jms220
asked on
Problems with Default Route on ASA 5520
Hi,
We have a bit of a problem - nothing too major that's causing us downtime but just a headache. On our network we have a Cisco ASA 5520. We have the gateway of last resort set to the IP address of our BGP router as we have several ISPs. The issue is that the IP address of the gateway (BGP Router) is the first usable address of the IP address block that we lease from this ISP. We have several other addresses from this block NAT'd through the ASA. Basically it looks like this:
route 0.0.0.0 0.0.0.0 199.1XX.170.1 1
The problem is that from behind the ASA we cannot access any of the servers on this IP block by their external IP. Users outside our network can reach the servers and we can reach them fromtheir internal addresses so there's no real buisiness issue for us yet but I'd like to get this resolved. Any help would be appreciated. I will be glad to provide any additional info needed. Thank You.
We have a bit of a problem - nothing too major that's causing us downtime but just a headache. On our network we have a Cisco ASA 5520. We have the gateway of last resort set to the IP address of our BGP router as we have several ISPs. The issue is that the IP address of the gateway (BGP Router) is the first usable address of the IP address block that we lease from this ISP. We have several other addresses from this block NAT'd through the ASA. Basically it looks like this:
route 0.0.0.0 0.0.0.0 199.1XX.170.1 1
The problem is that from behind the ASA we cannot access any of the servers on this IP block by their external IP. Users outside our network can reach the servers and we can reach them fromtheir internal addresses so there's no real buisiness issue for us yet but I'd like to get this resolved. Any help would be appreciated. I will be glad to provide any additional info needed. Thank You.
You will also need a NAT command for it like this:
static(inside,inside) xxx xxx
static(inside,inside) xxx xxx
ASKER
StrifeJester -
Thanks for your help - the same-security-traffic permit intra-interface command seems like the solution. I just have one question- what is the new static NAT entry for?
Thanks for your help - the same-security-traffic permit intra-interface command seems like the solution. I just have one question- what is the new static NAT entry for?
You have outside nat rules created correct? You have to create the same rule on the inside to create the hairpin.
Lets look at the nat statement:
static (real_interface,mapped_int
So static (inside,inside) External_IP Internal_IP netmask Mask
Or static (inside,inside) 1.1.1.1 192.168.1.2 netmask 255.255.255.555
Now that is for the whole IP not specific services.
This tells it a packet that shows up with a destination of the external IP on the internal interface needs to get sent right back out the same interface to the interal IP. That is why you need the same-secrurity permit intra-interface so that it is allowed to do that.
Lets look at the nat statement:
static (real_interface,mapped_int
So static (inside,inside) External_IP Internal_IP netmask Mask
Or static (inside,inside) 1.1.1.1 192.168.1.2 netmask 255.255.255.555
Now that is for the whole IP not specific services.
This tells it a packet that shows up with a destination of the external IP on the internal interface needs to get sent right back out the same interface to the interal IP. That is why you need the same-secrurity permit intra-interface so that it is allowed to do that.
ASKER
Thanks for clarifying but yeah that dosen't seen to be working. I did create the inside NAT rules. It's funny when I log into the BGP router (the one at the gateway adddess (199.1XX.170.1) I can ping any address on th IP block as well as any other IP on the inteenet that I choose. I have no idea why this is happening.
ASKER
Even stranger - I realized that I can ping the gateway address. But nothing else on that subnet.
From the BGP router you should be able to ping anything on the same public IP subnet because there is no NAT mucking it up as far as its concerned. If i am understanding you correctly. The reason you can ping the gateway address from inside is that its taking a hop out of the ASA then coming back so NAT is working properly. Here is a post I found on cisco's forums that talks about hairpinning with the ASA:
https://supportforums.cisco.com/thread/1003238;jsessionid=62D18A0C6356F1C56BF4E39628370645.node0
Maybe there are some steps you can follow in here that will help.
https://supportforums.cisco.com/thread/1003238;jsessionid=62D18A0C6356F1C56BF4E39628370645.node0
Maybe there are some steps you can follow in here that will help.
Do you have the ASDM installed? If so you can try to use the packet tracer but i don't recall if it lets you choose the same interface for both sides of a trace.
ASKER
I do have ASDM installed. Yeah I was aware that on the BGP router I could reach any external address out there. What I though was so weird is that I could ping the BGP router form the ASA (The BGP router being the first address in this leased IP block) but nothing else in that range. I'll check out the info you posted. I think there may be an ACL set somewhere in here that I'm unaware ofor maybe an asymmetriclat routing issue. I appreciate all the help you've given me on this.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the help. I do beleive this is the correct answer. In your case from what I read on CIscos site NO version of the PIX software supports this. Ithink it only exists on ASA - but don't qutoe me on that. I'm in the same situation it's production enviromnent. Also were running 7.2(3) which from what I've seen has numerouds vulnerabilities and some bugs. I think a code upgrade may be in order. Once Again Thank You I really don't see any other solution ti could be. And it makes sense - every other time I have delt with leased IP blocks from our ISP the address we usd as our gateway was neveer on the same network as the leased IPs so I never encoountered this problem before.
same-security-traffic permit intra-interface
This should do what is needed here is a cisco doc that explains it more.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814