Solved

creating route from ASA to 1720

Posted on 2016-08-08
9
58 Views
Last Modified: 2016-09-12
I need to set up a route in the ASA that sends all requests made to 192.168.7.x to the router 192.168.1.203.  That route seems to already be configured.  I have the command noted below; however, it seems when the request comes back from 192.168.1.203 it doesn't work properly.  I can only send/receive pings / ICMP.  What is the command that I need to add to the ASA to receive it from .203?  Below are my ASA and ASDM versions and the only command I have pertaining to this route.  I think I'm missing something else...  The 1720 has a wildcard stating 0.0.0.0 goes to 192.168.1.1

route inside 192.168.7.0 255.255.255.0 192.168.1.203 1

ASA 8.4(7)26
ASDM 6.4.(5)
Question by:gopher_49
9 Comments
 
LVL 9

Expert Comment

by:Cheever000
ID: 41748127
Are you hairpinning internally off the ASA for example

.7 network -----.1 network ------ASA?

If this is the case you need to look at TCP state bypass; this is for 8.2 but it is the same.

Sadly the ASA is not a router and really doesn't like to route traffic back inside its own network, due to the fact it is checking for the SYN, SYN-ACK, ACK; if it misses a step it will drop the traffic.  In this case, if the SYN goes through the ASA, the SYN-ACK will go straight to the host from the router and the final ACK will touch the ASA again, but the ASA never sees the SYN-ACK and will drop it.  Also don't forget the same-security-traffic permit intra-interface to reflect off the same interface.
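To make the dropped-step behaviour concrete, here is a small Python model of a stateful inspector sharing a segment with a router. This is an added example, not code from the thread or from Cisco; the addresses follow the topology described in the thread, and the `bypass` list stands in for an ASA class with TCP state bypass configured. It replays the flow that shows up in the logs later in the thread (192.168.7.56 connecting to 192.168.1.11:8020) both with and without a hairpin return path.

```python
"""Toy model of a stateful firewall that shares a segment with a router.

Added example, not from the thread: it replays the hairpin described above to
show why the ASA logs "Deny TCP (no connection)" for a SYN-ACK, and what a
TCP state bypass class changes. Addresses follow the thread's topology.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN ACK", "ACK" (or anything else, e.g. "RST")
    via_firewall: bool  # does this hop's routing send the packet through the ASA?


class StatefulInspector:
    # Handshake order the inspector insists on: last step seen -> flags expected next.
    NEXT = {None: "SYN", "SYN": "SYN ACK", "SYN ACK": "ACK"}

    def __init__(self, bypass=()):
        # (src_net, dst_net) pairs whose flows skip handshake tracking; the analogue
        # of an ASA class with `set connection advanced-options tcp-state-bypass`.
        self.bypass = [(ip_network(a), ip_network(b)) for a, b in bypass]
        self.state = {}   # direction-agnostic flow key -> last handshake step seen
        self.log = []

    @staticmethod
    def _key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def _bypassed(self, p):
        s, d = ip_address(p.src), ip_address(p.dst)
        return any((s in a and d in b) or (s in b and d in a) for a, b in self.bypass)

    def inspect(self, p):
        """Return True if the packet is forwarded, False if the firewall drops it."""
        if not p.via_firewall:
            return True   # the packet never touched the ASA; nothing to inspect
        ident = f"from {p.src}/{p.sport} to {p.dst}/{p.dport} flags {p.flags}"
        if self._bypassed(p):
            self.log.append(f"Bypass TCP {ident}")
            return True
        key = self._key(p)
        seen = self.state.get(key)
        if seen == "ACK":                      # established: pass data both ways
            return True
        if self.NEXT[seen] == p.flags:         # the step we were waiting for
            self.state[key] = p.flags
            return True
        # Anything else arrives with no matching connection: ASA message 106015.
        self.log.append(f"Deny TCP (no connection) {ident}")
        return False


def replay(bypass=(), hairpin=True):
    """Replay 192.168.7.56 -> 192.168.1.11:8020, the flow seen in the posted logs.

    hairpin=True: the SYN comes in from the 1720 at .203 straight onto the .1
    segment (the ASA never sees it) while the server's reply goes to its default
    gateway, the ASA. hairpin=False: every packet passes through the ASA.
    """
    fw = StatefulInspector(bypass)
    pkts = [
        Packet("192.168.7.56", 59162, "192.168.1.11", 8020, "SYN", via_firewall=not hairpin),
        Packet("192.168.1.11", 8020, "192.168.7.56", 59162, "SYN ACK", via_firewall=True),
        Packet("192.168.7.56", 59162, "192.168.1.11", 8020, "ACK", via_firewall=not hairpin),
    ]
    return [fw.inspect(p) for p in pkts], fw.log


if __name__ == "__main__":
    print(replay())                                               # SYN-ACK dropped
    print(replay(bypass=[("192.168.1.0/24", "192.168.7.0/24")]))  # SYN-ACK passes
    print(replay(hairpin=False))                                  # symmetric path: fine
```

On a real ASA the `bypass` list corresponds to an access list matched by a class-map, with `set connection advanced-options tcp-state-bypass` under that class in a policy-map and the policy applied to the inside interface, as in the Cisco guide linked later in the thread. The trade-off worth noting: flows in that class lose handshake validation and TCP normalisation, so keep the access list scoped to exactly the two subnets involved rather than `any`, and remember that `same-security-traffic permit intra-interface` is still needed for inside-to-inside forwarding.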
 

Author Comment

by:gopher_49
ID: 41748616
Cheever000,

My ASA's IP is 192.168.1.1.  Then.. I have 2 x 1720 that are on each side of a point-to-point T1 circuit.  Router 1's IP is 192.168.1.203.  Router 2's IP is 192.168.7.1.   I send all traffic destined for 192.168.7.x to router 1 via the command route inside 192.168.7.0 255.255.255.0 192.168.1.203 1 .  It seems to get to the destined network, for I can ping any of the hosts within the 192.168.7.x network; however, when the traffic comes back I think it's getting dropped.   I don't know what to do.. I have similar routes set up through my AT&T MPLS networks and the route command noted above is all I used..
 

Author Comment

by:gopher_49
ID: 41748627
Below are the ASA logs I see pertaining to the 192.168.7.x network.

4|Aug 09 2016|05:19:55|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:55|106015|192.168.1.221|8020|192.168.7.56|59164|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59164 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.11|8020|192.168.7.56|59163|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59163 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.221|8020|192.168.7.56|59164|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59164 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags RST  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.11|8020|192.168.7.56|59163|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59163 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.11|8020|192.168.7.56|59155|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59155 flags RST  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.221|8020|192.168.7.56|59160|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59160 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:47|302021|192.168.1.247|1|192.168.7.1|0|Teardown ICMP connection for faddr 192.168.1.247/1 gaddr 192.168.7.1/0 laddr 192.168.7.1/0
4|Aug 09 2016|05:19:46|106015|192.168.1.11|8020|192.168.7.56|59159|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59159 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.221|8020|192.168.7.56|59158|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59158 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.221|8020|192.168.7.56|59154|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59154 flags RST  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.11|8027|192.168.7.56|59153|Deny TCP (no connection) from 192.168.1.11/8027 to 192.168.7.56/59153 flags RST  on interface inside
4|Aug 09 2016|05:19:44|106015|192.168.1.221|8020|192.168.7.56|59157|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59157 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:43|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811987 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:43|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811987 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59152|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59152 flags RST  on interface inside
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59160|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59160 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:42|302014|192.168.1.234|59118|192.168.7.213|9100|Teardown TCP connection 53811970 for inside:192.168.1.234/59118 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:42|302013|192.168.1.234|59118|192.168.7.213|9100|Built inbound TCP connection 53811970 for inside:192.168.1.234/59118 (192.168.1.234/59118) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:41|302020|192.168.1.247|1|192.168.7.1|0|Built inbound ICMP connection for faddr 192.168.1.247/1 gaddr 192.168.7.1/0 laddr 192.168.7.1/0
4|Aug 09 2016|05:19:40|106015|192.168.1.11|8020|192.168.7.56|59159|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59159 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|106015|192.168.1.221|8020|192.168.7.56|59158|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59158 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|302015|192.168.1.14|16768|192.168.7.56|59084|Built inbound UDP connection 53811915 for inside:192.168.1.14/16768 (192.168.1.14/16768) to inside:192.168.7.56/59084 (192.168.7.56/59084)
4|Aug 09 2016|05:19:40|106015|192.168.1.221|8020|192.168.7.56|59160|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59160 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|106015|192.168.1.11|8020|192.168.7.56|59151|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59151 flags RST  on interface inside
4|Aug 09 2016|05:19:38|106015|192.168.1.221|8020|192.168.7.56|59157|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59157 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811856 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:37|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811856 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:37|106015|192.168.1.11|8020|192.168.7.56|59155|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59155 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.11|8020|192.168.7.56|59159|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59159 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.11|8020|192.168.7.56|59150|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59150 flags RST  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.221|8020|192.168.7.56|59158|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59158 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.221|8020|192.168.7.56|59149|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59149 flags RST  on interface inside
4|Aug 09 2016|05:19:36|302014|192.168.1.234|59118|192.168.7.213|9100|Teardown TCP connection 53811840 for inside:192.168.1.234/59118 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:36|302013|192.168.1.234|59118|192.168.7.213|9100|Built inbound TCP connection 53811840 for inside:192.168.1.234/59118 (192.168.1.234/59118) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:35|106015|192.168.1.221|8020|192.168.7.56|59157|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59157 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:35|106015|192.168.1.11|8020|192.168.7.56|59148|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59148 flags RST  on interface inside
4|Aug 09 2016|05:19:34|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811805 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:34|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811805 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:34|106015|192.168.1.221|8020|192.168.7.56|59154|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59154 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:34|106015|192.168.1.11|8027|192.168.7.56|59153|Deny TCP (no connection) from 192.168.1.11/8027 to 192.168.7.56/59153 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:34|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:33|302014|192.168.1.234|59118|192.168.7.213|9100|Teardown TCP connection 53811797 for inside:192.168.1.234/59118 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:33|302013|192.168.1.234|59118|192.168.7.213|9100|Built inbound TCP connection 53811797 for inside:192.168.1.234/59118 (192.168.1.234/59118) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:31|106015|192.168.1.11|8020|192.168.7.56|59155|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59155 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:31|106015|192.168.1.221|8020|192.168.7.56|59152|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59152 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:31|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:31|106015|192.168.1.11|8020|192.168.7.56|59147|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59147 flags RST  on interface inside
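The posted log already carries the signature of the hairpin: 106015 denies of a SYN-ACK that a local server sends toward 192.168.7.x (the ASA never saw the matching SYN), plus 302014 teardowns of local-to-remote connections that end in a reset at 0 bytes. As an added example, not part of the thread, the Python checker below reads the pipe-separated ASDM export format shown above and counts both symptoms per endpoint. `LOCAL` and `REMOTE` are the two subnets from the thread, and `SAMPLE_LOG` is a handful of lines copied from the posted log.

```python
"""Pull asymmetric-routing indicators out of ASA syslog in ASDM export format.

Added example, not from the thread. Two symptoms of a hairpin return path:
  * 106015 "Deny TCP (no connection)" where a local server's SYN-ACK toward
    the remote subnet is dropped (the ASA never saw the SYN), and
  * 302014 teardowns of local->remote connections with duration 0 and 0 bytes
    ending in a reset (the handshake broke on the way back).
LOCAL/REMOTE are the subnets from the thread; SAMPLE_LOG is copied from the post.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LOCAL = ip_network("192.168.1.0/24")   # segment the ASA's inside interface is on
REMOTE = ip_network("192.168.7.0/24")  # subnet reached through the 1720 at .203

SAMPLE_LOG = """\
4|Aug 09 2016|05:19:55|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:55|106015|192.168.1.221|8020|192.168.7.56|59164|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59164 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.11|8020|192.168.7.56|59163|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59163 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags RST  on interface inside
4|Aug 09 2016|05:19:43|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811987 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:43|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811987 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:41|302020|192.168.1.247|1|192.168.7.1|0|Built inbound ICMP connection for faddr 192.168.1.247/1 gaddr 192.168.7.1/0 laddr 192.168.7.1/0
""".splitlines()

FLAGS_RE = re.compile(r"flags (.+?)\s+on interface")
TEARDOWN_RE = re.compile(r"duration (\S+) bytes (\d+) (.+)$")


def parse(line):
    """Split one ASDM-style export line into its fixed columns plus message text."""
    sev, date, time, msgid, src, sport, dst, dport, text = line.split("|", 8)
    return {"sev": sev, "when": f"{date} {time}", "msgid": msgid,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "text": text}


def asymmetric_indicators(lines):
    """Return (syn_ack_denied, zero_byte_resets) counters keyed by (address, port)."""
    syn_ack_denied = Counter()    # local server (ip, port) whose SYN-ACKs are being dropped
    zero_byte_resets = Counter()  # remote (ip, port) whose connections die at 0 bytes
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        s, d = ip_address(rec["src"]), ip_address(rec["dst"])
        if not (s in LOCAL and d in REMOTE):
            continue   # only the local -> remote direction shows the hairpin symptom
        if rec["msgid"] == "106015":
            m = FLAGS_RE.search(rec["text"])
            if m and m.group(1).strip() == "SYN ACK":
                syn_ack_denied[(rec["src"], rec["sport"])] += 1
        elif rec["msgid"] == "302014":
            m = TEARDOWN_RE.search(rec["text"])
            if m and m.group(1) == "0:00:00" and m.group(2) == "0" and "Reset" in m.group(3):
                zero_byte_resets[(rec["dst"], rec["dport"])] += 1
    return syn_ack_denied, zero_byte_resets


def report(lines):
    """Human-readable summary, one line per affected endpoint."""
    denied, resets = asymmetric_indicators(lines)
    out = [f"SYN-ACK from {ip}/{port} toward {REMOTE} denied {n}x: ASA never saw the SYN"
           for (ip, port), n in sorted(denied.items())]
    out += [f"{n} connection(s) to {ip}/{port} reset at 0 bytes: reply path bypassed the ASA"
            for (ip, port), n in sorted(resets.items())]
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the full export, the first counter names the servers on 192.168.1.x whose replies are being routed around the firewall, which is the set of flows a TCP state bypass class (or a corrected gateway on those hosts) has to cover; plain RST denies and ICMP build/teardown pairs are deliberately ignored, since they do not distinguish a hairpin from ordinary noise.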
 
LVL 9

Expert Comment

by:Cheever000
ID: 41748651
Did you make any changes?  It appears to be doing exactly what I said, it isn't seeing the full handshake and is dropping it for no connection.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

Not sure why the link didn't show before.  Your other 2 options are to make the router the gateway (it can do redirects), and/or set static persistent routes on the hosts.
 

Author Comment

by:gopher_49
ID: 41748705
Initially I had the workstations that need to access the 192.168.7.x network use the gateway of .203, however, they can't access the 192.168.8.x network that is a virtual interface on the ASA.  This is why I'm trying to get it to route through the ASA.  The 192.168.8.x is a tagged virtual interface in a vlan.  For .203 to route to 192.168.8.x would it need a tagged virtual interface and a dedicated route assigned to the virtual interface?
 

Author Comment

by:gopher_49
ID: 41751993
Cheever000,

So...  I guess I need to get different routers on each side of the point to point circuit?  I don't think these can do routed VLANs...  Not sure what else to do..
 
LVL 9

Accepted Solution

by:Cheever000 (earned 500 total points)
ID: 41756658
They should have been able to reach the network if it was a new network/interface off the ASA being redirected from the router.  What can't do routed VLANs?  The ASA isn't really a router, but it does basic forwarding.  The 1721 is a router.

Thanks
 

Author Comment

by:gopher_49
ID: 41756691
So..  What are my options?  Don't I need a route with VLAN support since the 192.168.8.x network is a tagged VLAN?  That's the only way my ASA can handle the traffic, right?  Or will that still require the ASA to be a router?
 

Author Closing Comment

by:gopher_49
ID: 41794383
This makes sense, for I have an AT&T MPLS config off a dedicated physical interface and it works just fine..  The VLANs are the issue.. I'll implement ASAP.
