pedalhead
asked on
Cisco ASA 5510 blocking internal traffic
I am trying to understand the ASA. I have seen two ASAs, a 5505 and a 5510, that block traffic when there are multiple subnets behind the internal interface. For example, the internal interface of the ASA is configured for 192.168.0.0/24. There is another router (192.168.0.254) on the subnet that acts as a gateway to another subnet, 192.168.1.0. It is possible to ping between subnets, but all other traffic fails. Why would this be? What information can I provide? All help is greatly appreciated.
ASKER CERTIFIED SOLUTION
ASKER
Exactly, the information I needed, and quick! Thanks.
The thing to remember here is that the ASA is a firewall first, last, and always. It wants all traffic to be part of an established TCP session. Using it as a router breaks that paradigm.
Session initiates: Host A -> ASA -> Router -> Host B
Traffic returns: Host B -> Router -> Host A
Session blocked: Host A -> ASA (is not aware of the established session)
Or
Session initiates: Host B -> Router -> Host A
Return traffic blocked: Host A -> ASA (Never saw the original SYN packet)
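The two failure paths in the answer above come down to what a stateful firewall's connection table does and does not see. The following is an added illustration, not code from the thread or from Cisco: a toy model of such a table, with host addresses (192.168.0.10 on the ASA's inside subnet, 192.168.1.10 behind the internal router) constructed for the example. It also models ICMP echo as untracked, which is a simplification chosen to reproduce the symptom in the question (ping works, TCP does not), not a statement about ASA defaults.

```python
# Added illustration (not Cisco ASA code): a minimal model of a stateful
# firewall's TCP connection table, showing why the two asymmetric paths
# described in the answer are dropped. Addresses are constructed examples.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "icmp"
    flags: str = ""   # TCP only: "SYN", "SYN-ACK", "ACK", "DATA"


class StatefulFirewall:
    """Permits TCP only for flows whose handshake it has actually witnessed."""

    def __init__(self):
        # (initiator, responder) -> "SYN_SEEN" | "ESTABLISHED"
        self.table = {}
        self.decisions = []   # audit trail of (src, dst, proto, flags, verdict, reason)

    def _decide(self, pkt, verdict, reason):
        self.decisions.append((pkt.src, pkt.dst, pkt.proto, pkt.flags, verdict, reason))
        return verdict

    def inspect(self, pkt):
        # Simplification: ICMP is not tracked here, so "ping works" even when
        # every TCP session between the subnets fails.
        if pkt.proto == "icmp":
            return self._decide(pkt, "PERMIT", "icmp not tracked")
        fwd = (pkt.src, pkt.dst)
        rev = (pkt.dst, pkt.src)
        state = self.table.get(fwd) or self.table.get(rev)
        if pkt.flags == "SYN":
            self.table[fwd] = "SYN_SEEN"            # embryonic entry created
            return self._decide(pkt, "PERMIT", "new session, SYN recorded")
        if state is None:
            return self._decide(pkt, "DROP", "never saw the original SYN")
        if state == "SYN_SEEN":
            if pkt.flags == "SYN-ACK" and rev in self.table:
                self.table[rev] = "ESTABLISHED"     # responder's reply completes handshake
                return self._decide(pkt, "PERMIT", "handshake completed")
            return self._decide(pkt, "DROP", "handshake never completed on this path")
        return self._decide(pkt, "PERMIT", "established session")


HOST_A = "192.168.0.10"   # constructed: on the ASA's inside subnet, default gateway = ASA
HOST_B = "192.168.1.10"   # constructed: on the subnet behind the internal router


def scenario_a_initiates():
    """Answer's first case: A's SYN crosses the ASA, but B's reply comes back
    through the router directly, so the ASA never sees the SYN-ACK."""
    fw = StatefulFirewall()
    v1 = fw.inspect(Packet(HOST_A, HOST_B, "tcp", "SYN"))   # A -> ASA -> Router -> B
    # B -> Router -> A: the SYN-ACK bypasses the ASA, so there is no inspect() call
    v2 = fw.inspect(Packet(HOST_A, HOST_B, "tcp", "ACK"))   # A -> ASA: blocked
    return v1, v2


def scenario_b_initiates():
    """Answer's second case: B's SYN reaches A via the router only; A's SYN-ACK
    goes to its default gateway, the ASA, which never saw the SYN."""
    fw = StatefulFirewall()
    # B -> Router -> A: SYN bypasses the ASA entirely
    return fw.inspect(Packet(HOST_A, HOST_B, "tcp", "SYN-ACK"))   # A -> ASA: blocked


def scenario_symmetric():
    """Contrast: when both directions of the flow cross the firewall, it is allowed."""
    fw = StatefulFirewall()
    return (
        fw.inspect(Packet(HOST_A, HOST_B, "tcp", "SYN")),
        fw.inspect(Packet(HOST_B, HOST_A, "tcp", "SYN-ACK")),
        fw.inspect(Packet(HOST_A, HOST_B, "tcp", "ACK")),
        fw.inspect(Packet(HOST_B, HOST_A, "tcp", "DATA")),
    )


def scenario_ping():
    """The symptom from the question: ICMP between the subnets still succeeds."""
    fw = StatefulFirewall()
    return fw.inspect(Packet(HOST_A, HOST_B, "icmp"))


if __name__ == "__main__":
    print("A initiates (asymmetric return):", scenario_a_initiates())
    print("B initiates (ASA never saw SYN):", scenario_b_initiates())
    print("Both directions via firewall:   ", scenario_symmetric())
    print("ICMP echo:                      ", scenario_ping())
```

The `decisions` list is the part worth keeping an eye on in practice: a stateful firewall that drops asymmetric traffic logs exactly these "no matching session" style denials, and a burst of them for flows between two internal subnets is the tell-tale sign of a routing design that sends only one direction through the firewall. The fix is to make the routing symmetric so the firewall sees both halves of every flow, which is what the answer means by not using the ASA as a router.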