Thank you and apologies for multiple posts on the same subject. There is something wrong with the forum site, I could not see the posts after posting, they appear after several hours.

Please refer to the attached updated network diagram in the post; as you can see there are two servers pointing to the L3 switch as gateway. I have defined the mgmt interface gi0/7 as management only and also a static route on the firewall for the local segment. With this setup, can both of my servers communicate with the DMZ server? Traffic enters the firewall thru the inside interface of the ASA and then goes to the DMZ server. Can it be routed thru the inside interface of the ASA? Now how does the reply from the DMZ server to 192.168.1.10 flow? Server 172.16.0.10 trying to connect to ASA mgmt interface 192.168.1.1.

Case 1: Return traffic would not be routed through the Inside interface, as the Mgmt interface is configured with the 192.168.1.x subnet. Both of your servers would be able to communicate with your DMZ servers. ASA now would compare the connection created and the route on ASA. As the inside interface of the connection doesn't match with the route via management, ASA would drop the connection. So they would not be able to communicate.

Case 2: Your L3 switch would perform inter-VLAN routing for your management subnet and the 172.16.x.x subnet. However, if you really wish to make it work (it is an asymmetric routing scenario), then you could try implementing TCP state bypass (usually not recommended). I believe this 172 subnet is not configured on ASA interfaces. You need to have a route on ASA for the 172.16.x.x subnet through the management interface for return traffic, with the gateway pointing towards the L3 switch 192.168.1.3 IP (then again check that the route is not present through the inside interface also, or else again it would create asymmetric routing). You do not need to explicitly configure a route for a directly connected subnet. ASA itself identifies that as a connected route.

In that case you need to restrict the subnet which could have the management interface access. Also you need to restrict the subnet to enter or connect to ASA through only one interface (or else it would create asymmetric routing). In your case you are connecting to two different interfaces (management and inside) from the same subnet, so ASA gets confused every time ASA has to send reply packets. Therefore, connect the management interface through a subnet which is not allowed to go out through the Inside interface. Example: configure 192.168.1.x to connect to the management interface and configure another subnet 192.168.3.x for your server communication to the DMZ server. Also, if the ASA 172.16 subnet route is configured on ASA for Inside, then do not allow it to access management.

Configure NAT on the switch for 192.168.1.x, NATted to the Inside VLAN IP when it tries to get out through the inside interface, so that ASA would think that it received a packet with a source IP of the inside subnet and sends the reply packet to the switch through the inside interface, and the switch would untranslate it back to the 192.168.1.x IP. With this you would also be able to connect to Management through the same subnet (in this case, the switch would not perform translation when going to the management interface). I have never tried this, but I guess it should work.
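The separated-subnet design recommended above (192.168.1.x only for management, a second subnet for the servers that reach the DMZ through inside, and never two paths on the ASA to one source subnet), written out as ASA configuration with a packet-tracer check. This is an added example, not configuration from the thread; the inside and DMZ interface addresses (192.168.2.1, 10.10.10.1), the L3 switch's inside-side address (192.168.2.2) and the DMZ server address (10.10.10.10) are placeholders, since the thread gives none of them.

```cisco
! Management interface, reachable only from its connected subnet (192.168.1.0/24 per the thread).
interface GigabitEthernet0/7
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
! Inside interface; 192.168.2.1/24 is a placeholder, the thread gives no inside address.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! DMZ interface; 10.10.10.1/24 is a placeholder.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Server subnet 192.168.3.0/24 (the thread's suggested second subnet) sits behind the
! L3 switch and is reached only through inside; 192.168.2.2 is a placeholder next hop.
route inside 192.168.3.0 255.255.255.0 192.168.2.2 1
!
! Each source subnet now has exactly one path on the ASA, so replies leave on the
! interface the connection was built on. The pair below is the asymmetric case the
! thread warns about; never configure both for the same subnet:
!   route management 172.16.0.0 255.255.0.0 192.168.1.3 1
!   route inside     172.16.0.0 255.255.0.0 192.168.2.2 1
!
! Management-plane access limited to the management subnet on the management interface.
ssh 192.168.1.0 255.255.255.0 management
http server enable
http 192.168.1.0 255.255.255.0 management
!
! Check: simulate a server-to-DMZ SYN. With the design above the trace ends in
! "Action: allow". If the ASA's route back to the source pointed at a different
! interface than the one the packet entered on, the trace would show a drop instead,
! which is the asymmetric-routing situation discussed in the thread.
packet-tracer input inside tcp 192.168.3.10 40000 10.10.10.10 443 detailed
! Confirm that no second path exists for any source subnet.
show route
```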