08-08-2023 11:55 AM - last edited on 08-10-2023 04:51 AM by Translator
Need help with routing on ASA. Here is the diagram:
I know the design is not great. The load balancer is acting as the L3 for vlan 104, so I ended up with asymmetric routing. DC and Client computers can ping each other, but Client cannot authenticate, unless I put a static route on the DC. Is there a way to make it work without a static route on the DC?
08-08-2023 01:48 PM - last edited on 08-10-2023 04:54 AM by Translator
I'm assuming that there's a switch between the ASA and LB & DC?
There are a few limits with this setup:
1. By default, ASA doesn't allow traffic entering and exiting the same interface. This can be overcome with the same-security-traffic permit intra-interface command, which I assume you've already done since they can ping each other.
2. Traffic from the client will reach the LB, and since the LB and DC are on the same connected subnet (vlan 100, 10.1.100.0/24?) the packet will be sent directly from the LB to the DC. However, since the DC only has a default route to the ASA, the return packet will be sent to the ASA.
For icmp & udp, this might work, but for protocols such as TCP you'll have issues with the ASA dropping the reply packet as a non-syn packet and no session establishment.
You might be able to work around this using NAT on the LB, but that might break other things for client to DC communications.
Or you could enable tcp_bypass on the ASA for this traffic. (https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118995-configure-asa-00.html)
If you can't redesign this setup, for example by adding a L3 switch/router to use as your default GW instead of the firewall, or changing the LB to be "on a stick", having a static route on the DC might be one of your better options.
You have to consider that whatever solution you choose doesn't make the environment too complex from a troubleshooting perspective.
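As an added illustration (not configuration from the poster or the thread), this is what the TCP state bypass from the linked Cisco document looks like when scoped to only the DC-to-client traffic that hairpins through the ASA. The DC subnet 10.1.100.0/24 comes from the thread; the interface name inside, the vlan 104 subnet 10.1.104.0/24 and the ACL/class/policy names are assumptions.

```cisco
! Match only the asymmetric flows: DC subnet (vlan 100) <-> client subnet (vlan 104).
! Both directions are listed so whichever packet the ASA sees first builds the connection.
! 10.1.104.0/24 is an assumed value for vlan 104; substitute the real client subnet.
access-list tcp_bypass extended permit tcp 10.1.100.0 255.255.255.0 10.1.104.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.1.104.0 255.255.255.0 10.1.100.0 255.255.255.0
!
class-map tcp_bypass
 match access-list tcp_bypass
!
! tcp-state-bypass turns off SYN/state checking for matched flows, so the ASA no longer
! drops the DC's reply as a "non-syn" packet. It also removes the TCP normalizer checks
! for those flows, which is why the ACL above is kept as narrow as possible.
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! Only one service-policy can be attached per interface; if one already exists on
! "inside", add the class to that existing policy-map instead of creating a new one.
service-policy tcp_bypass_policy interface inside
```

After applying it, confirm the class is catching traffic with show service-policy and that connections for the DC/client pair now appear in show conn.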
08-09-2023 02:54 PM - last edited on 08-10-2023 04:55 AM by Translator
Yeah, changing anything on the LB is not a good option, it would break too many things. tcp_bypass did the trick, so the issue is resolved. Thanks a lot!