• Status: Solved
  • Priority: Medium
  • Security: Public

creating route from ASA to 1720

I need to set up a route in the ASA that sends all requests made to 192.168.7.x to the router 192.168.1.203. That route seems to already be configured. I have the command noted below; however, it seems that when the request comes back from 192.168.1.203 it doesn't work properly. I can only send/receive pings / ICMP. What is the command that I need to add to the ASA to receive it from .203? Below are my ASA and ASDM versions and the only command I have pertaining to this route. I think I'm missing something else... The 1720 has a wildcard stating 0.0.0.0 goes to 192.168.1.1

route inside 192.168.7.0 255.255.255.0 192.168.1.203 1

ASA 8.4(7)26
ASDM 6.4.(5)
Asked by: gopher_49
1 Solution

Cheever000 commented:
Are you hairpinning internally off the ASA? For example:

.7 network ----- .1 network ----- ASA?

If this is the case you need to look at TCP state bypass. This is for 8.2, but it is the same.

Sadly the ASA is not a router and really doesn't like to route traffic back inside its own network, due to the fact that it is checking for the SYN, SYN-ACK, ACK; if it misses a step it will drop the traffic. In this case, if the SYN goes through the ASA, the SYN-ACK will go straight to the host from the router and the final ACK will touch the ASA again, but the ASA never sees the SYN-ACK and will drop it. Also don't forget the same-security-traffic permit intra-interface to reflect off the same interface.
0
 
gopher_49 (Author) commented:
Cheever000,

My ASA's IP is 192.168.1.1. Then I have 2 x 1720s that are on each side of a point-to-point T1 circuit. Router 1's IP is 192.168.1.203. Router 2's IP is 192.168.7.1. I send all traffic destined for 192.168.7.x to router 1 via the command route inside 192.168.7.0 255.255.255.0 192.168.1.203 1 . It seems to get to the destined network, for I can ping any of the hosts within the 192.168.7.x network; however, when the traffic comes back I think it's getting dropped. I don't know what to do... I have similar routes set up through my AT&T MPLS networks and the route command noted above is all I used.
0
 
gopher_49 (Author) commented:
Below are the ASA logs I see pertaining to the 192.168.7.x network.

4|Aug 09 2016|05:19:55|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:55|106015|192.168.1.221|8020|192.168.7.56|59164|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59164 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.11|8020|192.168.7.56|59163|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59163 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.221|8020|192.168.7.56|59164|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59164 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags RST  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.11|8020|192.168.7.56|59163|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59163 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.11|8020|192.168.7.56|59155|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59155 flags RST  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.221|8020|192.168.7.56|59160|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59160 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:47|302021|192.168.1.247|1|192.168.7.1|0|Teardown ICMP connection for faddr 192.168.1.247/1 gaddr 192.168.7.1/0 laddr 192.168.7.1/0
4|Aug 09 2016|05:19:46|106015|192.168.1.11|8020|192.168.7.56|59159|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59159 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.221|8020|192.168.7.56|59158|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59158 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.221|8020|192.168.7.56|59154|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59154 flags RST  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.11|8027|192.168.7.56|59153|Deny TCP (no connection) from 192.168.1.11/8027 to 192.168.7.56/59153 flags RST  on interface inside
4|Aug 09 2016|05:19:44|106015|192.168.1.221|8020|192.168.7.56|59157|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59157 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:43|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811987 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:43|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811987 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59152|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59152 flags RST  on interface inside
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59160|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59160 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:42|302014|192.168.1.234|59118|192.168.7.213|9100|Teardown TCP connection 53811970 for inside:192.168.1.234/59118 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:42|302013|192.168.1.234|59118|192.168.7.213|9100|Built inbound TCP connection 53811970 for inside:192.168.1.234/59118 (192.168.1.234/59118) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:41|302020|192.168.1.247|1|192.168.7.1|0|Built inbound ICMP connection for faddr 192.168.1.247/1 gaddr 192.168.7.1/0 laddr 192.168.7.1/0
4|Aug 09 2016|05:19:40|106015|192.168.1.11|8020|192.168.7.56|59159|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59159 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|106015|192.168.1.221|8020|192.168.7.56|59158|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59158 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|302015|192.168.1.14|16768|192.168.7.56|59084|Built inbound UDP connection 53811915 for inside:192.168.1.14/16768 (192.168.1.14/16768) to inside:192.168.7.56/59084 (192.168.7.56/59084)
4|Aug 09 2016|05:19:40|106015|192.168.1.221|8020|192.168.7.56|59160|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59160 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|106015|192.168.1.11|8020|192.168.7.56|59151|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59151 flags RST  on interface inside
4|Aug 09 2016|05:19:38|106015|192.168.1.221|8020|192.168.7.56|59157|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59157 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811856 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:37|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811856 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:37|106015|192.168.1.11|8020|192.168.7.56|59155|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59155 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.11|8020|192.168.7.56|59159|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59159 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.11|8020|192.168.7.56|59150|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59150 flags RST  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.221|8020|192.168.7.56|59158|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59158 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.221|8020|192.168.7.56|59149|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59149 flags RST  on interface inside
4|Aug 09 2016|05:19:36|302014|192.168.1.234|59118|192.168.7.213|9100|Teardown TCP connection 53811840 for inside:192.168.1.234/59118 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:36|302013|192.168.1.234|59118|192.168.7.213|9100|Built inbound TCP connection 53811840 for inside:192.168.1.234/59118 (192.168.1.234/59118) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:35|106015|192.168.1.221|8020|192.168.7.56|59157|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59157 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:35|106015|192.168.1.11|8020|192.168.7.56|59148|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59148 flags RST  on interface inside
4|Aug 09 2016|05:19:34|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811805 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:34|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811805 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:34|106015|192.168.1.221|8020|192.168.7.56|59154|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59154 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:34|106015|192.168.1.11|8027|192.168.7.56|59153|Deny TCP (no connection) from 192.168.1.11/8027 to 192.168.7.56/59153 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:34|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:33|302014|192.168.1.234|59118|192.168.7.213|9100|Teardown TCP connection 53811797 for inside:192.168.1.234/59118 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:33|302013|192.168.1.234|59118|192.168.7.213|9100|Built inbound TCP connection 53811797 for inside:192.168.1.234/59118 (192.168.1.234/59118) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:31|106015|192.168.1.11|8020|192.168.7.56|59155|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59155 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:31|106015|192.168.1.221|8020|192.168.7.56|59152|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59152 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:31|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:31|106015|192.168.1.11|8020|192.168.7.56|59147|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59147 flags RST  on interface inside
0
 
Cheever000 commented:
Did you make any changes? It appears to be doing exactly what I said: it isn't seeing the full handshake and is dropping it for no connection.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

Not sure why the link didn't show before. Your other 2 options are to make the router the gateway (it can do redirects), and/or set static persistent routes on the hosts.
0
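The TCP state bypass configuration Cheever000 points to in both of the comments above, written out as an added example for this thread's addressing; it is not from the original posts or from Cisco's guide. It assumes the names tcp_bypass and inside_policy, the interface name inside as it appears in the logs, and that no service-policy is already applied to that interface (the class could equally be added to an existing global_policy).

```cisco
! Added example (not from the thread): TCP state bypass for hairpinned traffic
! between 192.168.1.0/24 and 192.168.7.0/24 (reached via 192.168.1.203),
! ASA 8.4 syntax. The object and policy names are assumptions.
!
! Allow traffic to enter and leave the same interface (the hairpin itself).
same-security-traffic permit intra-interface
!
! Match both directions: the SYN-ACK of a 192.168.7.x -> 192.168.1.x
! connection reaches the ASA without the ASA ever having seen the SYN,
! which is exactly the 106015 "Deny TCP (no connection)" entries above.
access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list tcp_bypass extended permit tcp 192.168.7.0 255.255.255.0 192.168.1.0 255.255.255.0
!
class-map tcp_bypass
 match access-list tcp_bypass
!
policy-map inside_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy inside_policy interface inside
```

State bypass turns off stateful TCP checking only for the flows the ACL matches, so keep it limited to the two subnets involved; the existing route inside 192.168.7.0 255.255.255.0 192.168.1.203 1 stays as it is.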
 
gopher_49 (Author) commented:
Initially I had the workstations that need to access the 192.168.7.x network use the gateway of .203; however, they can't access the 192.168.8.x network that is a virtual interface on the ASA. This is why I'm trying to get it to route through the ASA. The 192.168.8.x is a tagged virtual interface in a VLAN. For .203 to route to 192.168.8.x, would it need a tagged virtual interface and a dedicated route assigned to the virtual interface?
0
 
gopher_49 (Author) commented:
Cheever000,

So... I guess I need to get different routers on each side of the point-to-point circuit? I don't think these can do routed VLANs... Not sure what else to do.
0
 
Cheever000 commented:
They should have been able to reach the network if it was a new network/interface off the ASA being redirected from the router. What can't do routed VLANs? The ASA isn't really a router, but it does basic forwarding. The 1721 is a router.

Thanks
0
 
gopher_49 (Author) commented:
So... What are my options? Don't I need a route with VLAN support, since the 192.168.8.x network is a tagged VLAN? That's the only way my ASA can handle the traffic, right? Or will that still require the ASA to be a router?
0
 
gopher_49 (Author) commented:
This makes sense, for I have an AT&T MPLS config off a dedicated physical interface and it works just fine. The VLANs are the issue. I'll implement ASAP.
0
