ASA routing

michael151
Level 1

Need help with routing on ASA. Here is the diagram:

[Diagram image: 2023-08-08_14-43-53.png]

I know the design is not great. The load balancer is acting as the L3 for vlan 104, so I ended up with asymmetric routing. DC and Client computers can ping each other, but Client cannot authenticate, unless I put a static route on the DC. Is there a way to make it work without a static route on the DC?

Accepted Solution

I'm assuming that there's a switch between the ASA and LB & DC?
There are a few limits with this setup:

1. By default, ASA doesn't allow traffic entering and exiting the same interface. This can be overcome with the same-security-traffic permit intra-interface command, which I assume you've already done since they can ping each other.

2. Traffic from the client will reach the LB, and since the LB and DC are on the same connected subnet (vlan 100, 10.1.100.0/24?) the packet will be sent directly from the LB to the DC. However, since the DC only has a default route to the ASA, the return packet will be sent to the ASA.
For ICMP & UDP this might work, but for protocols such as TCP you'll have issues with the ASA dropping the reply packet as a non-SYN packet and no session establishment.

You might be able to work around it by using NAT on the LB, but that might break other things for client-to-DC communications.
Or you could enable tcp_bypass on the ASA for this traffic. (https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118995-configure-asa-00.html)

If you can't redesign this setup, for example by adding a L3 switch/router to use as your default GW instead of the firewall, or changing the LB to be "on a stick", having a static route on the DC might be one of your better options.
You have to consider that whatever solution you choose doesn't make the environment too complex from a troubleshooting perspective.
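The tcp_bypass workaround the accepted answer points to, written out as an added ASA configuration example (it is not from the thread or the linked Cisco document); the vlan 104 client subnet 10.1.104.0/24, the DC address 10.1.100.10 and the interface name "inside" are assumptions, since the thread only hints at 10.1.100.0/24 for vlan 100.

```cisco
! Allow traffic to enter and leave the same ASA interface
! (the answer assumes this is already configured, since ping works)
same-security-traffic permit intra-interface
!
! Match only the flows that take the asymmetric path. Both directions
! are listed because the ASA may see the DC's reply before any SYN.
! (10.1.104.0/24 and 10.1.100.10 are assumed values, not from the thread)
access-list TCP_BYPASS_ACL extended permit tcp 10.1.104.0 255.255.255.0 host 10.1.100.10
access-list TCP_BYPASS_ACL extended permit tcp host 10.1.100.10 10.1.104.0 255.255.255.0
!
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS_ACL
!
! TCP state bypass: for matched flows the ASA no longer drops a packet
! because it is a non-SYN packet without an existing connection
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the client and DC traffic enters (assumed name "inside")
service-policy TCP_BYPASS_POLICY interface inside
```

Because state bypass switches off the SYN-first and sequence checks for whatever the ACL matches, keep the ACL scoped to the client subnet and the DC rather than a whole interface, so the rest of the traffic keeps full stateful inspection.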


2 Replies


Yeah, changing anything on the LB is not a good option; it would break too many things. tcp_bypass did the trick, so the issue is resolved. Thanks a lot!
