Is it possible to allow traffic through an ASA5510 which was not initiated through this firewall but through another one?
Background: We change our external IP numbers but don't want to change our internal default route (which links to an ASA5510, the 'old' one). Our new VPN traffic comes from the 'new' ASA, and the internal client PC sends it to the 'old' ASA. There is a route which directs this traffic to the new one. But I get the error
(within the VPN: telnet internal_host 22, with the 'old' ASA as default gateway)
%ASA-6-106015: Deny TCP (no connection) from 192.168.XXX.XXX/22 to 192.168.10.1/34625 flags SYN ACK on interface inside
new ext.Router---(new IP-RANGE 91.215.XXX.4)---outside---ASA_02---internal---192.168.1.129(/24)
The old IP range will be closed in the near future. The default internal gateway is ASA_01, 192.168.1.130, for all our client PCs.
VPN works through this ASA_01.
Now I install VPN on the ASA_02 and would like to leave the old gateway on the client PCs unchanged. So I thought:
VPN traffic from outside -> ASA_02 -> client PC, and back:
client PC -> ASA_01 (default gateway) -> ASA_02 (static route for the VPN address space)
-> new ext.Router -> Internet -> VPN endpoint
When I ping or telnet through the new VPN, I can see the incoming traffic on the client PC, but the return path is blocked by the ASA_01 with the error:
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.162/22 to 192.168.10.1/34625 flags (VPN-address) SYN ACK on interface inside
%ASA-7-609002: Teardown local-host inside:192.168.1.162 duration 0:00:00
%ASA-7-609002: Teardown local-host inside:192.168.10.1 duration 0:00:00
I understand that the ASA blocks traffic which is not initiated through it; it seems to be good behaviour for a firewall, but can I make an exception for this route (ASA_01 -> ASA_02, 192.168.10.0/24)?
thanks again for any idea you have!
Gerhard
jcle wrote:
we would like to avoid setting a static route on every client PC; it seems smarter to let the old ASA do the routing.
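The "Deny TCP (no connection) ... flags SYN ACK" message is what an ASA logs when the return half of a TCP flow arrives without the SYN having passed through it, i.e. exactly the asymmetric path described in the thread (SYN goes ASA_02 -> client PC, SYN/ACK goes client PC -> ASA_01). The narrowest exception on ASA_01 is TCP state bypass for just that flow, combined with intra-interface forwarding since the packets enter and leave the same inside interface. This is an added configuration example, not taken from the thread; it assumes the values in the post (VPN pool 192.168.10.0/24, LAN 192.168.1.0/24, ASA_02 inside address 192.168.1.129) and an ASA release that supports `tcp-state-bypass` (8.2(1) or later).

```cisco
! Packets arrive on "inside" and must be sent back out "inside" toward ASA_02
same-security-traffic permit intra-interface

! Match ONLY the VPN pool <-> LAN flows; everything else keeps full state tracking
access-list ASYM_BYPASS extended permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ASYM_BYPASS extended permit tcp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

class-map ASYM_BYPASS_CLASS
 match access-list ASYM_BYPASS

! Skip the TCP SYN/state check for the matched class (this is the exception asked for)
policy-map ASYM_BYPASS_POLICY
 class ASYM_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass

! Apply on the inside interface; an existing global policy-map keeps applying for other traffic
service-policy ASYM_BYPASS_POLICY interface inside

! The static route the poster already has: VPN pool is reachable via ASA_02's inside address
route inside 192.168.10.0 255.255.255.0 192.168.1.129 1
```

Note that state bypass disables TCP state tracking and normalisation for the matched flows only, so keep the access list limited to the VPN pool and LAN rather than `any`; any access-group applied to the inside interface must still permit the 192.168.10.0/24 traffic, and after the change the 106015 denies for 192.168.10.1 should stop appearing in the log.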