The Woes of Using an ASA as a Default Gateway

People often think of an ASA Security Appliance as a router. The ASA is a firewall. As a firewall, the ASA does not always forward traffic or behave as we would expect (if we expect it to behave like a router). This can have ramifications if we place it in a network and expect it to route traffic to arbitrary interfaces based on the routing table. In fact, the route table has lower priority in the routing process than the translation table (XLATEs).

ASA Egress Interface Selection

To get perspective on where this is relevant, let’s take a look at a real-world example. The network below has a temporary need to route traffic to a third party network. A more robust routing solution could be placed where the ASA firewall is positioned. In my opinion, the ASA is a superior solution for Internet firewalling compared to a router doing CBAC. So I wouldn’t want to use a router instead of an ASA here. If there were no financial restrictions, we could simply place a router behind the ASA. The final option is to try to get the ASA to behave as a router. That’s the solution that we’ll talk about in this article.

Requirements:

  • Hosts Must Use 10.1.1.100 as their Gateway
  • ASA Must Direct Traffic Destined to 100.1.1.0/24 to 10.1.1.200
  • ASA Must Perform PAT (NAT Overload) for traffic going to the Internet
  • No STATICs or ACL for inbound traffic

 

At first glance, this seems really simple. We’ve all done this with routers, so we just need the ASA equivalent of “ip route 100.1.1.0 255.255.255.0 10.1.1.200”. Right? That should be easy. Let’s just go ahead and configure up our ASA for PAT and then add the static route.

interface ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.100 255.255.255.0
!
interface ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0

!

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!

route outside 0.0.0.0 0.0.0.0 1.1.1.2
route inside 100.1.1.0 255.255.255.0 10.1.1.200

Well that was easy, but does it work? When you try to ping something on 100.1.1.0/24 from a host that is using the ASA as a default gateway, you will find that it fails. You’ve seen that before, right? Remember, we always have to turn on ICMP inspection on ASAs. The shortcut for that is:

fixup protocol icmp

Great, but it still doesn’t work.  Then it hits you.  The ASA is a product that came from the PIX firewall.  The PIX, if you recall, will never forward a packet out the same interface it was received on.  But the ASA was supposed to allow this with a strange command.

same-security-traffic permit intra-interface

That’s still not too bad, if that was all you actually had to do.  Unfortunately it still doesn’t seem to work.  Maybe we better take a look at how the ASA is processing our ICMP echo.  We can issue a command like “packet-tracer input inside icmp 10.1.1.50 0 0 100.1.1.20”.  That will show us all of the steps that the ASA goes through when processing the packet.  What you will find is that the ASA is actually trying to do NAT and there is a missing global statement for the inside interface.  But we don’t really want to do NAT for traffic to or from our third party network.  So we need to write a NAT exemption rule and test our connectivity once again.

access-list NONAT extended permit ip any 100.1.1.0 255.255.255.0
! return traffic shouldn’t hit the ASA, but in any case we never
! want to create an XLATE for the traffic in either direction
access-list NONAT extended permit ip 100.1.1.0 255.255.255.0 any

nat (inside) 0 access-list NONAT

Now let’s ping something in 100.1.1.0/24 from one of our hosts again. Success! It should be working at this point, but we’re not done yet. Try using the TCP protocol to reach something at 100.1.1.0/24. If you look at this in Wireshark, you’ll probably see something like SYN, SYN-ACK, ACK, RST or SYN, SYN-ACK, ACK, ACK (Retrans), ACK (Retrans). What is going on? The ASA is actually trying to create a session for the TCP connection. It is actually inspecting the TCP traffic. Since the router delivers the second part of the three-way handshake directly to the host, the ASA never sees the “SYN-ACK”. Therefore, the ASA doesn’t believe the three-way handshake has occurred and does not allow the third packet. Well that just sucks. The ASA is trying to sessionize traffic that doesn’t even go through the appliance. What to do?

ASA OS 8.2 introduced a feature called TCP State Bypass.  That allows the ASA to pass traffic without validating the TCP state.  The configuration of that uses the modular policy framework (MPF).

access-list STATEBYPASS extended permit ip any 100.1.1.0 255.255.255.0

! the ASA will probably never see traffic sourced from 100.1.1.0/24, but just in case
access-list STATEBYPASS extended permit ip 100.1.1.0 255.255.255.0 any

!

class-map STATEBYPASS
match access-list STATEBYPASS
policy-map STATEBYPASS
class STATEBYPASS
set connection advanced-options tcp-state-bypass
!
service-policy STATEBYPASS interface inside
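
The troubleshooting sequence so far can be replayed in a small model. This is an added example, not Cisco code and not part of the original article: `AsaModel`, its method names, the TCP ports and the Internet address 203.0.113.10 are constructed for illustration, and the model ignores address rewriting, ACLs and timeouts.

```python
"""Toy model of the ASA decisions walked through in this article (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.1.1.0/24")    # hosts; their gateway is the ASA, 10.1.1.100
THIRD_PARTY = ip_network("100.1.1.0/24")  # route inside 100.1.1.0/24 via 10.1.1.200


def in_third_party_acl(src, dst):
    """Mirrors the NONAT / STATEBYPASS ACLs: either end is in 100.1.1.0/24."""
    return ip_address(src) in THIRD_PARTY or ip_address(dst) in THIRD_PARTY


@dataclass
class AsaModel:
    intra_interface: bool = False  # same-security-traffic permit intra-interface
    nat_exempt: bool = False       # nat (inside) 0 access-list NONAT
    state_bypass: bool = False     # set connection advanced-options tcp-state-bypass
    conns: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> state

    @staticmethod
    def egress(dst):
        addr = ip_address(dst)
        return "inside" if addr in INSIDE_NET or addr in THIRD_PARTY else "outside"

    def handle(self, in_if, proto, src, dst, flags="", sport=0, dport=0):
        """Verdict for one packet that actually reaches the ASA on in_if."""
        hairpin = in_if == "inside" and self.egress(dst) == "inside"
        acl_hit = in_third_party_acl(src, dst)
        if hairpin and not self.intra_interface:
            return "drop: same-interface forwarding not permitted"
        if hairpin and not (self.nat_exempt and acl_hit):
            return "drop: nat 1 matches but no global on inside"
        if proto != "tcp":
            return "forward"
        if in_if == "inside" and self.state_bypass and acl_hit:
            return "forward: tcp-state-bypass"
        return self._track(src, sport, dst, dport, flags)

    def _track(self, src, sport, dst, dport, flags):
        """Minimal three-way-handshake tracker keyed on the initiator's tuple."""
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            self.conns.setdefault(fwd, "SYN_SEEN")  # a retransmitted SYN keeps state
            return "forward: embryonic connection"
        if flags == "SA" and self.conns.get(rev) == "SYN_SEEN":
            self.conns[rev] = "SYNACK_SEEN"
            return "forward: handshake step 2"
        if flags == "A" and self.conns.get(fwd) == "SYNACK_SEEN":
            self.conns[fwd] = "ESTABLISHED"
            return "forward: handshake complete"
        if "ESTABLISHED" in (self.conns.get(fwd), self.conns.get(rev)):
            return "forward: established"
        return "drop: packet does not fit tracked TCP state"


HOST, SERVER = "10.1.1.50", "100.1.1.20"  # addresses from the packet-tracer command
INTERNET = "203.0.113.10"                 # constructed documentation address


def ping(asa):
    """Echo request from the host; the reply returns router -> host directly."""
    return asa.handle("inside", "icmp", HOST, SERVER)


def hairpinned_handshake(asa):
    """Only the host's SYN and ACK reach the ASA; the SYN-ACK bypasses it."""
    syn = asa.handle("inside", "tcp", HOST, SERVER, "S", 40000, 80)
    ack = asa.handle("inside", "tcp", HOST, SERVER, "A", 40000, 80)
    return syn, ack


def internet_handshake(asa):
    """Symmetric path: all three handshake packets cross the ASA."""
    return (
        asa.handle("inside", "tcp", HOST, INTERNET, "S", 40001, 80),
        asa.handle("outside", "tcp", INTERNET, HOST, "SA", 80, 40001),
        asa.handle("inside", "tcp", HOST, INTERNET, "A", 40001, 80),
    )


if __name__ == "__main__":
    steps = [
        ("static route only", AsaModel()),
        ("+ intra-interface", AsaModel(intra_interface=True)),
        ("+ NAT exemption", AsaModel(intra_interface=True, nat_exempt=True)),
        ("+ state bypass", AsaModel(True, True, True)),
    ]
    for label, asa in steps:
        print(f"{label:20} ping={ping(asa)!r} tcp={hairpinned_handshake(asa)}")
    print("internet flow:", internet_handshake(AsaModel()))
```

Run as a script, it prints one line per configuration step; the third line shows the SYN forwarded and the ACK dropped, which is the Wireshark symptom described above.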

Now a test using TCP from one of the hosts to something on 100.1.1.0/24 should succeed.  What else should we do?  Anytime I am doing  anything strange with NAT on the ASA, I disable proxy-arp.  This case shouldn’t require it, but I have had cases where the ASA responds to ARPs that it shouldn’t and it’s really hard to track down.  So for good measure, I would add the following command.

sysopt noproxyarp inside

The final configuration looks something like the following:

interface ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.100 255.255.255.0
!
interface ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0

!

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0
!

global (outside) 1 interface

!

route outside 0.0.0.0 0.0.0.0 1.1.1.2
route inside 100.1.1.0 255.255.255.0 10.1.1.200

!

access-list NONAT extended permit ip any 100.1.1.0 255.255.255.0
access-list NONAT extended permit ip 100.1.1.0 255.255.255.0 any

!

access-list STATEBYPASS extended permit ip any 100.1.1.0 255.255.255.0

access-list STATEBYPASS extended permit ip 100.1.1.0 255.255.255.0 any

!

same-security-traffic permit intra-interface

!

class-map STATEBYPASS
match access-list STATEBYPASS
policy-map STATEBYPASS
class STATEBYPASS
set connection advanced-options tcp-state-bypass
!
service-policy STATEBYPASS interface inside

!

sysopt noproxyarp inside

In conclusion, the ASA is not a router.  However going through the exercise of making it behave like one can help you understand some of the logic and processing order of the firewall appliance.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

86 Responses to The Woes of Using an ASA as a Default Gateway

  1. Rich J says:

    Fantastic, spent hours trying to get the gateway asa to talk to our internal asa for ipsec tunnels and pass traffic,

    a thousand thanks to you sir

    • It certainly doesn’t behave as you’d expect in this environment. At least how you’d expect before you experiment with it. Thanks for your comment.

      • Roderick Tubig says:

        Hi Paul, I’m new to networking and would like to ask you some questions about the issue I have in setting up ASA 55100 basically just a DHCP server and NAT / PAT. The setup I’m trying to complete is to be able to provide Internet connectivity to the users in our local network using a single public IP address using the said ASA. I have already done some configuration but was unable to make it work.

        I have an ASA 5510 with factory default configuration still loaded.
        I configured the inside and outside interfaces and the default route plus the dhcp.

        Right now, what I have is this after I’ve done the configuration:
        1) I was able to get an IP address from the ASA as the dhcp server. I can ping the inside IP address of the ASA from the PC.

        2) From within the console of ASA, I tried pinging one of the IP addresses of http://www.yahoo.com and I was successful. I believe this tells me that the outside interface has been configured properly, correct?

        3) But when I try to access the Internet from the PC, I was unable to do so. Is there a problem with my NAT / routing? Please advise.

        Thank you in advance.
        Rod

  2. Greg D. says:

    Thank you so much! I’ve been trying to figure this out for months.

  3. Dale Daniels says:

    Hi Paul.
    Thanks for a great article which resolved my migration issues with an internal static route. Seeing the config changes in full was a complete help. Regards Dale

  4. Rohan says:

    And I thought I knew ASAs. This is a whole new level of understanding ASAs. Thanks a lot!!

  5. Mashti says:

    Hi Paul,

    Thanks for this great article.
    I have other problem, maybe you help me. I am not ASA aware.
    My problem is, I created IPSec Remote VPN Client access on ASA 5505 (ver. 8.3).
    LAN Network: 10.10.0.0 255.255.0.0, GW:10.10.0.10
    ASA inside interface: 10.10.0.20 255.255.0.0
    ASA outside interface: X.X.X.179 255.255.255.240
    VPN Pool: 192.168.0.0 255.255.255.0
    VPN Client can connect to ASA without problem, but cannot access LAN (no ping, no host name resolution).
    We use GW 10.10.0.10 for all Hosts in LAN (It is a Software firewall + proxy server)
    Please help me and let me know, how can to solve problem?
    Thanks
    Regards

    • Is there anything that routes back out through the ASA? For example, does the proxy point to the ASA. I would try to get to something that has a route back out through the ASA. That will at least tell you if your VPN configuration is correct. Then you can go from there.

    • Also keep in mind that if there are any routers in path, they need to steer 192.168.0.X traffic toward your ASA.

      • Mahti says:

        Thanks Paul for your fast answer.
        I forgot to say, I added just a route for proxy server. Also all traffic from 192.168.0.x forward to ASA 10.10.0.20.
        But problem not solved.
        We have just switch and not routers.
        Aha, VPN clients can ping just GW 10.10.0.10.
        If I change GW on LAN Clients to ASA 10.10.0.20, ping is ok, but we will not change GW.
        Also, we use ASA just for VPN server and we will not LAN clients use ASA for internet access.

      • Whatever your clients use as their gw somehow needs to have a route to 192.168.0.0/24. If this is the proxy server, I don’t know what its routing capabilities are. It might be as simple as using ‘route add’ from the cmd prompt. If it was an IOS router, you could simply add a static route. Another, less than optimal, option exists if the hosts are on the same subnet as the ASA. This option is to keep the gw set as is and use the ‘route add’ to add 192.168.0.0/24->ASA IP for any host that needs to be accessed over the VPN.

  6. Rich J says:

    Hi, follow up from my initial comment:

    We got it set-up and is working fine :) however
    it is not allowing PPTP through to our internal RAS server,
    no VPN clients can get through.

    Also, we have an internal cisco 5510 that has our IPsec tunnels to our external sites, we have a static route on our gateway 5510 pointing to this, but it seems to be dropping different types of traffic such as SVN.

    Oh dear..

    Any ideas?

    • Rich, I will say that PPTP is a bit problematic due to the fact that it uses TCP/23 in addition to IP/47. IPSec has similar secondary channels. Assuming that SYN’s are being dropped, this scenario actually sounds more like it may be an asymmetric routing issue. This can be problematic with firewalls.

      My struggle is fully visualizing your topology. I would recommend that you create a simple topological drawing with the components you listed and upload it somewhere. The Cisco Learning Network allows image uploads and is monitored by many professionals and experts. I monitor this site, but sometimes don’t respond in a timely manner. If you post it CLN–https://learningnetwork.cisco.com/threads, you can get more eyes on it. If you do post an image somewhere, make sure you let me know by posting a link in this thread.

  7. MAshti says:

    Thanks again Paul.
    I test your suggestion and say you result.
    But other question. We have Cisco Catalyst 3xxx Layer 3 switches in LAN.
    Can I add this route 192.168.0.0/24->ASA IP on Cisco switches and not on all Hosts?

    • Absolutely, assuming 2 things. First that the outbound packets are routed by the L3 switches. The second requirement is that the Catalyst has a L3 interface that is directly connected from a L3 perspective. So basically this should work if your L3 switch has an interface that is on the ASA’s LAN subnet.

      • Mashti says:

        You are Awesome.
        I can test on Friday and tell you result, but I am sure ASA inside interface connected directly to L3 switch port.

        Thanks

      • Let me clarify my terminology. Being directly connected to a physical port of an L3 switch doesn’t necessarily constitute a directly connected L3 connection. What I mean is if your ASA is on a 10.10.0.X address, you would also need a 10.10.0.X interface on the switch. The switch should be able to directly ARP for the IP address of the ASA. Additionally, the switch would need to have “ip routing” enabled and be in the L3 path of the egress packets. I think you understood this, but I can see that I left some room for ambiguity.

  8. Mashti says:

    Hi Paul,
    First thanks for your great free support.
    I understood exactly, what you mean. I just wanted to tell you, all Switches in our Network are L3.
    Now, problem with your suggestion is solved.
    Thanks again

  9. kogmo says:

    thank you Paul, this solution worked well for me. i got a L3 switch connected to the ASA firewall. The static route is pointing to the L3 Switch. I spent several hours figuring out this but once i found this post of yours things got smooth. tks u are the man

  10. LoganIX77 says:

    Thanks a ton Paul! We recently added a cable modem to alleviate some of the congestion on our T1/MPLS, this was cheaper than say dropping in a DS3. Since we’re not hosting a data center here a DS3 would have been a hard cost to justify. I wanted to use an ASA 5510 that was collecting dust in a closet here to segment/firewall the cable modem from the rest of our network, almost identical to your topography above, but what a “WOE” it was. Everything looked fine and I could get pings to traverse but couldn’t figure out why it wasn’t working. Thank you so much for this post and a better understanding of what was going on behind the scenes on the ASA that was causing it not to work.

  11. Christopher Navarro says:

    Sir Paul, may I ask your opinion sir since I had a problem regarding ASA5512x wherein the internal LAN (some PCs) are having intermittent connection to the ASA (gateway) there is no specific duration but the affected PCs are disconnecting and while clearing the arp table of the ASA, their connection re-established. And it’s very frustrating to clear the arp table of ASA every time there is someone losing ASA as its gateway (they can’t ping the ASA) at one time. Either I’ll clear the arp table of the ASA or they will wait for quite some time then their connectivity re-established.

    thanks.
    Chris

    • Paul Stewart says:

      That is very strange. I would probably do a few things. First, I would check the arp cache on the pc and ASA. See if there is something else that is finding its way into the arp cache. In that case, track down that MAC address and figure out why. I’d also fire up Wireshark and get a trace going. If something is sending an invalid or incorrect arp, track that device down and figure out why. If the ASA isn’t sending an arp request or updating its cache when it should, I’d probably open a TAC case.

      • Christopher Navarro says:

        Thanks sir for the reply, I’m already frustrated on this since when I re-terminated the network to Juniper netscreen-25, connection goes well, I mean stable but when I re-connected the ASA and remove Juniper on the line, some PCs (mostly Win XPs) are getting intermittent connectivity in random, losing its default gateway (ASA) does losing internet connection as well.

        anyways sir thanks for the advise and your time.

      • Paul Stewart says:

        I’d be willing to bet that something is doing something strange with proxy arp. That creates some really intermittent and strange issues.

    • Brian says:

      We had similar issues on a 5512x that we are using as a gateway. We disabled Proxy Arp and it’s now working as intended.

  12. Leon. says:

    Thanks for the wonderful insight. I tried to use the examples here but it’s not working in my case. I have a router between my ASA and the Internet. The ASA uses the private IP of the router LAN interface as its outside IP and does NAT for its inside hosts. I can’t get packets from the router (Router has multiple LAN interfaces) to the host in the inside of the ASA.

    The inside ASA host pings anything on the router, but i just can’t get to the ASA inside host from the router.

    Please any help will be appreciated as this ASA is wack !!!!!!

    • You have a very interesting case from a “how does the ASA work” perspective. I wouldn’t recommend something like that in production. I have a couple of things you might want to think about, but I haven’t labbed your particular scenario.

      1. You are doing NAT on a stick with the ASA and I’m not sure that is supported. I also don’t know how state bypass would work because the session isn’t created. So what does it do with the return traffic?

      2. How do you get the return traffic from the router to the ASA? You might do this with PBR or something, but the ASA has to see traffic in both directions for the NAT to work.

      3. If the ASA sees traffic in both directions, TCP state bypass may not be required.

      Again, a very unique and interesting scenario. I’d like to lab it up sometime as a challenge, but I wouldn’t implement something like that in production for various reasons.

  13. Jon Hartman says:

    Each time I see a topology like this that uses host subnets as transit networks instead of segmenting it with a layer 3 device, a different interface on the firewall, or at least a VRF, I die a little inside. :(

  14. Jordan Crow says:

    Paul,

    On your requirements, you put:
    No STATICs or ACL for inbound traffic

    Does this mean that I can not have SMTP traffic coming and pointing to an internal mail server with this type of config?

    I am getting ready to turn MPLS up and will need to use this type of configuration since I do not have routers on site, only 5510’s. If this is not the way you would set it up (with the ASA’s), how would you set it up?

    • I would think of “Requirements” as business or customer requirements. I used that as a starting point. The config you describe can work. In your case, you might not have the issues I outlined. If you aren’t hair-pinning, all traffic that uses the ASA flows in one interface and out the other. In that case, you won’t find these issues.

      The issue I described is an ugly configuration. But it is a good example to demonstrate tcp state bypass and how the ASA processes flows.

      • Jordan Crow says:

        I appreciate it. I have an MPLS route on the inside of the ASA interface, and need to figure out how to route traffic only for a particular subnet to the MPLS router. It is ugly, but I have to wait until next year’s budget takes effect so I can get a layer 3 switch in place.

      • Yuk. That is exactly what I did for a car dealer, then decided to write this article. It can work, but it surely sucks. And to your original question, you could have an SMTP server with a STATIC/ACL as required.

  15. shawn says:

    Nice tutorial Paul. just brilliant

  16. shawn says:

    Morning Paul, I have a question, hope you can be of assistance to me.
    What would be the best setup for an ASA 5505 between a metro ethernet and my LAN?

  17. lyf says:

    can u send me ur email so that i send u my configuration to help me….Thanx in advance Paul Stewart.

  18. Anthony R. says:

    Thanks for the clear instructions! I worked with a Cisco TAC engineer on this issue and he broke my LAN! I had to SSH through the WAN interface and revert the changes he made. ugh. So this worked like a charm. One question to complicate matters…. Can we QoS the traffic going to the secondary gateway? :-)

  19. pashaei says:

    Love your article since I hopelessly searching for a solution for my problem and didn’t find anything helpful. my ASA 5510 has an outside interface with private IP address (192.168.x.x/24). my ISP routed a single valid IP address toward my ASA. what I need is using this IP address for teleworkers to terminate anyconnect VPNs but I don’t know where should I set this valid IP address. any idea?

    • Paul Stewart, CCIE 26009 (Security) says:

      I cannot think of a way to make that work. I have never seen an ASA VPN config that worked with anything other than the IP address on the interface that faces the client. You could probably use a loopback if it was a router instead of an ASA. But I prefer an ASA.

      • The only thought I have would be to get the ISP to NAT the interface out to a public IP. That should work.

      • pashaei says:

        Thank you Paul. I have a 2811 in front of ASA and already did NAT but the problem is (which I don’t know where it is from) anyconnect client got disconnected sometimes. I thought maybe TLS+DTLS tunnels aren’t NAT friendly. Any idea?

      • Paul Stewart, CCIE 26009 (Security) says:

        I would expect it to work through NAT without issue. I don’t know why it would disconnect.

  20. I could freaking kiss you! I was seriously losing hair over this issue, and there already isn’t much left up there. TCP State Bypass was the missing link for me. Thanks for creating this article!

  21. Simon Enna Wesche says:

    Although I knew most of the information in advance, this article is truly the best, simplest and most logical explanation and walk-through of this very topic, that I have ever come across. I am very impressed. Well done, and thanks for taking the time – something I always mean to do, but never get round to :)

  22. Andy Moon says:

    Paul,

    Thanks for this, the hair that i hadn’t pulled out yet very grateful !!!

  23. Anthony G says:

    Paul,

    I implemented your solution a few months ago and it works fine, thank you, but I have a problem when I surf the net through a Citrix session from wyse client. After exactly five minutes of surfing, the session becomes unusable with massive lags.

    If i bypass the ASA by putting the gateway of my thin client on the router of third party network, it works.

    Any idea of which timeout can cause this problem ?

  24. onnig says:

    Hi Paul,

    I tried your steps but it did not seem to work for me. My ASA is acting as an internet router with two publicly routed addresses. My ISP has given me a /30 and a /29 that I can use. If I choose to use the /29 then I have to use a router in-between their router and my WAN switch. Since we have no routers available with two ethernet interfaces I had to use our ASA. I tried setting up the /29 as the inside and the /30 as the outside and vice versa. I can ping out to the internet via the /30 which is the subnet for the next hop at my ISP’s router that is directly connected to the ASA interface. The /29 is connected to the WAN switch. I’m not sure if this is a NAT/PAT issue or a TCP state bypass issue, or something else. Thanks for your help.

    – Onnig

  25. onnig says:

    It works now, thanks for the help. The problem was fixed using your walkthrough, adjusting for my environment, and properly testing (that was my oversight).

    – Onnig

  26. Hi Paul
    Your article saved my life but I face a specific issue. DNS requests in 53/udp are not passing, 53/tcp it works with your trick. Have you experienced the same issue?

  27. Frank Fallon says:

    Hi Paul – I saw your “The Woes of Using an ASA as a Default Gateway” article and felt the situation to be very similar to mine. Unfortunately you use 8.2 NAT commands that do not work on my ASA 5505, which is at ASA Version 9.2(1).

    If I give you a glimpse of my setup, perhaps you would be able to suggest either NAT rules on the ASA or static routes on a Windows 2012 VM Server or RRAS software router.

    Here goes:

    On the 192.168.1.31 Subnet
    ++++++++++++++++++++++
    These 2 subnets are involved in my question: 192.168.1.0/24 and 192.168.15.0/24
    Cisco ASA 5505 is at Static IP 192.168.1.31
    DCROUT02 is a Windows 2012 VM RRAS router with 2 virtual NIC cards: 192.168.15.33 on the Inside and 192.168.1.33 on the Outside (and the Gateway of the Outside NIC is 192.168.1.31).
    I can ping from any member server on the 192.168.15.0 subnet over to 192.168.2.0

    On the 192.168.2.31 Subnet
    ++++++++++++++++++++++
    These 2 subnets are involved in my question: 192.168.2.0/24 and 192.168.16.0/24
    Cisco ASA 5505 is at Static IP 192.168.2.31

    I can ping from 192.168.2.0 subnet over to 192.168.1.33 (the DCROUT02 router on the 192.168.1.0 subnet on the other side of the Site-to-Site VPN) (as shown with TRACERT), but I cannot reach 192.168.15.33 on the Inside NIC of the DCROUT02 router.

    Will it be possible to accomplish this goal without purchasing additional VLAN’s for the ASA 5505? Are there static ROUTE statements that could be put in place on the 192.168.2.4 Windows 2012 server or on the 192.168.2.31 Cisco ASA 5505 or on the 192.168.1.31 Cisco ASA 5505 that would allow traffic to reach the 192.168.15.0 subnet on the other side of the Site-to-Site VPN Link?

    Thank you so much for your time – Frank

  28. Ahmad Ekmail says:

    Thank you very much Paul Stewart

  29. ltlnetworker says:

    Why would you want to route 100.1.1.0/24 behind a router if this is the same as the connected subnet? Is it a RAVPN pool?

    • Very small SMB environment runs into stuff like this all of the time. The diagram shows a single router to a third party with 100.1.1.0/24. The ASA is the only layer 3 device in the environment (not really ideal, but this is what we sometimes find). So the only real option we have is to use the ASA as the GW for the clients. So think about what the ASA sees. Client to server on 100.1.1.0/24 (syn, seen by ASA), Server to client (syn,ack not seen by ASA), client to server (ack, seen by ASA but is unexpected since ASA didn’t see the syn,ack). This is the corner case that we are trying to solve here. The other option is to use a static route on the hosts to send traffic destined to 100.1.1.0/24 to the router (which is out of your control) or use the router as the GW and ask the provider to put a default route in it that point toward ASA.

  30. ltlnetworker says:

    Asymmetry topic is clear for me. But I still can’t see why you don’t use two different subnets for local hosts and remote hosts behind the router.

    • I’m not completely sure I’m following you here. I guess what I would call the subnet for the local hosts is 10.1.1.0/24 and what I would call the subnet for “remote hosts behind the router” is 100.1.1.0/24. So I actually am using two different subnets for those two networks. Maybe you are asking about having a L3 connection between the ASA and router. That would also be a viable way to solve the asymmetry (but may or may not be viable given unrealistic constraints in a customer network).

  31. ltlnetworker says:

    My bad (-:
    Seemed identical for me

  32. Keith says:

    Love the article. Exactly what I needed!

    But… I have another ‘wrench’ in this scenario… On the other network (3rd party in your drawing), those stations have their own internet and access it through a 2nd ASA as the default router within their network. How can I get inter-office traffic to work from both sides while maintaining the ASA’s as the internet gateways at both sites?

    I’ve applied above configs to both ASA routers (with proper network routes / excludes), and can’t seem to get pings through from machine to machine. I can oddly enough pull up some local sites through by IP address, but DNS times out (as DNS is on the main network and would be access through the opposite ASA / router side network (3rd party again)).

    Any advice / guidance? I can send a drawing … Driving me crazy for a few days now.. :(

    • That’s very interesting and definitely a lot of complexity. Configuring both sides like I demonstrated should make it work (assuming all the other components are correct). I’d probably try to decrease the complexity by getting a router as the gw for my end devices. Alternatively, you might connect the routers into another interface on the ASAs. Traffic that has to bounce off a single ASA interface creates some interesting challenges. Definitely feel your pain (sometimes ideal designs in smaller networks lose out to cost savings).

      • Keith says:

        I was originally going to just use the ASAs, but got caught with needing the plus license for the extra vlans… so I grabbed a couple of routers for that exact purpose

        I have 2 RV320’s available (these are relatively small offices) and am using the one currently as the connecting router. I see that if I configure a device on the remote side manually to just use the router as the Default Gateway, I can ping and browse everything perfectly. Just seems to be an issue with the return path when using the remote ASA as the default gateway on remote devices…

  33. The Rug says:

    Massive thank you for this article – I have been racking my brain to get this problem resolved. Just one point – your ‘No NAT’ configuration needs updating since NAT was significantly changed from ASA software version 8.3 onwards.
    Thanks again!

  34. New networking guy says:

    I need to set up this Cisco ASA 5505 as a firewall for our network. I have a 20 Mbs connection to the switch and I want to see if it will handle the data flow. I am new to this and hope I am making sense. Thank you.

  35. Greg says:

    Hi Paul,

    The above setting are for asa pre 8.3 but what would be equivalent for asa post 8.3.
    I have the exact same problem you are showing above but have the problem of translating your pre 8.3 setting to post 8.3.

    Would you be so kind and show the same solution but for asa post 8.4 please

  36. Pingback: Hairpinning traffic through ASA with State Bypass - PacketU

  37. Faisal says:

    Hi Paul,
    Thanks for above solution, but below command is not working. I think it’s a new IOS, that’s the reason.

    nat (inside) 0 access-list NONAT
    ERROR: This syntax of nat command has been deprecated.
    Please refer to “help nat” command for more details.

  38. Seth says:

    Hey Paul, this is an old post I realize, but maybe you might be reading still….if so, I kinda think that what you have in this post, may be what I need to fix my issue.

    My company has a ASA 5510 in place. I have created a VPN Full tunnel for my iPhone. Phone connects, traffic is passed. So hairpinning is working.
    As long as the app or website is being accessed using the IP address, things work.
    But if you use Chrome or Safari it will not work. The DNS lookup is just not happening.

    Now the weird thing is that I have a PIX 515E here next to me I use for testing and I can get it to work as it should. I try to migrate those commands from the PIX to the ASA and it does not work at all.

    I have tried creating a DNS Inspect map, but that hasn’t helped…..
    Running out of ideas to try. It should work.
    It’s hard to really see what is happening in the log, since all the traffic is being passed on the outside interface, not too much shows up.

    Thank you for any thoughts or ideas you may have.

      • Seth says:

        Not sure I understand what you mean.
        I don’t really need the iPhone to connect to any internal stuff…
        So I have the IPSec policy set up to use Google’s DNS Servers.

      • There used to be some issues with iOS devices and .local TLDs. Based on your next comment, I don’t think this is your issue.

      • Seth says:

        This is what my config on my ASA looks like in reference to this tunnel:

        access-list Outside_access_in extended permit ip VPNMobile 255.255.255.0 any
        access-list Outside_access_in extended permit ip any VPNMobile 255.255.255.0
        !
        access-list Inside_access_in extended permit ip any RemoteVPN 255.255.255.0
        !
        global (Outside) 10 interface
        nat (Outside) 0 access-list Outside_nat0_outbound
        nat (Outside) 10 VPNMobile 255.255.255.0
        nat (Inside) 0 access-list Inside_nat0_outbound
        nat (Inside) 10 0.0.0.0 0.0.0.0
        access-group Outside_access_in in interface Outside
        access-group Inside_access_in in interface Inside
        !
        group-policy iPhone internal
        group-policy iPhone attributes
         dns-server value 8.8.8.8 8.8.4.4
         vpn-tunnel-protocol IPSec
         default-domain value my_domain
        !
        tunnel-group iPhone type remote-access
        tunnel-group iPhone general-attributes
         address-pool VPNMobile
        tunnel-group iPhone ipsec-attributes
         pre-shared-key my_psk
        !
        class-map inspection_default
         match default-inspection-traffic
        !
        !
        policy-map type inspect dns MY_DNS_INSPECT_MAP
         parameters
          message-length maximum 512
        policy-map global_policy
         class inspection_default
          inspect ftp
          inspect h323 h225
          inspect h323 ras
          inspect rsh
          inspect rtsp
          inspect esmtp
          inspect sqlnet
          inspect skinny
          inspect sunrpc
          inspect xdmcp
          inspect sip
          inspect netbios
          inspect tftp
          inspect dns MY_DNS_INSPECT_MAP
          inspect icmp
        policy-map type inspect dns migrated_dns_map_1
         parameters
          message-length maximum 512
        !
        service-policy global_policy global

      • Nothing stands out to me as an issue in your configuration.

      • Seth says:

        I was thinking of maybe trying this:
        access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.224 any
        access-list tcp_bypass extended permit tcp any 192.168.1.0 255.255.255.224
        class-map tcp_bypass
         description "TCP traffic that bypasses stateful firewall"
         match access-list tcp_bypass
        policy-map tcp_bypass_policy
         class tcp_bypass
          set connection advanced-options tcp-state-bypass
        service-policy tcp_bypass_policy outside

        Do you think that would help??
        It seems to be getting hung up on the outside interface, but it is hard to tell because logging doesn’t really show too much information since all the traffic is occurring on the outside interface.
        And I don’t know of a way to watch the traffic from a VPN Client.

      • The traffic shouldn’t be impacted by TCP state or TCP state bypass. DNS is mostly UDP. I would try to get a packet capture on the outside interface to know exactly what you are dealing with. You might also try to use a full PC as a remote access client for more flexibility in testing. It seems like it is a process of narrowing things down. Since it is working correctly for a 515E with a similar configuration, you have to be almost completely there.

        You do have “sysopt permit connection-vpn” and “same-security-traffic permit intra-interface” configured, correct? Sorry, I don’t have a lot of time to lab up your config and make sure there’s not some default that is catching us unaware.

      • Seth says:

        I have
        sysopt connection tcpmss 0
        What does the sysopt permit connection-vpn do?

        Yes the:
        same-security-traffic permit inter-interface
        same-security-traffic permit intra-interface
        Commands are enabled.

      • sysopt permit connection-vpn —

        ^-This allows any traffic that is encrypted/authenticated/tunnelled to bypass the inbound ACL. Seems that you have a rule that would allow it anyway. Basically this is a bypass for tunnelled traffic. I don’t think this is your issue, and it might show up if you do “show run all”.

      • Seth says:

        I tried that command
        On 8.2 it is: sysopt connection permit-vpn
        Didn’t work.
        Results still the same.

      • Seth says:

        So question.
        On the IPSec policy….what about Nat-T and Route Reverse Injection.
        How would they work in a situation like hairpinning?

      • Seth says:

        I was able to get it figured out.
        Working as it should now. :)
