[c-nsp] redirect nexthop on ASA 5510

Darryl Dunkin ddunkin at netos.net
Wed Oct 24 11:10:24 EDT 2007


The flaw here is that your packets are not bi-directionally being passed
through your ASA, so it never sees any TCP session come up as only one
direction of traffic is passing through it.

If your source is 192.168.1.59, and you redirect the packet back to your
LAN via 192.168.1.2, the router at 192.168.1.2 is going to be sending
the reply packets directly to your servers being on the connected
interface. It won't go back the way it came via the firewall as that
wasn't the source.

It may be best to force traffic to go completely through your firewall
by connecting your 192.168.1.2 gateway directly to it via another
physical port if you need this functionality.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Moerman, Maarten
Sent: Wednesday, October 24, 2007 06:39
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] redirect nexthop on ASA 5510

Hi All,

I'm having trouble configuring an ASA5510 to behave as a router that sets
a "redirect next hop".

I've configured the ASA perfectly, VPN is working, NAT is working,
routing SEEMS to be working but does not work for stateful connections.

I have:

Internet -> Cisco 2600 public IP/something --> ASA5510 --> private LAN
with servers --> within there another gateway with a couple of subnets
behind that, where my laptop resides for testing.

I have setup the routes to that gateway:

route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1

and have setup the correct nat exemption:

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 192.168.1.0
255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0
255.255.255.0 192.168.3.0 255.255.255.0

Ping replies do get along the cables, however, when setting up an RDP
session, or an HTTP request, I get this in the log:

Deny TCP (no connection) from 192.168.1.59/3389 to 192.168.2.92/3289
flags SYN ACK  on interface inside

Where 192.168.1.59 is the machine I'm RDP'ing to (or http), and
192.168.2.92 is my laptop.

It cannot find an established session in the connection table, which of
course makes sense because I don't want to NAT that traffic.

So how do I enable stateful connections....

Asa = 192.168.1.1 (inside)
Other firewall (which perfectly routes, If I change machines to use that
as default gateway) = 192.168.1.2
My laptop subnet = 192.168.2.0/24
ASA version = 8.0(2)
ASDM version = 6.0(2)

I've enabled the "Enable traffic through firewall without address
translation" also.
And I've enabled "Enable traffic between two or more hosts connected to
the same interface"

Anybody a clue?



Thanks in advance,
Maarten Moerman

--
Network Engineer | eBay / Marktplaats.nl Randweg 25 | 8304 AS Emmeloord 
E-mail: mmoerman at ebay.com | Mobile: +31 6 55 1 222 47


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
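To make the asymmetric-routing problem in this thread concrete, here is a small Python model of a stateful connection table and the two topologies discussed (the one Maarten posted, and Darryl's suggestion of putting the 192.168.1.2 gateway on its own ASA port). It is an added illustration, not Cisco code and not anything from the thread; the device names, the per-device routing tables and the hop-by-hop forwarding are constructed assumptions that mirror the addresses in the mail. The log line it produces is modelled on the one Maarten quoted.

```python
"""Toy stateful-inspection model: why an ASA logs
'Deny TCP (no connection) ... flags SYN ACK' when only one direction of a
TCP session transits it.  Constructed example, not Cisco code."""
import ipaddress
from dataclasses import dataclass, field

# Constructed device names; addresses taken from the thread.
LAPTOP = "laptop-192.168.2.92"
ROUTER = "gateway-192.168.1.2"
ASA = "asa-192.168.1.1"
SERVER = "server-192.168.1.59"
DIRECT = "connected"                       # deliver on the attached segment
HOST_OF = {"192.168.2.92": LAPTOP, "192.168.1.59": SERVER}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                             # "SYN", "SYN ACK", "ACK"


@dataclass
class StatefulFirewall:
    """Minimal connection table: only a SYN may create a flow; everything
    else must match an existing flow in either direction."""
    conns: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def inspect(self, pkt: Packet, iface: str) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "SYN":
            self.conns.add(fwd)
            return True
        if fwd in self.conns or rev in self.conns:
            return True
        self.log.append(
            f"Deny TCP (no connection) from {pkt.src}/{pkt.sport} "
            f"to {pkt.dst}/{pkt.dport} flags {pkt.flags} on interface {iface}")
        return False


def longest_match(table, dst):
    """Longest-prefix lookup over [(prefix, nexthop), ...]."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def forward(tables, pkt, fw, max_hops=8):
    """Walk the packet hop by hop; the ASA inspects it whenever it transits."""
    dev = HOST_OF[pkt.src]
    path = [dev]
    for _ in range(max_hops):
        if dev == HOST_OF[pkt.dst]:
            return path, True
        nh = longest_match(tables[dev], pkt.dst)
        dev = HOST_OF[pkt.dst] if nh == DIRECT else nh
        path.append(dev)
        if dev == ASA and not fw.inspect(pkt, "inside"):
            return path, False
    raise RuntimeError("routing loop")


# Topology as posted: the 192.168.1.2 gateway sits on the server LAN, so it
# delivers to 192.168.1.59 directly, while the server replies via its
# default gateway, the ASA.
AS_POSTED = {
    LAPTOP: [("192.168.2.0/24", DIRECT), ("0.0.0.0/0", ROUTER)],
    ROUTER: [("192.168.2.0/24", DIRECT), ("192.168.1.0/24", DIRECT),
             ("0.0.0.0/0", ASA)],
    ASA:    [("192.168.1.0/24", DIRECT), ("192.168.2.0/24", ROUTER),
             ("192.168.3.0/24", ROUTER)],
    SERVER: [("192.168.1.0/24", DIRECT), ("0.0.0.0/0", ASA)],
}

# Darryl's suggestion: the gateway hangs off its own ASA port, so it is no
# longer attached to 192.168.1.0/24 and both directions cross the ASA.
GATEWAY_ON_OWN_PORT = dict(AS_POSTED)
GATEWAY_ON_OWN_PORT[ROUTER] = [("192.168.2.0/24", DIRECT), ("0.0.0.0/0", ASA)]


def rdp_handshake(tables):
    """Run SYN and SYN/ACK of the RDP session from the thread through
    the topology and report what the ASA saw."""
    fw = StatefulFirewall()
    syn = Packet("192.168.2.92", 3289, "192.168.1.59", 3389, "SYN")
    synack = Packet("192.168.1.59", 3389, "192.168.2.92", 3289, "SYN ACK")
    syn_path, ok1 = forward(tables, syn, fw)
    synack_path, ok2 = forward(tables, synack, fw)
    return {"syn_path": syn_path, "synack_path": synack_path,
            "established": ok1 and ok2, "log": fw.log}


if __name__ == "__main__":
    for name, topo in (("as posted", AS_POSTED),
                       ("gateway on own ASA port", GATEWAY_ON_OWN_PORT)):
        print(name, rdp_handshake(topo))
```

In the as-posted topology the SYN never touches the ASA (laptop, gateway, server), so the SYN/ACK that the server hands to its default gateway is the first packet of the flow the ASA sees and is dropped with exactly the message in the log. Once the gateway is behind its own ASA port, the SYN transits the ASA, a connection entry exists, and the SYN/ACK is allowed. The model deliberately ignores NAT and interface-level ACLs; the point is only the connection-table lookup.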
