I came across an interesting problem today while dealing with an asymmetric routing issue on a Cisco ASA. The network is set up as follows:
I encountered the issue when trying to manage the access points and switches across the site-to-site VPN from the management workstation. All devices have their default gateway pointed at the ASA, and the ASA has a route to the remote network via the device handling the site-to-site VPN, in this case a NetScreen SSG5 firewall. Pings work fine; however, when trying to SSH or telnet to the devices, a connection is never established.
Breaking down the traffic path: the management traffic leaves the workstation, is encrypted across the tunnel and arrives at the end device directly from the SSG, but the return path sends the reply to the ASA, because that is the device's default gateway. I had enabled the command same-security-traffic permit intra-interface on the ASA to permit traffic to leave via the same interface it arrived on, however I still found that I was not getting a response from the device.
After enabling some logging on the ASA it was clear that the ASA was denying the traffic; the following was logged:
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.230/22 to 10.0.1.86/4060 flags SYN ACK on interface inside
The ASA is denying the SYN ACK because it never saw the initial SYN traverse it, so there is no connection entry for the reply to match against; it is being a good stateful firewall. After a bit of googling and head scratching it doesn't appear that there is a way to tell the ASA to permit this traffic, so a workaround is in order.
I didn’t fancy adding static routes to each device pointing at the remote network via the SSG; in fact the 1131G access points in question do not support adding an independent route at all. The solution I came up with was to have the SSG forward the management traffic via the ASA, forcing the ASA to see both directions of the conversation and therefore permit the replies back across the VPN. This was achieved by adding a /32 host route for each managed device on the SSG, with the ASA as the next hop.
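To make the failure and the fix concrete, here is an added example (written for this edit, not code from the original post) that models the topology in Python: a stateful ASA that drops any non-SYN TCP packet with no matching connection entry and drops hairpinned traffic unless intra-interface traffic is permitted, an SSG whose route table optionally carries the /32 host route via the ASA, and the SSH three-way handshake between the workstation and an access point. The addresses 10.0.1.86 and 192.168.1.230 are taken from the log line above; the ASA at 192.168.1.1, the SSG at 192.168.1.2, the interface names and the ScreenOS command quoted in the comment are assumptions.

```python
"""Toy model of the asymmetric-routing failure and the /32 host-route fix.

Added example, not code from the original post. Only the two ASA behaviours
the post relies on are modelled: a non-SYN TCP packet is dropped unless a
connection entry exists for its flow, and traffic leaving the interface it
arrived on is dropped unless intra-interface traffic is permitted.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN ACK" or "ACK"


@dataclass
class Node:
    name: str
    addr: str              # address the node answers to as an endpoint
    links: dict            # neighbour name -> local interface name (assumed names)
    routes: list           # (prefix, next-hop node name; None = directly connected)
    stateful: bool = False # True only for the ASA
    permit_intra_interface: bool = False
    conns: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def lookup(self, dst):
        """Longest-prefix match; returns the next-hop node name (None = on-link)."""
        best_len, best_nh = -1, None
        for prefix, nh in self.routes:
            net = ip_network(prefix)
            if ip_address(dst) in net and net.prefixlen > best_len:
                best_len, best_nh = net.prefixlen, nh
        if best_len < 0:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best_nh

    def inspect(self, pkt, in_iface, out_iface):
        """ASA-style checks; returns True if the packet may be forwarded."""
        if in_iface == out_iface and not self.permit_intra_interface:
            self.log.append(f"Deny hairpin on {in_iface}: same-security-traffic "
                            "permit intra-interface is not configured")
            return False
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "SYN":
            self.conns.add(fwd)  # the SYN is what creates the connection entry
        elif fwd not in self.conns and rev not in self.conns:
            self.log.append(f"%ASA-6-106015: Deny TCP (no connection) from {pkt.src}/{pkt.sport} "
                            f"to {pkt.dst}/{pkt.dport} flags {pkt.flags} on interface {in_iface}")
            return False
        return True


class Network:
    MAX_HOPS = 16

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.by_addr = {n.addr: n.name for n in nodes}

    def deliver(self, pkt, origin):
        """Forward hop by hop; returns (path taken, delivered?)."""
        node, in_iface, path = self.nodes[origin], None, [origin]
        while node.addr != pkt.dst:
            if len(path) > self.MAX_HOPS:
                return path, False
            nxt_name = node.lookup(pkt.dst) or self.by_addr[pkt.dst]
            out_iface = node.links[nxt_name]
            if node.stateful and not node.inspect(pkt, in_iface, out_iface):
                return path, False
            in_iface = self.nodes[nxt_name].links[node.name]
            node = self.nodes[nxt_name]
            path.append(nxt_name)
        return path, True


def build(host_routes_via_asa, permit_intra=True):
    """Assemble the site: workstation behind the SSG tunnel, ASA and AP on 192.168.1.0/24."""
    ssg_routes = [("192.168.1.0/24", None), ("10.0.1.0/24", None)]
    if host_routes_via_asa:
        # The workaround, roughly "set route 192.168.1.230/32 interface ethernet0/0
        # gateway 192.168.1.1" in ScreenOS (assumed addresses and interface).
        ssg_routes.append(("192.168.1.230/32", "asa"))
    return Network([
        Node("workstation", "10.0.1.86", {"ssg": "eth0"}, [("0.0.0.0/0", "ssg")]),
        Node("ssg", "192.168.1.2",
             {"workstation": "tunnel.1", "asa": "ethernet0/0", "ap": "ethernet0/0"}, ssg_routes),
        Node("asa", "192.168.1.1", {"ssg": "inside", "ap": "inside"},
             [("192.168.1.0/24", None), ("10.0.1.0/24", "ssg")],
             stateful=True, permit_intra_interface=permit_intra),
        Node("ap", "192.168.1.230", {"asa": "bvi1", "ssg": "bvi1"}, [("0.0.0.0/0", "asa")]),
    ])


def ssh_handshake(net, client="workstation", server="ap", sport=4060, dport=22):
    """Run the TCP three-way handshake; returns the paths taken and whether it completed."""
    c, s = net.nodes[client], net.nodes[server]
    steps = [(Packet(c.addr, sport, s.addr, dport, "SYN"), client),
             (Packet(s.addr, dport, c.addr, sport, "SYN ACK"), server),
             (Packet(c.addr, sport, s.addr, dport, "ACK"), client)]
    paths = []
    for pkt, origin in steps:
        path, ok = net.deliver(pkt, origin)
        paths.append(path)
        if not ok:
            return {"established": False, "paths": paths}
    return {"established": True, "paths": paths}


if __name__ == "__main__":
    for fix in (False, True):
        net = build(host_routes_via_asa=fix)
        result = ssh_handshake(net)
        print(f"/32 host routes on SSG: {fix} -> established={result['established']}")
        for p in result["paths"]:
            print("   ", " -> ".join(p))
        for line in net.nodes["asa"].log:
            print("    ASA:", line)
```

Run as written, the first scenario stops at the ASA with the same 106015 message as above, while the second completes because the SYN now crosses the ASA before the SYN ACK does. Passing permit_intra=False to build with the host routes in place shows that the /32 routes alone are not enough: both directions now hairpin on the inside interface, so same-security-traffic permit intra-interface is still required. One caveat a practitioner should keep in mind: ASA 8.2(1) and later also offer TCP state bypass (set connection advanced-options tcp-state-bypass under a policy-map class), which switches this check off for matching flows, but that gives up the stateful protection for those flows, whereas routing the SYN through the ASA keeps it.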