope it helps.
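stressedout2004's four steps written out as an ASA configuration, as an added example that is not from the thread (the interface name Ethernet0/3, the 192.168.9.0/24 link segment to the WAN router, security level 50, the ACL names and the pre-8.3 NAT syntax are all assumptions):

```cisco
! Added example, not from the thread. Assumed: the fourth port is Ethernet0/3,
! the WAN router is re-addressed to 192.168.9.2 on a new /24 link segment,
! and the ASA runs a 7.x/8.2-era image (pre-8.3 NAT syntax).
!
! 1) initialize the new interface: name, security level, IP address
interface Ethernet0/3
 nameif wan
 security-level 50
 ip address 192.168.9.1 255.255.255.0
 no shutdown
!
! 2) NAT rule: exempt inside <-> WAN-site traffic from translation
!    (nat 0 with an access-list is matched in both directions)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 3) access rules: only the corporate WAN subnet is allowed in from the
!    wan interface, and inside hosts are allowed out to it
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-group INSIDE_IN in interface inside
access-list WAN_IN extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group WAN_IN in interface wan
!
! 4) static route for the WAN sites via the WAN router on the new segment
route wan 192.168.8.0 255.255.255.0 192.168.9.2 1
```

With the WAN router on its own interface the inside-to-inside syslog denies stop, because the traffic now enters on inside and leaves on wan instead of u-turning on one interface.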
llandajuela (Author) commented:
Well, I have to accept it is not possible, but I still try to figure out why Cisco engineers don't want the PIX and ASA to do such a simple thing, when they are already capable of doing static routing, and even OSPF!

Thank you guys, anyway.