creating route from ASA to 1720

Posted on 2016-08-08
Last Modified: 2016-09-12
I need to set up a route in the ASA that sends all requests made to 192.168.7.x to the router 192.168.1.203.  That route seems to already be configured.  I have the command noted below; however, it seems that when the request comes back from 192.168.1.203 it doesn't work properly.  I can only send/receive pings / ICMP.  What is the command that I need to add to the ASA to receive it from .203?  Below are my ASA and ASDM versions and the only command I have pertaining to this route.  I think I'm missing something else...  The 1720 has a wildcard stating 0.0.0.0 goes to 192.168.1.1

route inside 192.168.7.0 255.255.255.0 192.168.1.203 1

ASA 8.4(7)26
ASDM 6.4(5)
Question by:gopher_49

LVL 9

Expert Comment

by:Cheever000
ID: 41748127
Are you hairpinning internally off the ASA for example

.7 network -----.1 network ------ASA?

If this is the case you need to look at TCP state bypass; this is for 8.2 but it is the same.

Sadly the ASA is not a router and really doesn't like to route traffic back inside its own network, due to the fact that it is checking for the SYN, SYN-ACK, ACK; if it misses a step it will drop the traffic. In this case, if the SYN goes through the ASA, the SYN-ACK will go straight to the host from the router and the final ACK will touch the ASA again, but the ASA never saw the SYN-ACK and will drop it.  Also don't forget same-security-traffic permit intra-interface to reflect off the same interface.
Author Comment

by:gopher_49
ID: 41748616
Cheever000,

My ASA's IP is 192.168.1.1.  Then I have 2 x 1720s, one on each side of a point-to-point T1 circuit.  Router 1's IP is 192.168.1.203.  Router 2's IP is 192.168.7.1.   I send all traffic destined for 192.168.7.x to router 1 via the command "route inside 192.168.7.0 255.255.255.0 192.168.1.203 1".  It seems to get to the destined network, for I can ping any of the hosts within the 192.168.7.x network; however, when the traffic comes back I think it's getting dropped.   I don't know what to do.  I have similar routes set up through my AT&T MPLS networks and the route command noted above is all I used.
Author Comment

by:gopher_49
ID: 41748627
Below are the ASA logs I see pertaining to the 192.168.7.x network.

4|Aug 09 2016|05:19:55|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:55|106015|192.168.1.221|8020|192.168.7.56|59164|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59164 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.11|8020|192.168.7.56|59163|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59163 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.221|8020|192.168.7.56|59164|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59164 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags RST  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.11|8020|192.168.7.56|59163|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59163 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.11|8020|192.168.7.56|59155|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59155 flags RST  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.221|8020|192.168.7.56|59160|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59160 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:47|302021|192.168.1.247|1|192.168.7.1|0|Teardown ICMP connection for faddr 192.168.1.247/1 gaddr 192.168.7.1/0 laddr 192.168.7.1/0
4|Aug 09 2016|05:19:46|106015|192.168.1.11|8020|192.168.7.56|59159|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59159 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.221|8020|192.168.7.56|59158|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59158 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.221|8020|192.168.7.56|59154|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59154 flags RST  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.11|8027|192.168.7.56|59153|Deny TCP (no connection) from 192.168.1.11/8027 to 192.168.7.56/59153 flags RST  on interface inside
4|Aug 09 2016|05:19:44|106015|192.168.1.221|8020|192.168.7.56|59157|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59157 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:43|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811987 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:43|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811987 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59152|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59152 flags RST  on interface inside
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59160|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59160 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:42|302014|192.168.1.234|59118|192.168.7.213|9100|Teardown TCP connection 53811970 for inside:192.168.1.234/59118 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:42|302013|192.168.1.234|59118|192.168.7.213|9100|Built inbound TCP connection 53811970 for inside:192.168.1.234/59118 (192.168.1.234/59118) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:41|302020|192.168.1.247|1|192.168.7.1|0|Built inbound ICMP connection for faddr 192.168.1.247/1 gaddr 192.168.7.1/0 laddr 192.168.7.1/0
4|Aug 09 2016|05:19:40|106015|192.168.1.11|8020|192.168.7.56|59159|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59159 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|106015|192.168.1.221|8020|192.168.7.56|59158|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59158 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|302015|192.168.1.14|16768|192.168.7.56|59084|Built inbound UDP connection 53811915 for inside:192.168.1.14/16768 (192.168.1.14/16768) to inside:192.168.7.56/59084 (192.168.7.56/59084)
4|Aug 09 2016|05:19:40|106015|192.168.1.221|8020|192.168.7.56|59160|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59160 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|106015|192.168.1.11|8020|192.168.7.56|59151|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59151 flags RST  on interface inside
4|Aug 09 2016|05:19:38|106015|192.168.1.221|8020|192.168.7.56|59157|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59157 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811856 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:37|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811856 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:37|106015|192.168.1.11|8020|192.168.7.56|59155|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59155 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.11|8020|192.168.7.56|59159|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59159 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.11|8020|192.168.7.56|59150|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59150 flags RST  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.221|8020|192.168.7.56|59158|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59158 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.221|8020|192.168.7.56|59149|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59149 flags RST  on interface inside
4|Aug 09 2016|05:19:36|302014|192.168.1.234|59118|192.168.7.213|9100|Teardown TCP connection 53811840 for inside:192.168.1.234/59118 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:36|302013|192.168.1.234|59118|192.168.7.213|9100|Built inbound TCP connection 53811840 for inside:192.168.1.234/59118 (192.168.1.234/59118) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:35|106015|192.168.1.221|8020|192.168.7.56|59157|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59157 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:35|106015|192.168.1.11|8020|192.168.7.56|59148|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59148 flags RST  on interface inside
4|Aug 09 2016|05:19:34|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811805 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:34|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811805 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:34|106015|192.168.1.221|8020|192.168.7.56|59154|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59154 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:34|106015|192.168.1.11|8027|192.168.7.56|59153|Deny TCP (no connection) from 192.168.1.11/8027 to 192.168.7.56/59153 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:34|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:33|302014|192.168.1.234|59118|192.168.7.213|9100|Teardown TCP connection 53811797 for inside:192.168.1.234/59118 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:33|302013|192.168.1.234|59118|192.168.7.213|9100|Built inbound TCP connection 53811797 for inside:192.168.1.234/59118 (192.168.1.234/59118) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:31|106015|192.168.1.11|8020|192.168.7.56|59155|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59155 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:31|106015|192.168.1.221|8020|192.168.7.56|59152|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59152 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:31|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:31|106015|192.168.1.11|8020|192.168.7.56|59147|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59147 flags RST  on interface inside
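An added triage example for the log paste above (it is not code from the original post, and not a Cisco tool). In the pasted events the denied packets are SYN ACK and RST segments from local hosts (192.168.1.11 and 192.168.1.221, port 8020) towards 192.168.7.56, on interface inside: the inbound SYN reached those hosts from the 1720 without crossing the ASA, and the reply hits the ASA with no matching connection, which is the asymmetric path Cheever000 describes. The script parses the pipe-delimited ASDM export format, tallies 106015 events carrying SYN ACK or RST between a local and a remote subnet, and renders a candidate TCP state bypass policy for that subnet pair in ASA 8.4 syntax. The sample lines are constructed in the thread's format; the subnets, interface name, ACL name and class/policy names are assumptions made for the example.

```python
"""Triage ASA 106015 "Deny TCP (no connection)" events for asymmetric routing.

Added example for this thread, not code from the original post or from Cisco.
Subnets, interface name and the ACL/class/policy names are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the same format as the thread's paste (not a live capture).
SAMPLE_LOG = """\
4|Aug 09 2016|05:19:55|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags RST  on interface inside
4|Aug 09 2016|05:19:47|302021|192.168.1.247|1|192.168.7.1|0|Teardown ICMP connection for faddr 192.168.1.247/1 gaddr 192.168.7.1/0 laddr 192.168.7.1/0
4|Aug 09 2016|05:19:43|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811987 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
"""

# "flags SYN ACK  on interface inside" -> ("SYN ACK", "inside")
FLAGS_RE = re.compile(r"flags ([A-Z ]+?)\s+on interface (\S+)")


def parse_106015(line):
    """Return a dict for a 106015 event, or None for any other line."""
    fields = line.rstrip("\n").split("|")
    # ASDM export: severity|date|time|id|src|sport|dst|dport|message
    if len(fields) < 9 or fields[3] != "106015":
        return None
    m = FLAGS_RE.search(fields[8])
    if m is None:
        return None
    return {
        "src": ipaddress.ip_address(fields[4]),
        "dst": ipaddress.ip_address(fields[6]),
        "flags": m.group(1).strip(),
        "iface": m.group(2),
    }


def stateless_replies(log_text, local_cidr, remote_cidr, iface="inside"):
    """Count SYN ACK / RST packets the ASA denied for lack of a connection.

    A SYN ACK or RST leaving a local host towards the remote subnet, with no
    connection in the ASA's table, means the forward packet (the SYN) reached
    the host without crossing the ASA, i.e. the path is asymmetric.
    Returns a Counter keyed by (local host, flags).
    """
    local_net = ipaddress.ip_network(local_cidr)
    remote_net = ipaddress.ip_network(remote_cidr)
    hits = Counter()
    for line in log_text.splitlines():
        ev = parse_106015(line)
        if ev is None or ev["iface"] != iface:
            continue
        if ev["flags"] not in ("SYN ACK", "RST"):
            continue
        if ev["src"] in local_net and ev["dst"] in remote_net:
            hits[(str(ev["src"]), ev["flags"])] += 1
    return hits


def bypass_policy(local_cidr, remote_cidr, iface="inside", name="TCP_BYPASS_7"):
    """Render an ASA 8.4-style TCP state bypass policy for the subnet pair.

    Names are placeholders. TCP state bypass turns off the handshake check
    (and the TCP normalizer) only for flows matching the ACL; everything
    else keeps full stateful inspection, so keep the ACL as narrow as possible.
    """
    local_net = ipaddress.ip_network(local_cidr)
    remote_net = ipaddress.ip_network(remote_cidr)

    def mask(net):
        return f"{net.network_address} {net.netmask}"

    return "\n".join([
        f"access-list {name} extended permit tcp {mask(local_net)} {mask(remote_net)}",
        f"access-list {name} extended permit tcp {mask(remote_net)} {mask(local_net)}",
        f"class-map {name}",
        f" match access-list {name}",
        f"policy-map {iface}_policy",
        f" class {name}",
        "  set connection advanced-options tcp-state-bypass",
        f"service-policy {iface}_policy interface {iface}",
        # Needed so traffic may enter and leave the same interface at all.
        "same-security-traffic permit intra-interface",
    ])


if __name__ == "__main__":
    hits = stateless_replies(SAMPLE_LOG, "192.168.1.0/24", "192.168.7.0/24")
    for (host, flags), n in sorted(hits.items()):
        print(f"{host:15} {flags:8} {n}")
    print(bypass_policy("192.168.1.0/24", "192.168.7.0/24"))
```

Run it against a real ASDM export by replacing SAMPLE_LOG with the file contents. Hosts that show up with SYN ACK or RST counts are the ones whose replies the ASA is discarding; if the same hosts also show 302014 teardowns with "duration 0:00:00 bytes 0", that is the same symptom from the other direction. The rendered policy is a starting point only: bypassing TCP state tracking removes the handshake check for the matched subnet pair, so the ACL should cover only the 192.168.1.0/24 to 192.168.7.0/24 traffic and nothing wider.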
LVL 9

Expert Comment

by:Cheever000
ID: 41748651
Did you make any changes?  It appears to be doing exactly what I said: it isn't seeing the full handshake and is dropping it for no connection.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

Not sure why the link didn't show before.  Your other two options are to make the router the gateway (it can do redirects), and/or set static persistent routes on the hosts.
Author Comment

by:gopher_49
ID: 41748705
Initially I had the workstations that need to access the 192.168.7.x network use the gateway of .203; however, they can't access the 192.168.8.x network, which is a virtual interface on the ASA.  This is why I'm trying to get it to route through the ASA.  The 192.168.8.x is a tagged virtual interface in a VLAN.  For .203 to route to 192.168.8.x, would it need a tagged virtual interface and a dedicated route assigned to the virtual interface?
Author Comment

by:gopher_49
ID: 41751993
Cheever000,

So...  I guess I need to get different routers on each side of the point-to-point circuit?  I don't think these can do routed VLANs...  Not sure what else to do.
LVL 9

Accepted Solution

by:
Cheever000 earned 500 total points
ID: 41756658
They should have been able to reach the network if it was a new network/interface off the ASA being redirected from the router.  What can't do routed VLANs?  The ASA isn't really a router, but it does basic forwarding.  The 1721 is a router.

Thanks
Author Comment

by:gopher_49
ID: 41756691
So...  What are my options?  Don't I need a route with VLAN support, since the 192.168.8.x network is a tagged VLAN?  That's the only way my ASA can handle the traffic, right?  Or will that still require the ASA to be a router?
Author Closing Comment

by:gopher_49
ID: 41794383
This makes sense, for I have an AT&T MPLS config off a dedicated physical interface and it works just fine.  The VLANs are the issue.  I'll implement ASAP.