Routing

I have 2 IP segments: (A) 192.168.0.0/24 and (B) 192.168.9.0/24.
They are routed by a router. Both access the Internet through an ASA 5510 (see attachment).

Workstation B can browse the Internet and access workstation A.
Workstation A can browse the Internet but cannot access workstation B.

Even on the ASA (gateway of workstation A) I have a route statement:
route inside 192.168.9.0 255.255.255.0 192.168.0.254 (router F0/0)
I don't know why it doesn't carry out that routing statement.

Thank You.
[Attachment: Routing.jpg]
Savvis asked:
lrmoore commented:
Make 192.168.0.254 your default gateway for workstation A and it will talk to workstation B.
The reason the ASA won't do it is because it is designed not to redirect any packets back out the same interface they came in on. There are some tricks to make it do it, but the simple, easy answer is to simply use the router for what it was designed for, to route packets, and let the firewall be the firewall.
muff commented:

The command to let the ASA direct packets back out of the incoming interface is:

  same-security-traffic permit intra-interface

But fixing the default gateway is the correct approach.
Savvis (author) commented:
Hi lrmoore,

Thank you for the brief reply.
If I add a route statement on workstation A:
"route add 192.168.9.0 mask 255.255.255.0 192.168.0.254"
everything works fine.
But the reason I chose my default gateway (192.168.0.1) is that the Internet is more important than
accessing segment B. I'm afraid that if I choose the router as gateway it will slow down my Internet browsing (I just guess).

Is there any trick so the ASA knows how to redirect packets?

Thanks again
Don Johnston (Instructor) commented:
You could upgrade your ASA to 8.2(1) code. Then it will support ICMP redirects and send a redirect back to workstation A.
Savvis (author) commented:
Hi donjohnston,

My ASA has been upgraded to ver 8.2(1), but it still doesn't redirect.
There is the new version 8.3(1), but it requires a lot of memory (at least 1GB).

Thanks
Don Johnston (Instructor) commented:
According to this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

"ASA/PIX supports ICMP redirects from version 8.2(1) and later."

I'll see if I get some additional information.
Savvis (author) commented:
Hi donjohnston,

I think you are right.
It's my mistake: I just upgraded the ASA recently and had made the test before that.

I will try again sometime next week and will let you know the result.

Thank you very much.
Savvis (author) commented:
Hi donjohnston,

I tried it, but the ASA still doesn't redirect ICMP.
ASA# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)

The weird thing is that the ASA sees workstation B:
ASA# ping 192.168.9.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.9.245, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
lrmoore commented:
> I'm afraid if I choose the router as gateway it will slow down my Internet browsing
It will not slow anything down.
Savvis (author) commented:
Hi All,

Finally I have it working with these commands (called hairpinning):

asa(config)#same-security-traffic permit intra-interface
asa(config)#static (inside,inside) 192.168.0.0 192.168.9.0 netmask 255.255.255.0 norandomseq nailed
asa(config)#static (inside,inside) 192.168.9.0 192.168.9.0 netmask 255.255.255.0 norandomseq nailed
asa(config)#no sysopt noproxyarp inside
asa(config)#failover timeout -1

Thanks
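The routing behaviour argued over in this thread (lrmoore's point that the ASA will not send a packet back out the interface it arrived on, Savvis's host route "route add 192.168.9.0 mask 255.255.255.0 192.168.0.254", and the hairpin permitted by "same-security-traffic permit intra-interface") can be made concrete with a small forwarding model. The block below is an added example, not code from the thread or from Cisco: it does longest-prefix-match lookups on workstation A's and the ASA's routing tables and models only the ASA's intra-interface check, not the static NAT or proxy-ARP parts of the final config. Interface names, the upstream ISP next hop (203.0.113.1) and the Internet test address (198.51.100.10) are assumptions taken from documentation ranges.

```python
"""Forwarding model for the topology in this thread: segment A 192.168.0.0/24
with the ASA inside interface at 192.168.0.1 and the router's F0/0 at
192.168.0.254; segment B 192.168.9.0/24 behind that router.  Constructed
example: it models the routing decision and the ASA's intra-interface
check only, not NAT, proxy ARP or access lists."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
ASA_INSIDE = ipaddress.ip_address("192.168.0.1")    # workstation A's default gateway
ROUTER_F00 = ipaddress.ip_address("192.168.0.254")  # router interface facing segment A
ISP_GW = ipaddress.ip_address("203.0.113.1")        # assumed upstream next hop (TEST-NET-3)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[IPv4]   # None means the prefix is directly connected
    interface: str


def lookup(table: List[Route], dst) -> Optional[Route]:
    """Longest-prefix match: the most specific matching prefix wins, so a
    /24 route for segment B beats the /0 default without touching other traffic."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def next_hop(table: List[Route], dst) -> Optional[IPv4]:
    """Address the sender actually ARPs for: the route's next hop, or the
    destination itself when the prefix is directly connected."""
    dst = ipaddress.ip_address(dst)
    r = lookup(table, dst)
    if r is None:
        return None
    return dst if r.next_hop is None else r.next_hop


# Workstation A as described in the question: connected segment plus a default gateway.
HOST_A_DEFAULT = [
    Route(ipaddress.ip_network("192.168.0.0/24"), None, "eth0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), ASA_INSIDE, "eth0"),
]
# Workstation A after "route add 192.168.9.0 mask 255.255.255.0 192.168.0.254".
HOST_A_WITH_ROUTE = HOST_A_DEFAULT + [
    Route(ipaddress.ip_network("192.168.9.0/24"), ROUTER_F00, "eth0"),
]
# The ASA's table, including "route inside 192.168.9.0 255.255.255.0 192.168.0.254".
ASA_TABLE = [
    Route(ipaddress.ip_network("192.168.0.0/24"), None, "inside"),
    Route(ipaddress.ip_network("192.168.9.0/24"), ROUTER_F00, "inside"),
    Route(ipaddress.ip_network("0.0.0.0/0"), ISP_GW, "outside"),
]


def asa_forward(table: List[Route], ingress: str, dst,
                permit_intra_interface: bool = False) -> Tuple[str, str, Optional[IPv4]]:
    """Modelled ASA decision: a packet whose best route points back out the
    interface it arrived on is dropped unless
    'same-security-traffic permit intra-interface' is configured.
    Returns (verdict, egress interface or drop reason, next hop)."""
    r = lookup(table, dst)
    if r is None:
        return ("drop", "no route", None)
    if r.interface == ingress and not permit_intra_interface:
        return ("drop", "hairpin on %s not permitted" % ingress, None)
    return ("forward", r.interface, next_hop(table, dst))


def path_from_a(host_table: List[Route], dst, permit_intra_interface: bool = False) -> List[str]:
    """First hops a packet from workstation A takes toward dst."""
    hops = [str(next_hop(host_table, dst))]
    if hops[0] == str(ASA_INSIDE):
        verdict, where, nh = asa_forward(ASA_TABLE, "inside", dst, permit_intra_interface)
        hops.append("ASA %s (%s)" % (verdict, where) if nh is None
                    else "ASA -> %s -> %s" % (where, nh))
    return hops


if __name__ == "__main__":
    scenarios = (("default gw only", HOST_A_DEFAULT, False),
                 ("host route added", HOST_A_WITH_ROUTE, False),
                 ("ASA hairpin permitted", HOST_A_DEFAULT, True))
    for label, table, permit in scenarios:
        for dst in ("192.168.9.5", "198.51.100.10"):
            print("%-22s %-15s %s" % (label, dst, " -> ".join(path_from_a(table, dst, permit))))
```

Running it shows the three outcomes side by side: with only a default gateway, traffic for 192.168.9.5 goes to the ASA and is dropped at the intra-interface check; with the host route, only segment B traffic is sent to 192.168.0.254 while Internet traffic still goes straight to the ASA, which is why the added route cannot slow browsing; with the hairpin permitted, the ASA forwards the packet back out "inside" to the router, the extra hop lrmoore objects to.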
lrmoore commented:
It is still a workaround for not wanting to do it the easy way. You're making the firewall do something it was not designed to do, putting extra strain on the CPU of the ASA.
Savvis (author) commented:
Hi lrmoore:

The main reason is that we have vendors coming to the DMZ on the ASA; if we change the gateway
it will affect our applications, so our management doesn't want to change anything.

We've just added a point-to-point T1 to the remote office only for backup.
muff commented:
You are welcome to distribute points to those that assisted in this solution.
Savvis (author) commented:
No