Help with routing between networks

Posted on 2013-01-11
Last Modified: 2013-01-13
In my foray into the Cisco realm, I recently configured an ASA with access to the internet via static public IP (see blue shaded area of attached topology).  The green shaded area of the topology represents a different subnet connected to the ASA.  I configured the ASA to perform NAT for both of the following networks:
I verified that both of the above could reach the internet.

What I am having difficulty with is configuring both the router and the ASA to allow communication with each other from the network to the network. I've been reading through CCNA materials and have tried to follow lab examples, but can't seem to get it working. I enabled EIGRP on both and verified that routes are being advertised. I know I'm missing something.

My goal is to understand the commands required under the different platforms (ASA 9.0 and IOS 15) and learn the most efficient way of establishing communication between the two subnets. Also, I need to fill my knowledge gaps.

Please see the attached topology, ASA configuration, and router configuration.  Thank you all in advance for taking a look!
Question by: J3ckyl
LVL 20

Expert Comment

ID: 38770016
Same-security-traffic permit intra-interface

By default an ASA will not allow hairpin routing, so you'll need to enable it.

Author Comment

ID: 38770680
Thanks rauenpc. I entered that command into the ASA CLI, but nothing changed. From hosts on the network, I can ping the interface, but not hosts on the network. I still cannot ping hosts on the network from the network. I appreciate the input. Any other areas I should look at? I am completely new to ASA and I'm wondering if I have to configure ACLs to specifically allow the two networks to communicate.
LVL 20

Accepted Solution

rauenpc earned 1500 total points
ID: 38771058
It would appear that you have split routing. If the devices on the 10 network have the ASA set as a default gateway, that means that traffic uses the ASA in one direction for routing, but in the opposite direction the ASA is only used for switching, based on your diagram. The ASA would, by default, classify all the traffic as half open and drop packets.
Personally, I would lay out the network Internet -- ASA -- router -- switch. The switch can have two VLANs, the router can do routing, and the ASA does the firewalling. This way the ASA doesn't need to worry about routing beyond inside/outside.

Author Comment

ID: 38771402
Thanks, I'll mark that as the solution. While that definitely is a solid solution and makes for a cleaner network, for the sake of learning, what would I need to correct the current situation?
LVL 20

Expert Comment

ID: 38772818
You would need to either:
  • set all the 10.x devices to use the router as a default gateway
  • add static routes on all devices in the 10.x network to use the router when going to the 172.x network
  • configure state bypass on the ASA for that particular traffic. State bypass essentially ignores the state of traffic and just lets it route with no care as to half-open connections, or any other possible attack.

A neat thing that you can do if you're using a Windows DHCP server is set option 249. Option 249 is the Classless IP static route option, and it pushes down a set of static routes to any machine that requests it. Windows machines do request that option by default. The option allows you to specify a subnet and a gateway to use for this. In your case, you would only need this in the 10.x subnet. Although this works, I wouldn't really suggest this in a production network except as a band-aid while working through a better solution such as redesigning the layout to remove the need for such static routes. I don't know if any non-Windows devices accept option 249, so any Linux/Unix machines or printers would still have an issue.
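The classless static route option described in the comment above has a fixed wire format: RFC 3442 defines it as option 121, and Microsoft's option 249 carries the same encoding (one byte of prefix length, only the significant octets of the destination, then the four-byte gateway). As an added example that is not part of the original thread, here is an encoder and decoder for that format; the subnets and gateway are constructed placeholders, since the thread does not give the real addresses.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # (destination in CIDR form, next-hop gateway)


def encode_classless_routes(routes: List[Route]) -> bytes:
    """Encode routes in RFC 3442 format (DHCP option 121 / Microsoft 249).

    Per route: 1 byte prefix length, ceil(prefix/8) destination octets,
    4 gateway octets. A 0.0.0.0/0 default route therefore has no
    destination octets at all.
    """
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # reject host bits
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)


def decode_classless_routes(data: bytes) -> List[Route]:
    """Inverse of encode_classless_routes; rejects malformed input."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        significant = (plen + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated classless static route option")
        dest = data[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        gw = data[i:i + 4]
        i += 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(gw))))
    return routes


# Constructed placeholder: send 10.x hosts to the 172.x network via the
# router's inside address, while the ASA stays the default gateway.
SAMPLE_ROUTES: List[Route] = [("172.16.0.0/16", "10.0.0.2")]

if __name__ == "__main__":
    wire = encode_classless_routes(SAMPLE_ROUTES)
    print(wire.hex(), decode_classless_routes(wire))
```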
