Solved

creating route from ASA to 1720

Posted on 2016-08-08
Last Modified: 2016-09-12
I need to set up a route in the ASA that sends all requests made to 192.168.7.x to the router 192.168.1.203. That route seems to already be configured. I have the command noted below; however, it seems that when the request comes back from 192.168.1.203 it doesn't work properly. I can only send/receive pings / ICMP. What is the command that I need to add to the ASA to receive it from .203? Below are my ASA and ASDM versions and the only command I have pertaining to this route. I think I'm missing something else... The 1720 has a wildcard stating 0.0.0.0 goes to 192.168.1.1.

route inside 192.168.7.0 255.255.255.0 192.168.1.203 1

ASA 8.4(7)26
ASDM 6.4.(5)
Question by:gopher_49

Expert Comment

by:Cheever000
ID: 41748127
Are you hairpinning internally off the ASA? For example:

.7 network -----.1 network ------ASA?

If this is the case you need to look at TCP state bypass; this is for 8.2 but it is the same.

Sadly the ASA is not a router and really doesn't like to route traffic back inside its own network, because it is checking for the SYN, SYN-ACK, ACK; if it misses a step it will drop the traffic. In this case, if the SYN goes through the ASA, the SYN-ACK will go straight to the host from the router, and then the final ACK will touch the ASA again, but the ASA never sees the SYN-ACK and will drop it. Also don't forget the same-security-traffic permit intra-interface to reflect off the same interface.

Author Comment

by:gopher_49
ID: 41748616
Cheever000,

My ASA's IP is 192.168.1.1. Then I have 2 x 1720 that are on each side of a point-to-point T1 circuit. Router 1's IP is 192.168.1.203. Router 2's IP is 192.168.7.1. I send all traffic destined for 192.168.7.x to router 1 via the command route inside 192.168.7.0 255.255.255.0 192.168.1.203 1. It seems to get to the destination network, for I can ping any of the hosts within the 192.168.7.x network; however, when the traffic comes back I think it's getting dropped. I don't know what to do. I have similar routes set up through my AT&T MPLS networks and the route command noted above is all I used.

Author Comment

by:gopher_49
ID: 41748627
Below are the ASA logs I see pertaining to the 192.168.7.x network.

4|Aug 09 2016|05:19:55|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:55|106015|192.168.1.221|8020|192.168.7.56|59164|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59164 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.11|8020|192.168.7.56|59163|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59163 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.221|8020|192.168.7.56|59164|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59164 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags RST  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.11|8020|192.168.7.56|59163|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59163 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.11|8020|192.168.7.56|59155|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59155 flags RST  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:49|106015|192.168.1.221|8020|192.168.7.56|59160|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59160 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:47|302021|192.168.1.247|1|192.168.7.1|0|Teardown ICMP connection for faddr 192.168.1.247/1 gaddr 192.168.7.1/0 laddr 192.168.7.1/0
4|Aug 09 2016|05:19:46|106015|192.168.1.11|8020|192.168.7.56|59159|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59159 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.221|8020|192.168.7.56|59158|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59158 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.221|8020|192.168.7.56|59154|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59154 flags RST  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:46|106015|192.168.1.11|8027|192.168.7.56|59153|Deny TCP (no connection) from 192.168.1.11/8027 to 192.168.7.56/59153 flags RST  on interface inside
4|Aug 09 2016|05:19:44|106015|192.168.1.221|8020|192.168.7.56|59157|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59157 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:43|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811987 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:43|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811987 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59161|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59161 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59152|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59152 flags RST  on interface inside
4|Aug 09 2016|05:19:43|106015|192.168.1.221|8020|192.168.7.56|59160|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59160 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:42|302014|192.168.1.234|59118|192.168.7.213|9100|Teardown TCP connection 53811970 for inside:192.168.1.234/59118 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:42|302013|192.168.1.234|59118|192.168.7.213|9100|Built inbound TCP connection 53811970 for inside:192.168.1.234/59118 (192.168.1.234/59118) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:41|302020|192.168.1.247|1|192.168.7.1|0|Built inbound ICMP connection for faddr 192.168.1.247/1 gaddr 192.168.7.1/0 laddr 192.168.7.1/0
4|Aug 09 2016|05:19:40|106015|192.168.1.11|8020|192.168.7.56|59159|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59159 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|106015|192.168.1.221|8020|192.168.7.56|59158|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59158 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|302015|192.168.1.14|16768|192.168.7.56|59084|Built inbound UDP connection 53811915 for inside:192.168.1.14/16768 (192.168.1.14/16768) to inside:192.168.7.56/59084 (192.168.7.56/59084)
4|Aug 09 2016|05:19:40|106015|192.168.1.221|8020|192.168.7.56|59160|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59160 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:40|106015|192.168.1.11|8020|192.168.7.56|59151|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59151 flags RST  on interface inside
4|Aug 09 2016|05:19:38|106015|192.168.1.221|8020|192.168.7.56|59157|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59157 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811856 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:37|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811856 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:37|106015|192.168.1.11|8020|192.168.7.56|59155|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59155 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.11|8020|192.168.7.56|59159|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59159 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.11|8020|192.168.7.56|59150|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59150 flags RST  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.221|8020|192.168.7.56|59158|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59158 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:37|106015|192.168.1.221|8020|192.168.7.56|59149|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59149 flags RST  on interface inside
4|Aug 09 2016|05:19:36|302014|192.168.1.234|59118|192.168.7.213|9100|Teardown TCP connection 53811840 for inside:192.168.1.234/59118 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:36|302013|192.168.1.234|59118|192.168.7.213|9100|Built inbound TCP connection 53811840 for inside:192.168.1.234/59118 (192.168.1.234/59118) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:35|106015|192.168.1.221|8020|192.168.7.56|59157|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59157 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:35|106015|192.168.1.11|8020|192.168.7.56|59148|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59148 flags RST  on interface inside
4|Aug 09 2016|05:19:34|302014|192.168.1.232|57973|192.168.7.213|9100|Teardown TCP connection 53811805 for inside:192.168.1.232/57973 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:34|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811805 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:34|106015|192.168.1.221|8020|192.168.7.56|59154|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59154 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:34|106015|192.168.1.11|8027|192.168.7.56|59153|Deny TCP (no connection) from 192.168.1.11/8027 to 192.168.7.56/59153 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:34|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:33|302014|192.168.1.234|59118|192.168.7.213|9100|Teardown TCP connection 53811797 for inside:192.168.1.234/59118 to inside:192.168.7.213/9100 duration 0:00:00 bytes 0 TCP Reset-O
4|Aug 09 2016|05:19:33|302013|192.168.1.234|59118|192.168.7.213|9100|Built inbound TCP connection 53811797 for inside:192.168.1.234/59118 (192.168.1.234/59118) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:31|106015|192.168.1.11|8020|192.168.7.56|59155|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59155 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:31|106015|192.168.1.221|8020|192.168.7.56|59152|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59152 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:31|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:31|106015|192.168.1.11|8020|192.168.7.56|59147|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59147 flags RST  on interface inside

Expert Comment

by:Cheever000
ID: 41748651
Did you make any changes? It appears to be doing exactly what I said: it isn't seeing the full handshake and is dropping it for no connection.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

Not sure why the link didn't show before. Your other two options are to make the router the gateway (it can do redirects), and/or set static persistent routes on the hosts.
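The 106015 "Deny TCP (no connection) ... flags SYN ACK" lines above are the fingerprint of the half-seen handshake Cheever000 describes: the client's SYN reached the 192.168.1.x server via the router without passing the ASA, so the server's SYN-ACK (sent via its default gateway, the ASA) hits a firewall with no connection entry. The script below, added here as an example and not code from the thread or from Cisco, parses the ASDM pipe-delimited export shown above and counts those drops per server, so the pattern can be confirmed before loosening inspection with TCP state bypass. The subnets and sample lines are taken from the thread; the field order is assumed to be sev|date|time|msgid|src|sport|dst|dport|text as shown.

```python
"""Spot the asymmetric-routing signature in ASA syslog (ASDM pipe-delimited export)."""
import ipaddress
import re
from collections import Counter

# Sample lines copied from the thread above (constructed subset of the author's log).
SAMPLE_LOG = """\
4|Aug 09 2016|05:19:55|106015|192.168.1.11|8020|192.168.7.56|59162|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59162 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.221|8020|192.168.7.56|59164|Deny TCP (no connection) from 192.168.1.221/8020 to 192.168.7.56/59164 flags SYN ACK  on interface inside
4|Aug 09 2016|05:19:52|106015|192.168.1.11|8020|192.168.7.56|59156|Deny TCP (no connection) from 192.168.1.11/8020 to 192.168.7.56/59156 flags RST  on interface inside
4|Aug 09 2016|05:19:43|302013|192.168.1.232|57973|192.168.7.213|9100|Built inbound TCP connection 53811987 for inside:192.168.1.232/57973 (192.168.1.232/57973) to inside:192.168.7.213/9100 (192.168.7.213/9100)
4|Aug 09 2016|05:19:41|302020|192.168.1.247|1|192.168.7.1|0|Built inbound ICMP connection for faddr 192.168.1.247/1 gaddr 192.168.7.1/0 laddr 192.168.7.1/0
"""

# Assumed field order of the ASDM export: sev|date|time|msgid|src|sport|dst|dport|text
FLAGS_RE = re.compile(r"flags ([A-Z ]+?)\s+on interface (\S+)")


def parse_line(line):
    """Split one export line into its fields; returns None for malformed lines."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9:
        return None
    _sev, _date, _time, msgid, src, sport, dst, dport, text = parts
    return {"msgid": msgid, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "text": text}


def find_asymmetric_replies(log_text, inside_net, remote_net):
    """Count 106015 drops of SYN-ACK replies going from the inside subnet toward the
    routed remote subnet on the same interface.  That combination means the ASA never
    saw the client's SYN (it went router-to-host directly) but is now asked to forward
    the server's reply: the missing handshake step.  Returns {(server, port): count}."""
    inside = ipaddress.ip_network(inside_net)
    remote = ipaddress.ip_network(remote_net)
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["msgid"] != "106015":
            continue
        m = FLAGS_RE.search(rec["text"])
        if not m or m.group(1).strip() != "SYN ACK":
            continue  # RST or other flag combinations are not the handshake symptom
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src in inside and dst in remote:
            hits[(rec["src"], rec["sport"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (server, port), n in find_asymmetric_replies(SAMPLE_LOG, "192.168.1.0/24", "192.168.7.0/24").items():
        print(f"{server}:{port} - {n} SYN-ACK replies dropped (no connection)")
```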

Author Comment

by:gopher_49
ID: 41748705
Initially I had the workstations that need to access the 192.168.7.x network use the gateway of .203; however, they can't access the 192.168.8.x network, which is a virtual interface on the ASA. This is why I'm trying to get it to route through the ASA. The 192.168.8.x is a tagged virtual interface in a VLAN. For .203 to route to 192.168.8.x, would it need a tagged virtual interface and a dedicated route assigned to the virtual interface?

Author Comment

by:gopher_49
ID: 41751993
Cheever000,

So... I guess I need to get different routers on each side of the point-to-point circuit? I don't think these can do routed VLANs... Not sure what else to do.

Accepted Solution

by:Cheever000 (earned 500 total points)
ID: 41756658
They should have been able to reach the network if it was a new network/interface off the ASA being redirected from the router. What can't do routed VLANs? The ASA isn't really a router, but it does basic forwarding. The 1721 is a router.

Thanks

Author Comment

by:gopher_49
ID: 41756691
So... What are my options? Don't I need a route with VLAN support, since the 192.168.8.x network is a tagged VLAN? That's the only way my ASA can handle the traffic, right? Or will that still require the ASA to be a router?

Author Closing Comment

by:gopher_49
ID: 41794383
This makes sense, for I have an AT&T MPLS config off a dedicated physical interface and it works just fine. The VLANs are the issue. I'll implement ASAP.