U-turn traffic on Cisco ASA

Posted on November 17, 2010

0



On the Cisco ASA Firewall you can redirect the traffic on the incoming interface back to the incoming interface if you want. This feature is from Version 7.2.2 reachable. To demonstrate this feature I made a small test topology with a Cisco ASA Firewall and an internal router.

Topology:

Requirements:

On the Topology the Test PC should reach the 172.16.1.5 host.
The default gateway of the Test PC is the ASA firewall.

The ASA firewall should forward the traffic back on its inside interface to the Inside Router (172.18.2.254) and the Router should send the reply packets to the ASA and not directly to the host. To be able to solve this we need to configure a route map on the router.

ASA configuration:

hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 212.10.10.4 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.18.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging console debugging
mtu outside 1500
mtu inside 1500
no failover
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
static (inside,inside) 172.16.1.5 172.16.1.5 netmask 255.255.255.255 norandomseq
route inside 172.16.1.0 255.255.255.0 172.18.2.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context

Inside Router configuration:

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.18.2.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip policy route-map test
duplex auto
speed auto
!
interface IDS-Sensor1/0
no ip address
shutdown
hold-queue 60 out
!
ip route 0.0.0.0 0.0.0.0 172.18.2.1
!
ip http server
no ip http secure-server
!
access-list 101 permit ip host 172.16.1.5 172.18.2.0 0.0.0.255
route-map test permit 10
match ip address 101
set ip next-hop 172.18.2.1
!
!
!
control-plane
!
!
!
!
line con 0
line 33
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin mop udptn v120 ssh
line aux 0
line vty 0 4
password cisco
login local
line vty 5 15
login
Advertisements
Posted in: ASA, Cisco, Routing, Security