Link to home
Create AccountLog in
Avatar of jms220
jms220

asked on

Problems with Default Route on ASA 5520

Hi,
We have a bit of a problem - nothing too major that's causing us downtime but just a headache.  On our network we have a Cisco ASA 5520.  We have the gateway of last resort set to the IP address of our BGP router as we have several ISPs.  The issue is that the IP address of the gateway (BGP Router) is the first usable address of the IP address block that we lease from this ISP.  We have several other addresses from this block NAT'd through the ASA.  Basically it looks like this:

route 0.0.0.0  0.0.0.0  199.1XX.170.1 1

The problem is that from behind the ASA we cannot access any of the servers on this IP block by their external IP.  Users outside our network can reach the servers and we can reach them fromtheir internal addresses so there's no real buisiness issue for us yet but I'd like to get this resolved.  Any help would be appreciated.  I will be glad to provide any additional info needed.  Thank You.
Avatar of Justin Ellenbecker
Justin Ellenbecker
Flag of United States of America image

With hairpinning they say it can work using this command in the ASA:

same-security-traffic permit intra-interface

This should do what is needed here is a cisco doc that explains it more.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814
You will also need a NAT command for it like this:

static(inside,inside) xxx xxx
Avatar of jms220
jms220

ASKER

StrifeJester -
Thanks for your help - the same-security-traffic permit intra-interface command seems like the solution.  I just have one question- what is the new static NAT entry for?
You have outside nat rules created correct?  You have to create the same rule on the inside to create the hairpin.

Lets look at the nat statement:

static (real_interface,mapped_interface) mapped_ip real_ip netmask mask

So static (inside,inside) External_IP Internal_IP netmask Mask
Or static (inside,inside) 1.1.1.1 192.168.1.2 netmask 255.255.255.555
Now that is for the whole IP not specific services.

This tells it a packet that shows up with a destination of the external IP on the internal interface needs to get sent right back out the same interface to the interal IP.  That is why you need the same-secrurity permit intra-interface so that it is allowed to do that.
Avatar of jms220

ASKER

Thanks for clarifying but yeah that dosen't seen to be working. I did create the inside NAT rules. It's funny when I log into the BGP router (the one at the gateway adddess (199.1XX.170.1) I can ping any address on th IP block as well as any other IP on the inteenet that I choose.  I have no idea why this is happening.
Avatar of jms220

ASKER

Even stranger - I realized that I can ping the gateway address.  But nothing else on that subnet.
From the BGP router you should be able to ping anything on the same public IP subnet because there is no NAT mucking it up as far as its concerned.  If i am understanding you correctly.  The reason you can ping the gateway address from inside is that its taking a hop out of the ASA then coming back so NAT is working properly.  Here is a post I found on cisco's forums that  talks about hairpinning with the ASA:

https://supportforums.cisco.com/thread/1003238;jsessionid=62D18A0C6356F1C56BF4E39628370645.node0

Maybe there are some steps you can follow in here that will help.
Do you have the ASDM installed?  If so you can try to use the packet tracer but i don't recall if it lets you choose the same interface for both sides of a trace.
Avatar of jms220

ASKER

I do have ASDM installed. Yeah I was aware that on the BGP router I could reach any external address out there.  What I though was so weird is that I could ping the BGP router form the ASA (The BGP router being the first address in this leased IP block) but nothing else in that range.  I'll check out the info you posted.  I think there may be an ACL set somewhere in here that I'm unaware ofor maybe an asymmetriclat routing issue.  I appreciate all the help you've given me on this.
ASKER CERTIFIED SOLUTION
Avatar of Justin Ellenbecker
Justin Ellenbecker
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of jms220

ASKER

Thanks for the help.  I do beleive this is the correct answer.  In your case from what I read on CIscos site NO version of the PIX software supports this.  Ithink it only exists on ASA - but don't qutoe me on that.  I'm in the same situation it's production enviromnent.  Also were running 7.2(3) which from what I've seen has numerouds vulnerabilities and some bugs.  I think a code upgrade may be in order.  Once Again Thank You I really don't see any other solution ti could be.  And it makes sense - every other time I have delt with leased IP blocks from our ISP the address we usd as our gateway was neveer on the same network as the leased IPs so I never encoountered this problem before.