Problem routing between directly connected Subnets w/ ASA-5510

Solution 1

There are a few problems in your question. First, I wouldn't naturally think that I could get to the inside network from the outside network. The ASA is a FIREWALL, not a router. If it did this, it wouldn't be doing its job. A router will do that just fine.

The second major problem is with your route command. You don't need it. You have 2 locally connected networks. The firewall knows how to reach both of them. They are directly connected. Thus, you don't need a route command to tell the firewall what the next hop is.

With that stuff out of the way, let's get to an answer. The ASA requires every network to have a security level attached to it from 0-100. A higher security level will be able to access a lower security level. A lower security level needs explicit access granted to resources at a higher level. So let's start by assigning the proper security levels:

interface ethernet 0/0
nameif outside
security-level 0
ip address 10.19.200.3 255.255.255.0

interface ethernet 0/1
nameif inside
security-level 100
ip address 10.19.4.254 255.255.255.0

Now your inside network is allowed to access your outside network. If you need to allow your outside network to access your inside network, you need to define that in an access-list and assign it to the interface in an access group:

access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside

But it's still not working? Probably because you need to define static mappings from one network to the other. Otherwise the firewall doesn't know what to do. Remember, this is a firewall, not a router:

static (inside,outside) 10.19.4.0 10.19.4.0 netmask 255.255.255.0
static (outside,inside) 10.19.200.0 10.19.200.0 netmask 255.255.255.0

That's it...you should have free flow between the 2 interfaces...really defeats the purpose of a firewall, but it seems to be what you want. At least it gives you a starting point and you can restrict traffic from there.
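The three checks Solution 1 walks through (security levels, the inbound ACL, and the identity static that supplies an xlate) as a small added model, not code from either answer; the interface names, levels and subnets come from the question and the answer, while the function names and data structures are my own assumptions, and the xlate requirement mirrors the pre-8.3 behaviour the answer describes.

```python
# Added example: a toy model of the ASA forwarding checks described in
# Solution 1. Interface names, levels and subnets are from the page; the
# function names and the ACL/static representations are assumptions.
import ipaddress

INTERFACES = {
    "outside": {"level": 0, "subnet": ipaddress.ip_network("10.19.200.0/24")},
    "inside": {"level": 100, "subnet": ipaddress.ip_network("10.19.4.0/24")},
}


def connected_interface(addr):
    """Return the interface whose directly connected subnet holds addr."""
    ip = ipaddress.ip_address(addr)
    for name, cfg in INTERFACES.items():
        if ip in cfg["subnet"]:
            return name
    return None


def decide(src, dst, acls=None, statics=(), same_security=False):
    """Return (allowed, reason) for a packet from src to dst.

    acls:    {ingress_if: "permit"|"deny"} standing in for 'access-group ... in'
    statics: (real_if, mapped_if, real_net) tuples standing in for
             'static (real,mapped) net net netmask ...'
    """
    acls = acls or {}
    in_if, out_if = connected_interface(src), connected_interface(dst)
    if in_if is None or out_if is None:
        return False, "no connected route for src or dst"
    if in_if == out_if:
        return False, "same-interface traffic is not modelled here"
    # 1. Access check: an ACL bound to the ingress interface replaces the
    #    implicit level rule (higher level may reach lower level).
    if in_if in acls:
        if acls[in_if] != "permit":
            return False, f"denied by ACL on {in_if}"
    else:
        lvl_in, lvl_out = INTERFACES[in_if]["level"], INTERFACES[out_if]["level"]
        if lvl_in < lvl_out:
            return False, f"{in_if} (level {lvl_in}) needs an ACL to reach {out_if}"
        if lvl_in == lvl_out and not same_security:
            return False, "same-security-traffic permit inter-interface not set"
    # 2. Translation check: the source needs an identity static from the
    #    ingress to the egress interface, otherwise there is no xlate.
    src_ip = ipaddress.ip_address(src)
    for real_if, mapped_if, net in statics:
        if (real_if, mapped_if) == (in_if, out_if) and src_ip in ipaddress.ip_network(net):
            return True, f"permitted via static ({real_if},{mapped_if})"
    return False, f"no xlate from {in_if} to {out_if}; add an identity static"
```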

Solution 2

I'm not positive - but there's nothing apparently wrong with your setup - I think the problem is in the tests you are trying to do.

Telling the router to ping one interface with the other as a source address is something I'm not sure would work - it may assume that you mean you want the traffic to leave that interface - in which case it's correct, it has no route to that IP.

Have you tried testing connectivity from external devices, rather than from the router itself?

As long as you don't have some ACLs or NAT in place, and as long as the other devices have appropriate routes to reach this thing, I can't see any reason this isn't just plain old routing...

Comments

  • ŹV -
    ŹV - over 1 year

    This is an issue I've been struggling with for quite some time, with a seemingly simple answer (Aren't all IT problems?).

    And that is the problem of passing traffic between two directly connected subnets with an ASA

    While I'm aware that best practice is to have Internet -> Firewall -> Router, in many cases this isn't possible.

    For example, I have an ASA with two interfaces, named OutsideNetwork (10.19.200.3/24) and InternalNetwork (10.19.4.254/24). You'd expect Outside to be able to get to, say, 10.19.4.1, or at LEAST 10.19.4.254, but pinging the interface gives only bad news.

    Result of the command: "ping OutsideNetwork 10.19.4.254"
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.19.4.254, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

    Naturally, you'd assume that you could add a static route, to no avail.

    [ERROR] route Outsidenetwork 10.19.4.0 255.255.255.0 10.19.4.254 1
    Cannot add route, connected route exists

    At this point, you might gander if it's a NAT or access list problem.

    access-list Outsidenetwork_access_in extended permit ip any any
    access-list Internalnetwork_access_in extended permit ip any any

    There is no dynamic nat (or static nat for that matter), and Unnatted traffic is permitted.

    When I try pinging the above address (10.19.4.254 from Outsidenetwork), I get this error message from level 0 logging (debugging).

    Routing failed to locate next hop for icmp from NP Identity Ifc:10.19.200.3/0 to Outsidenetwork:10.19.4.1/0

    This led me to set same-security traffic permit, and assigned the same, lesser and greater security numbers between the two interfaces.

    Am I overlooking something obvious? Is there a command to set static routes that are classified higher than connected routes?

  • ŹV -
    ŹV - over 13 years
    I thought the same thing, but not just the router is affected, all hosts in 10.19.4.1 can communicate with the outside world just fine, just not anything in the subnet of one of the other ASA interfaces. I'm not just using a different IP address instead, but it still confuses the hell out of me.
  • Fergus
    Fergus almost 7 years
    ASA security appliance uses both routing table and XLATE tables for routing decisions - Not necessarily a router per se, they do route traffic.