jms220 asked:

Problems with Default Route on ASA 5520

We have a bit of a problem - nothing too major that's causing us downtime, but just a headache.  On our network we have a Cisco ASA 5520.  We have the gateway of last resort set to the IP address of our BGP router, as we have several ISPs.  The issue is that the IP address of the gateway (BGP router) is the first usable address of the IP address block that we lease from this ISP.  We have several other addresses from this block NAT'd through the ASA.  Basically it looks like this:

route outside 0.0.0.0 0.0.0.0 199.1XX.170.1 1

The problem is that from behind the ASA we cannot access any of the servers on this IP block by their external IP.  Users outside our network can reach the servers, and we can reach them from their internal addresses, so there's no real business issue for us yet, but I'd like to get this resolved.  Any help would be appreciated.  I will be glad to provide any additional info needed.  Thank you.
Tags: Hardware Firewalls, Cisco, Routers

Last comment: 8/22/2022
Justin Ellenbecker

With hairpinning they say it can work using this command on the ASA:

same-security-traffic permit intra-interface

This should do what is needed.  Here is a Cisco doc that explains it more.

Justin Ellenbecker

You will also need a NAT command for it like this:

static (inside,inside) xxx xxx

StrifeJester -
Thanks for your help - the same-security-traffic permit intra-interface command seems like the solution.  I just have one question: what is the new static NAT entry for?
Justin Ellenbecker

You have outside NAT rules created, correct?  You have to create the same rule on the inside to create the hairpin.

Let's look at the NAT statement:

static (real_interface,mapped_interface) mapped_ip real_ip netmask mask

So static (inside,inside) External_IP Internal_IP netmask Mask
Or static (inside,inside) <External_IP> <Internal_IP> netmask <Mask>
Now that is for the whole IP, not specific services.

This tells it that a packet that shows up with a destination of the external IP on the internal interface needs to get sent right back out the same interface to the internal IP.  That is why you need same-security-traffic permit intra-interface, so that it is allowed to do that.
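The hairpin described above, written out as a complete configuration.  This is an added example, not jms220's config and not Justin's text; it uses the pre-8.3 NAT syntax that matches the 7.2(3) code mentioned later in the thread, and the interface names (inside, outside), the documentation block 203.0.113.0/24 standing in for the leased 199.1XX.170.0 block, and the server and client addresses are all assumed.  It also includes a step the posts above do not list: a source translation so that the server's reply to a hairpinned connection returns through the ASA instead of going straight to the client over the LAN.  Without it the client sends to the public address but sees the reply come from the private one and drops it, which is worth checking whenever the static and the same-security command alone do not produce a working hairpin.

```cisco
! Added example (not from the thread).  Assumed names and addresses:
!   interfaces "inside" / "outside"
!   leased block 203.0.113.0/24, ISP/BGP router at 203.0.113.1 (first usable)
!   public server 203.0.113.10 -> internal server 10.1.1.10
!   inside LAN 10.1.1.0/24

! Gateway of last resort points at the BGP router, which sits inside the
! same block as the NAT'd server addresses.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Existing outbound PAT and inbound one-to-one NAT for Internet users
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside

! ---- Hairpin additions ----

! 1. Let a packet that arrives on inside leave on inside again.
same-security-traffic permit intra-interface

! 2. Translate the public address to the real one for packets that
!    arrive on inside (the "same rule on the inside" from the post).
static (inside,inside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! 3. Hide inside clients behind the inside interface address when their
!    traffic exits inside.  The server then replies to the ASA, the ASA
!    un-translates 10.1.1.10 back to 203.0.113.10, and the client sees
!    the reply from the address it actually connected to.  Reuses NAT id 1
!    from the existing nat (inside) 1 statement.
global (inside) 1 interface
```

To check the result from the CLI (the same test ASDM's Packet Tracer runs), trace an inside client connecting to the public address: `packet-tracer input inside tcp 10.1.1.50 1025 203.0.113.10 80`.  Every phase should show ALLOW, with the NAT phase listing both the (inside,inside) static and the global (inside) translation; `show xlate` after a real connection should show the client mapped to the inside interface address.  On 8.3 and later the NAT model changed to object and twice NAT, so these lines would need to be rewritten after a code upgrade.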

Thanks for clarifying, but yeah, that doesn't seem to be working.  I did create the inside NAT rules.  It's funny: when I log into the BGP router (the one at the gateway address (199.1XX.170.1)) I can ping any address on the IP block as well as any other IP on the internet that I choose.  I have no idea why this is happening.

Even stranger - I realized that I can ping the gateway address.  But nothing else on that subnet.
Justin Ellenbecker

From the BGP router you should be able to ping anything on the same public IP subnet because there is no NAT mucking it up as far as it's concerned, if I am understanding you correctly.  The reason you can ping the gateway address from inside is that it's taking a hop out of the ASA and then coming back, so NAT is working properly.  Here is a post I found on Cisco's forums that talks about hairpinning with the ASA:


Maybe there are some steps you can follow in here that will help.
Justin Ellenbecker

Do you have the ASDM installed?  If so, you can try to use the Packet Tracer, but I don't recall if it lets you choose the same interface for both sides of a trace.

I do have ASDM installed.  Yeah, I was aware that on the BGP router I could reach any external address out there.  What I thought was so weird is that I could ping the BGP router from the ASA (the BGP router being the first address in this leased IP block) but nothing else in that range.  I'll check out the info you posted.  I think there may be an ACL set somewhere in here that I'm unaware of, or maybe an asymmetric routing issue.  I appreciate all the help you've given me on this.
Justin Ellenbecker


Thanks for the help.  I do believe this is the correct answer.  In your case, from what I read on Cisco's site, no version of the PIX software supports this.  I think it only exists on ASA - but don't quote me on that.  I'm in the same situation; it's a production environment.  Also, we're running 7.2(3), which from what I've seen has numerous vulnerabilities and some bugs.  I think a code upgrade may be in order.  Once again, thank you.  I really don't see any other solution it could be.  And it makes sense - every other time I have dealt with leased IP blocks from our ISP, the address we used as our gateway was never on the same network as the leased IPs, so I never encountered this problem before.