ip route doesn't work in ASA !!

Dear all, I have this network diagram.

From the PC (10.10.10.2) I can ping 10.10.10.1 (DMZ firewall), and the PC 192.168.1.2 can ping 10.10.10.1.

But the PC 10.10.10.2 cannot ping the IP 192.168.1.1 or 192.168.1.2.

I think I need to add an access rule or NAT to permit it; please send me this config.

Note:

From the firewall I can ping both IPs, 10.10.10.2 and 192.168.1.2.
 
[Attached diagram: test.jpg]

memo12345678 Asked:

3 Solutions
 
fwed29 Commented:
The firewall cannot route the traffic within the same interface.

You must add a route on the host 10.10.10.2 with the gateway 10.10.10.3 for the destination 192.168.1.2, or set the default gateway 10.10.10.3 on the host 10.0.10.2.
 
Ernie Beek Commented:
As a matter of fact, you can let the firewall route that. But that's not the best way to do it (it's still a firewall, not a router).
As fwed29 said, the best thing is to add a route on the host: route add -p 192.168.1.0 mask 255.255.255.0 10.10.10.3

Or, if you're using DHCP, add a route through there.
 
fwed29 Commented:
I don't quite agree, because the ASA can't route this traffic at all: both networks are under the same interface of the ASA.

You can ping thanks to the ICMP redirect, but you can't establish a connection due to asymmetric routing.

The best solution, for me, is to use the router as the gateway and add a route for ANY to the ASA:

If it's a Cisco router: ip route 0.0.0.0 0.0.0.0 10.10.10.1

The network 192.168.1.0 will be directly connected and known by the router.

As erniebeek said, just change the gateway on the DHCP server :)

The solution of adding a route on the host will work but is not the best ... and you must do the same thing on all your hosts.
 
Ernie Beek Commented:
@fwed29: ever heard of: same-security-traffic permit intra-interface ?

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
 
Ernie Beek Commented:
So it is possible, but not optimal :)
 
fwed29 Commented:
@erniebeek: Yes, of course :) But you need more modifications.

Always the same problem: asymmetric routing.

The ASA will forward the traffic, but the router will reply directly to your host:

Host#1 -> ASA (Gw) -> Router -> Host#2 -> Router -> Host#1

and not

Host#1 -> ASA (Gw) -> Router -> Host#2 -> Router -> ASA (Gw) -> Host#1

Because the router and the ASA are on the same subnet ;)
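The two paths fwed29 lists above, and the effect of the host route Ernie Beek suggested earlier (route add -p 192.168.1.0 mask 255.255.255.0 10.10.10.3), can be reproduced with a small longest-prefix-match routing simulation. This is an added example, not code from the thread or from Cisco. It follows the addresses named in the thread (Host#1 10.10.10.2, ASA 10.10.10.1, router 10.10.10.3) and assumes the router's other interface is 192.168.1.1, that the ASA has a route to 192.168.1.0/24 via 10.10.10.3, and that same-security-traffic permit intra-interface is already enabled on the ASA, since without it the ASA would drop the packet rather than forward it out the interface it arrived on.

```python
import ipaddress

# Constructed topology following the thread: Host#1 (10.10.10.2), the ASA's DMZ
# interface (10.10.10.1) and the router (10.10.10.3) share 10.10.10.0/24;
# 192.168.1.0/24 sits behind the router (192.168.1.1) with Host#2 (192.168.1.2).
# The router's inside address is an assumption, not taken from the diagram.
INTERFACES = {
    "Host#1": {"10.10.10.2"},
    "ASA":    {"10.10.10.1"},
    "Router": {"10.10.10.3", "192.168.1.1"},
    "Host#2": {"192.168.1.2"},
}


def build_tables(host1_gateway, host1_static_route=None):
    """Per-device routing tables as (prefix, next_hop) lists; next_hop None = connected.

    host1_gateway is Host#1's default gateway (the ASA or the router).
    host1_static_route, if given, is the next hop of a host route for
    192.168.1.0/24 (the 'route add -p' fix from the thread).
    The ASA is assumed to know 192.168.1.0/24 via the router and to have
    'same-security-traffic permit intra-interface' enabled.
    """
    host1 = [("10.10.10.0/24", None), ("0.0.0.0/0", host1_gateway)]
    if host1_static_route:
        host1.append(("192.168.1.0/24", host1_static_route))
    return {
        "Host#1": host1,
        "ASA":    [("10.10.10.0/24", None), ("192.168.1.0/24", "10.10.10.3")],
        "Router": [("10.10.10.0/24", None), ("192.168.1.0/24", None)],
        "Host#2": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
    }


def owner_of(ip):
    """Return the device that owns an interface address."""
    for device, addrs in INTERFACES.items():
        if ip in addrs:
            return device
    raise KeyError(f"no device owns {ip}")


def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None for direct delivery."""
    dst_addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst_addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    if best_net is None:
        raise LookupError(f"no route to {dst}")
    return best_hop


def trace(tables, src_device, dst_ip, max_hops=8):
    """Follow each device's routing decision and return the devices traversed."""
    target = owner_of(dst_ip)
    path = [src_device]
    current = src_device
    for _ in range(max_hops):
        next_hop = lookup(tables[current], dst_ip)
        current = target if next_hop is None else owner_of(next_hop)
        path.append(current)
        if current == target:
            return path
    raise RuntimeError(f"no delivery within {max_hops} hops: {path}")


def is_symmetric(forward_path, return_path):
    """True when the reply retraces the request, so every device sees both directions."""
    return forward_path == list(reversed(return_path))


def compare(label, tables):
    """Trace Host#1 -> Host#2 and the reply, print both, and return them."""
    fwd = trace(tables, "Host#1", "192.168.1.2")
    back = trace(tables, "Host#2", "10.10.10.2")
    print(f"{label}\n  request: {' -> '.join(fwd)}\n  reply:   {' -> '.join(back)}"
          f"\n  symmetric: {is_symmetric(fwd, back)}")
    return fwd, back


if __name__ == "__main__":
    compare("Host#1 gateway = ASA (10.10.10.1)", build_tables("10.10.10.1"))
    compare("Host#1 gateway = ASA + host route via 10.10.10.3",
            build_tables("10.10.10.1", host1_static_route="10.10.10.3"))
    compare("Host#1 gateway = router (10.10.10.3)", build_tables("10.10.10.3"))
```

With the ASA as gateway the request crosses the ASA but the reply goes Router -> Host#1 directly, because the router has 10.10.10.0/24 as a connected network; a stateful firewall that sees only one direction of a TCP flow cannot build a session, which is the connection failure fwed29 describes. Either the host route or moving the default gateway to the router removes the ASA from the path entirely and both directions line up.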
 
Ernie Beek Commented:
Ah, that part.
I thought you were aiming at the impossibility of routing out the same interface on the ASA. Got lost in translation there :(
Point taken.
 
memo12345678 Author Commented:
Thanks to both!
