pedalhead asked:
Cisco ASA 5510 blocking internal traffic

I am trying to understand the ASA. I have seen two ASAs, a 5505 and a 5510, that block traffic when there are multiple subnets behind the internal interface. For example, the internal interface of the ASA is configured for 192.168.0.0/24. There is another router (192.168.0.254) on the subnet that acts as a gateway to another subnet, 192.168.1.0. It is possible to ping between subnets, but all other traffic fails. Why would this be? What information can I provide? All help is greatly appreciated.
ASKER CERTIFIED SOLUTION
JFrederick29
asavener
I've seen this problem when the address of the ASA is used as the default gateway, instead of the internal router.

The thing to remember here is that the ASA is a firewall first, last, and always. It wants all traffic to be part of an established TCP session. Using it as a router breaks that paradigm.


Session initiates:  Host A -> ASA -> Router -> Host B
Traffic returns:  Host B -> Router -> Host A
Session blocked:  Host A -> ASA (is not aware of the established session)

Or

Session initiates:  Host B -> Router -> Host A
Return traffic blocked:  Host A -> ASA (Never saw the original SYN packet)
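To make the two flows above concrete, here is an added model (not code from the thread or from Cisco) of a stateful firewall that only forwards packets belonging to a TCP handshake it has watched from the first SYN. Host names, hop lists and the three-packet handshake are constructed for illustration; the "asa" hop is the only one that inspects.

```python
"""Why a stateful firewall drops asymmetrically routed TCP traffic (constructed model)."""


class StatefulFirewall:
    """Minimal TCP tracker: SYN opens an entry, SYN/ACK confirms it, ACK completes it."""

    def __init__(self):
        self.table = {}  # frozenset({src, dst}) -> connection state

    def inspect(self, src: str, dst: str, flags: str) -> str:
        key = frozenset((src, dst))  # both directions of a flow share one entry
        state = self.table.get(key)
        if flags == "SYN" and state is None:
            self.table[key] = "SYN_SENT"
            return "forward"
        if flags == "SYN/ACK" and state == "SYN_SENT":
            self.table[key] = "SYN_RECV"
            return "forward"
        if flags == "ACK" and state in ("SYN_RECV", "ESTABLISHED"):
            self.table[key] = "ESTABLISHED"
            return "forward"
        return "drop"  # packet fits no session the firewall has seen


def run_handshake(init_path: list, resp_path: list) -> list:
    """Replay SYN, SYN/ACK, ACK between an initiator and a responder.

    init_path / resp_path list the hops each direction crosses. Returns the
    verdict for every packet: the firewall's decision when the packet crossed
    the 'asa' hop, or 'bypassed' when it never did. Stops at the first drop.
    """
    fw = StatefulFirewall()
    steps = [("init", "resp", "SYN", init_path),
             ("resp", "init", "SYN/ACK", resp_path),
             ("init", "resp", "ACK", init_path)]
    verdicts = []
    for src, dst, flags, path in steps:
        verdicts.append(fw.inspect(src, dst, flags) if "asa" in path else "bypassed")
        if verdicts[-1] == "drop":
            break
    return verdicts


# Case 1: Host A's default gateway is the ASA, Host B's reply comes back via the router.
CASE_A_INITIATES = run_handshake(["asa", "router"], ["router"])
# Case 2: Host B starts the session via the router, Host A answers through the ASA.
CASE_B_INITIATES = run_handshake(["router"], ["asa"])
# Hosts pointed at the internal router: the ASA never sees the flow, so nothing is dropped.
SYMMETRIC = run_handshake(["router"], ["router"])
# A flow that crosses the ASA in both directions is tracked normally.
THROUGH_ASA = run_handshake(["asa"], ["asa"])
```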
pedalhead (ASKER)
Exactly, the information I needed, and quick! Thanks.