• Status: Solved

Routing between 2 ASA's on internal subnet

I have 2 ASA 5505 firewalls that are each connected to the internet. ASA#1 is a VPN tunnel to other outside networks and its internal IP address is 172.17.0.1. ASA#2 is just for outgoing internet traffic only, and its internal IP address is 172.17.0.2. They are both connected to the same internal switch where all the client PCs are located.

When I set up routes in ASA#2 to point to ASA#1 to route a few networks through the VPN, it does not work. I know this will work since at one site, we have a SonicWall that has routes pointing to another ASA VPN firewall. Is there anything special you need to do to route traffic from one ASA to another on the same subnet? I don't want to have to add 'route add...' statements to the Windows routing table for all clients. Thanks.
3 Solutions
 
SuperTaco commented:
sonicWALL will create routes for you.  In an ASA you have to define the routes.  Can you post your config?
 
lrmoore commented:
You also have to allow same-security intra-interface traffic on the ASA.
And disable proxy ARP on the inside interfaces of both ASAs.
 
dcj21 commented:
lrmoore is correct; by default the ASA will not allow routing between subnets on the inside interface.
But your traffic is going across the ASA and out the VPN, so you need:
same-security inter-interface traffic

inter-interface - Permits communication between different interfaces that have the same security level.
intra-interface - Permits communication in and out of the same interface.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814
 
B1izzard (Author) commented:
So I will add same-security intra-interface on both ASAs, but what does disabling proxy ARP do? Is it required?
 
dcj21 commented:
Proxy ARP allows the router (or ASA) to pretend to be another IP device.

Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine. By "faking" its identity, the router accepts responsibility for routing packets to the "real" destination. Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml

Read this discussion - http://www.gossamer-threads.com/lists/cisco/nsp/83660

In short, it hides problems.
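Pulling the advice from dcj21's two comments (same-security traffic and proxy ARP) into one place, here is what the hairpin setup discussed in this thread looks like as ASA configuration. This is an added example, not config posted by anyone in the thread; it assumes ASA 8.2-era syntax, an inside segment of 172.17.0.0/24 (the thread does not give the mask), and uses 172.16.20.0/24 as the VPN-protected network because that is the subnet in the poster's later nat statement.

```text
! ===== ASA#2 (172.17.0.2, internet-only, default route to its ISP) =====
! A packet from a client arrives on "inside" and must leave on "inside"
! again towards ASA#1. Without this line the ASA drops it.
same-security-traffic permit intra-interface
!
! Do not answer ARP on behalf of other hosts on the shared inside segment,
! so clients resolve 172.17.0.1 to ASA#1's own MAC, not to ASA#2.
sysopt noproxyarp inside
!
! Static route: send the VPN-protected network to ASA#1 instead of the
! default route to the internet.
route inside 172.16.20.0 255.255.255.0 172.17.0.1 1
!
! NAT exemption for the hairpinned flow (inside -> inside), so the client's
! real address is kept and no port map is needed. Inside mask is assumed.
access-list nat0_inside extended permit ip 172.17.0.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list nat0_inside
!
! ===== ASA#1 (172.17.0.1, VPN terminator) =====
! Flows from ASA#2 enter on inside and leave on outside, so no
! same-security line is needed here; proxy ARP is still switched off so
! the two ASAs do not answer ARP for each other's routed networks.
sysopt noproxyarp inside
```

Note the traffic pattern this creates: the request goes client -> ASA#2 -> ASA#1 -> VPN, but the reply comes VPN -> ASA#1 -> client directly, so ASA#2 only ever sees one direction of each connection. That is the asymmetry the poster suspects further down the thread, and it is the reason the config above makes the setup possible rather than clean.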
 
B1izzard (Author) commented:
Thanks everyone.  I'll give it a go on Monday.
 
dcj21 commented:
Good luck. Let us know if it works.

If not, grab the logs on the ASAs.
 
B1izzard (Author) commented:
I get "Portmap translation creation failed" for ICMP. I then added the following:
nat (inside) 0 172.16.20.0 255.255.255.0
access-list nat0_inside in int inside

...but still get the portmap failure. I can ping the destination IP address from ASA#2, so the route is there and working, just not from the client. Any ideas?
 
B1izzard (Author) commented:
I did get a ping to work from ASA#2 to the other end of the VPN tunnel (through ASA#1). The problem is now with TCP traffic. I seem to be getting some RSTs in Wireshark. It seems like it may be an asymmetric issue. I do have the traffic going to the client, and it shows it's being sent back, but for some reason the connection may be breaking back at ASA#1 on re-entry.

I tried adding statics as described here as well: http://blogg.kvistofta.nu/cisco-asa-hairpinning/

Is this just a bad idea altogether?
 
lrmoore commented:
Did you try the "no nat-control" command on both?
Did you allow the same-security traffic commands on both?
Generally, yes, it is a bad idea to try to make these devices do stuff they were never designed to do with workarounds.
 
B1izzard (Author) commented:
I changed things so I didn't have to do it this way, thereby resolving the problem. I did not get it working since I abandoned this method, but I'm sure your suggestions would work.