Routing

I have 2 IP segments: (A) 192.168.0.0/24 and (B) 192.168.9.0/24.
They are routed by a router. Both access the Internet through an ASA 5510 (see attachment).

Workstation B can browse the Internet and access workstation A.
Workstation A can browse the Internet but cannot access workstation B

Even on the ASA (gateway of workstation A) I have a route statement:
route inside 192.168.9.0 255.255.255.0 192.168.0.254 (Router F0/0)
I don't know why it doesn't carry out that routing statement.

Thank You.
Routing.jpg
Savvis asked:
muff Commented:
You are welcome to distribute points to those that assisted in this solution.
0
 
lrmooreCommented:
Make 192.168.0.254 your default gateway for workstation A and it will talk to workstation B
The reason the ASA won't do it is because it is designed not to redirect any packets back out the same interface it came in on. There are some tricks to make it do it, but the simple, easy answer is to simply use the router for what it was designed for - to route packets - and let the firewall be the firewall.
0
 
muffCommented:

The command to let the ASA direct packets back out of the incoming interface is:

  same-security-traffic permit intra-interface

But fixing the default gateway is the correct approach.
0
 
SavvisAuthor Commented:
Hi lrmoore,

Thank you for the brief reply.
If I add a route statement on workstation A:
"route add 192.168.9.0 mask 255.255.255.0 192.168.0.254"
Everything works fine.
But the reason I chose my default gateway (192.168.0.1) is that the Internet is more important than
accessing segment B. I'm afraid if I choose the router as gateway it will slow down my Internet browsing (I just guess).

Is there any trick so the ASA knows how to redirect packets?

Thanks again

0
 
Don JohnstonInstructorCommented:
You could upgrade your ASA to 8.2(1) code. Then it will support ICMP redirects and send a redirect back to workstation A.
0
 
SavvisAuthor Commented:
Hi donjohnston,

My ASA has been upgraded to ver 8.2(1), but it still doesn't redirect.
There is the new version 8.3(1), but it requires a lot of memory ( at least 1GB).

Thanks
0
 
Don JohnstonInstructorCommented:
According to this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

"ASA/PIX supports ICMP redirects from  version 8.2(1) and later."

I'll see if I get some additional information.


0
 
SavvisAuthor Commented:
Hi donjohnston,

I think you are right.  
It's my mistake: I just upgraded the ASA recently and had made the test before that.

I will try again sometime next week and will let you know the result.

Thank you very much.
0
 
SavvisAuthor Commented:
Hi donjohnston,

I tried it, but the ASA still doesn't redirect ICMP.
ASA# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)

The weird thing is the ASA sees workstation B:
ASA# ping 192.168.9.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.9.245, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
0
 
lrmooreCommented:
> I'm afraid if I choose the router as gateway it will slow down my Internet browsing
It will not slow anything down
0
 
SavvisAuthor Commented:
Hi All,

Finally I have it working with these commands (called hairpinning):

! allow traffic to enter and leave the ASA on the same (inside) interface
asa(config)#same-security-traffic permit intra-interface
! inside-to-inside static translations for the hairpinned traffic; norandomseq leaves TCP sequence numbers untouched, nailed keeps TCP connections across failover
asa(config)#static (inside,inside) 192.168.0.0 192.168.9.0 netmask 255.255.255.0 norandomseq nailed
asa(config)#static (inside,inside) 192.168.9.0 192.168.9.0 netmask 255.255.255.0 norandomseq nailed
! re-enable proxy ARP on the inside interface
asa(config)#no sysopt noproxyarp inside
! never time out nailed connections
asa(config)#failover timeout -1

Thanks
0
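As an added example (not from the thread or any of its participants), a small Python model of the forwarding decisions discussed above: longest-prefix-match lookups on workstation A, the router and the ASA, with the ASA refusing to send a packet back out the interface it arrived on unless intra-interface traffic is permitted. It shows why the `route inside` statement alone does not help, why either the static route on workstation A or the router as default gateway fixes it, and what `same-security-traffic permit intra-interface` changes. The ASA inside address 192.168.0.1 and router F0/0 192.168.0.254 are from the thread and 192.168.9.5 from the ping above; the ISP next hop, the Internet host address and the router's F0/1 interface name are assumptions.

```python
import ipaddress

# Constructed model of the thread's topology. ASA inside (192.168.0.1) and
# router F0/0 (192.168.0.254) are from the thread; ISP next hop, Internet host
# and the router's F0/1 interface are assumptions for this example.
ASA_INSIDE = "192.168.0.1"
ROUTER_F0_0 = "192.168.0.254"
ISP_NEXT_HOP = "203.0.113.1"      # assumed (TEST-NET-3)
WS_B = "192.168.9.5"
INTERNET_HOST = "198.51.100.10"   # assumed (TEST-NET-2)

# Forwarding tables: (prefix, next_hop, egress_interface).
# "connected" means the destination is on the attached segment.
ASA_ROUTES = [
    ("0.0.0.0/0", ISP_NEXT_HOP, "outside"),
    ("192.168.0.0/24", "connected", "inside"),
    # route inside 192.168.9.0 255.255.255.0 192.168.0.254
    ("192.168.9.0/24", ROUTER_F0_0, "inside"),
]
ROUTER_ROUTES = [
    ("0.0.0.0/0", ASA_INSIDE, "F0/0"),
    ("192.168.0.0/24", "connected", "F0/0"),
    ("192.168.9.0/24", "connected", "F0/1"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (next_hop, egress_iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return None if best is None else (best[1], best[2])


def workstation_a_routes(default_gw, extra_routes=()):
    """Workstation A: connected /24, a default route, and optional statics
    (e.g. the 'route add 192.168.9.0 mask 255.255.255.0 192.168.0.254')."""
    return [("0.0.0.0/0", default_gw, "eth0"),
            ("192.168.0.0/24", "connected", "eth0"),
            *extra_routes]


def asa_hop(dst, ingress_iface, intra_interface_permitted):
    """ASA forwarding: a packet is not sent back out its ingress interface
    unless 'same-security-traffic permit intra-interface' is configured."""
    nh, egress = lookup(ASA_ROUTES, dst)
    if egress == ingress_iface and not intra_interface_permitted:
        return "ASA: dropped (egress == ingress interface, intra-interface not permitted)"
    return f"ASA: forwarded via {nh} out {egress}"


def router_hop(dst):
    """The router happily forwards out the interface it received on
    (it would normally send an ICMP redirect to the host as well)."""
    nh, egress = lookup(ROUTER_ROUTES, dst)
    return f"router: forwarded via {nh} out {egress}"


def trace_from_a(dst, default_gw, extra_routes=(), intra_interface_permitted=False):
    """Hop-by-hop path of a packet from workstation A toward dst."""
    hops = []
    nh, _ = lookup(workstation_a_routes(default_gw, extra_routes), dst)
    if nh == "connected":
        return ["A: delivered on local segment"]
    hops.append(f"A: next hop {nh}")
    if nh == ASA_INSIDE:
        hops.append(asa_hop(dst, "inside", intra_interface_permitted))
    elif nh == ROUTER_F0_0:
        hops.append(router_hop(dst))
        r_nh, _ = lookup(ROUTER_ROUTES, dst)
        if r_nh == ASA_INSIDE:   # Internet-bound: router hands off to the ASA
            hops.append(asa_hop(dst, "inside", intra_interface_permitted))
    return hops


def reaches(hops):
    """True when no hop on the path dropped the packet."""
    return not any("dropped" in h for h in hops)


if __name__ == "__main__":
    scenarios = {
        "default gw = ASA, to B": trace_from_a(WS_B, ASA_INSIDE),
        "default gw = ASA + static route, to B": trace_from_a(
            WS_B, ASA_INSIDE, extra_routes=[("192.168.9.0/24", ROUTER_F0_0, "eth0")]),
        "default gw = ASA, intra-interface permitted, to B": trace_from_a(
            WS_B, ASA_INSIDE, intra_interface_permitted=True),
        "default gw = router, to B": trace_from_a(WS_B, ROUTER_F0_0),
        "default gw = router, to Internet": trace_from_a(INTERNET_HOST, ROUTER_F0_0),
    }
    for name, hops in scenarios.items():
        print(f"{name}: {'OK' if reaches(hops) else 'FAIL'} -> {hops}")
```

The last scenario is the point lrmoore makes: with the router as workstation A's default gateway, Internet-bound packets take one extra hop on the LAN and still leave through the ASA; nothing is lost except the single-interface hairpin the ASA was refusing to do.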
 
lrmooreCommented:
It is still a workaround for not wanting to do it the easy way. You're making the firewall do something it was not designed to do, putting extra strain on the CPU of the ASA.
0
 
SavvisAuthor Commented:
Hi lrmoore:

The main reason is that we have vendors coming to the DMZ on the ASA; if we change the gateway
it will affect our applications, so our management doesn't want to change anything.

We've just added a point-to-point T1 to the remote office only for backup.

0
 
SavvisAuthor Commented:
No
0