[c-nsp] redirect nexthop on ASA 5510
Moerman, Maarten
m.moerman at marktplaats.nl
Wed Oct 24 09:39:06 EDT 2007
Hi All,
I'm having trouble configuring an ASA5510 to behave as a router that sets
a "redirect next hop".
I've configured the ASA perfectly, VPN is working, NAT is working,
routing SEEMS to be working but does not work for stateful connections.
I have:
Internet -> Cisco 2600 public IP/something --> ASA5510 --> private LAN
with servers --> within there another gateway with a couple of subnets
behind it, in which my laptop resides for testing.
I have setup the routes to that gateway:
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
and have set up the correct NAT exemption:
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 192.168.1.0
255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0
255.255.255.0 192.168.3.0 255.255.255.0
Ping replies do get along the cables; however, when setting up an RDP
session or an HTTP request, I get this in the log:
Deny TCP (no connection) from 192.168.1.59/3389 to 192.168.2.92/3289
flags SYN ACK on interface inside
Where 192.168.1.59 is the machine I'm RDP'ing to (or http), and
192.168.2.92 is my laptop.
It cannot find an established session in the connection table, which of
course makes sense because I don't want to NAT that traffic.
So how do I enable stateful connections....
Asa = 192.168.1.1 (inside)
Other firewall (which routes perfectly if I change machines to use it
as their default gateway) = 192.168.1.2
My laptop subnet = 192.168.2.0/24
ASA version = 8.0(2)
ASDM version = 6.0(2)
I've also enabled "Enable traffic through the firewall without address
translation".
And I've enabled "Enable traffic between two or more hosts connected to
the same interface".
Anybody have a clue?
Thanks in advance,
Maarten Moerman
--
Network Engineer | eBay / Marktplaats.nl Randweg 25 | 8304 AS Emmeloord
E-mail: mmoerman at ebay.com | Mobile: +31 6 55 1 222 47
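The log line quoted in the post is the kind of message a stateful firewall emits when the return half of a TCP handshake arrives without a matching entry in its connection table. The Python model below is an added illustration of that mechanism; it is not code from the post, from the list, or from Cisco. Its "asymmetric" scenario assumes a topology the post does not state outright: the laptop's SYN reaches 192.168.1.59 through the 192.168.1.2 gateway without passing the ASA, while the server sends its reply to its own default gateway, the ASA, which forwards it back out the inside interface toward 192.168.1.2. The addresses come from the post; the port 3289, the hop lists, and the hop names are constructed for the example.

```python
"""Toy model of a stateful firewall connection table under asymmetric routing.

Constructed illustration (not ASA code): a SYN creates a connection entry;
any other segment must match an entry in either direction or is denied,
producing a log line shaped like the ASA's 'Deny TCP (no connection)'.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: tuple  # ("SYN",) or ("SYN", "ACK") in this example

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    def __init__(self):
        self.conns = set()   # connection table: 4-tuples created by a SYN
        self.log = []        # denied segments, in ASA-like wording

    def inspect(self, iface, seg):
        if seg.flags == ("SYN",):
            self.conns.add(seg.key())            # new connection
            return "permit"
        if seg.key() in self.conns or seg.reverse_key() in self.conns:
            return "permit"                      # belongs to a known connection
        self.log.append(
            f"Deny TCP (no connection) from {seg.src}/{seg.sport} "
            f"to {seg.dst}/{seg.dport} flags {' '.join(seg.flags)} "
            f"on interface {iface}"
        )
        return "deny"


def forward(path, seg):
    """Push seg through a list of hops (name, firewall-or-None, ingress iface).
    Plain routers (None) just forward; a firewall may drop the segment."""
    for name, fw, iface in path:
        if fw is not None and fw.inspect(iface, seg) == "deny":
            return f"dropped at {name}"
    return "delivered"


# Endpoints taken from the post; the client port 3289 is constructed.
LAPTOP, SERVER = "192.168.2.92", "192.168.1.59"
SYN = Segment(LAPTOP, 3289, SERVER, 3389, ("SYN",))
SYN_ACK = Segment(SERVER, 3389, LAPTOP, 3289, ("SYN", "ACK"))


def asymmetric_handshake():
    """Assumed topology: laptop -> 192.168.1.2 gateway -> server, with the
    ASA not on that path; server -> its default gateway (ASA) -> 192.168.1.2
    -> laptop. The ASA therefore sees the SYN/ACK but never the SYN."""
    asa = StatefulFirewall()
    client_to_server = [("gw-192.168.1.2", None, "inside")]
    server_to_client = [("asa", asa, "inside"), ("gw-192.168.1.2", None, "inside")]
    return (forward(client_to_server, SYN),
            forward(server_to_client, SYN_ACK),
            asa.log)


def symmetric_handshake():
    """Both directions cross the ASA, so the SYN has populated the table
    before the SYN/ACK arrives and the reply is permitted."""
    asa = StatefulFirewall()
    both_ways = [("asa", asa, "inside")]
    return (forward(both_ways, SYN), forward(both_ways, SYN_ACK), asa.log)


if __name__ == "__main__":
    for name, fn in (("asymmetric", asymmetric_handshake),
                     ("symmetric", symmetric_handshake)):
        syn_result, synack_result, log = fn()
        print(f"{name}: SYN {syn_result}, SYN/ACK {synack_result}")
        for line in log:
            print("   ", line)
```

Running the block prints both scenarios; the asymmetric one reproduces the deny line from the post word for word, while the symmetric one passes the SYN/ACK because the SYN created the table entry first. The model deliberately tracks nothing but the 4-tuple and the SYN flag, which is enough to show why a firewall that sees only one direction of a connection cannot treat it as established.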