ip route doesn't work in ASA!!

Dear I have this network diagram

from pc ( can ping to (dmz firewall) and pc can ping to

But pc cannot ping to ip or

I think I need to add an access rule or NAT to permit it. Please send me this config.

Note:

From the firewall I can ping both IPs and

fwed29 commented:
@erniebeek : Yes, of course :) But you need more modification.

Always the same problem : asymmetric routing

The ASA will forward the traffic but the router will reply directly to your host:

Host#1 -> ASA (Gw) -> Router -> Host#2 -> Router -> Host#1

and not

Host#1 -> ASA (Gw) -> Router -> Host#2 -> Router -> ASA(gw) -> Host#1

Because the router and the ASA are on the same subnet ;)
The firewall cannot route traffic within the same interface.

You must add a route on the host with the gateway for the destination, or set the default gateway on the host
Ernie Beek commented:
As a matter of fact you can let the firewall route that. But that's not the best way to do it (it's still a firewall, not a router).
As fwed29 said, best thing is to add a route on the host: route add -p mask

Or, if you're using dhcp, add a route through there.

I don't quite agree, because the ASA can't route this traffic at all: both networks are under the same interface of the ASA.

You can ping thanks to the ICMP redirect, but you can't establish a connection due to asymmetric routing.

The best solution, for me, is to use the router as gateway and add a route ANY to the ASA :

If it's a Cisco router: ip route

The network will be directly connected and known by the router.

As erniebeek said, just change the gateway on the DHCP server :)

The solution of adding a route on the host will work but is not the best ... and you must do the same thing on all your hosts.
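The router-as-gateway design described in this comment, written out as a constructed configuration example (not from the thread and not from Cisco). The thread's addresses were stripped, so RFC 5737 documentation addresses stand in for them; the layout (ASA inside interface and router on one LAN, Host#2's network directly connected to the router) and the choice of the router as DHCP server are assumptions, and the ASA line at the end is shown only because the ASA still needs a route to the Host#2 network for DMZ- or outside-initiated traffic.

```cisco
! --- Router (Cisco IOS); constructed example, addresses are RFC 5737 placeholders ---
! Assumed layout:
!   192.0.2.0/24    = inside LAN shared by the ASA inside interface, the router and Host#1
!   192.0.2.1       = ASA inside interface
!   192.0.2.2       = router LAN interface (becomes the hosts' default gateway)
!   198.51.100.0/24 = Host#2 network, directly connected behind the router
!
interface GigabitEthernet0/0
 description Inside LAN (same subnet as the ASA inside interface)
 ip address 192.0.2.2 255.255.255.0
 ! optional: stop hosts from learning per-destination next hops via ICMP redirect
 no ip redirects
!
interface GigabitEthernet0/1
 description Host#2 network (directly connected, so no static route is needed)
 ip address 198.51.100.1 255.255.255.0
!
! "route ANY to the ASA": everything the router does not know goes to the firewall
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Only if the router is the DHCP server: hand out the router, not the ASA, as gateway
ip dhcp excluded-address 192.0.2.1 192.0.2.10
ip dhcp pool INSIDE-LAN
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.2
!
! --- ASA side (separate device) so DMZ/outside-initiated traffic can reach Host#2 ---
! The ASA keyword is "route <ifname> ...", not the IOS "ip route"
route inside 198.51.100.0 255.255.255.0 192.0.2.2
```

With this in place both directions of a Host#1 to Host#2 flow pass through the router only, and Internet-bound traffic goes host, router, ASA and back the same way, so the ASA sees both halves of every connection it handles. The per-host `route add -p` alternative from earlier in the thread achieves the same symmetry for one host at a time, which is why it has to be repeated on every host.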
Ernie Beek commented:
@fwed29: ever heard of: same-security-traffic permit intra-interface?

Ernie Beek commented:
So it is possible but not optimal :)
Ernie Beek commented:
Ah that part.
I thought you were aiming at the impossibility to route out the same interface on the asa. Got lost in translation there :(
Point taken.
memo12345678 (Author) commented:
thx for bothhhhhh