Static Routes

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Static Routes

L1 Bithead

We have a Cisco ASA that has tunnels to our branch offices.  An Example is 192.168.9.0/24.  The local network is 192.168.10.0/24.  The lan port of the ASA is 192.168.10.10.  The lan port of the Palo Alto is 192.168.10.1.  When I change the gateway to one of the servers to use the Palo, it can ping a host on the 192.168.9.x network and the remote network can ping it.  I have a static route in the Palo that points all traffic destined for 192.168.9.x to hit the ASA.  When I try to RDP into the server from teh remote network it fails.  I can go to the command prompt of the server and type "route add 192.168.9.0 mask 255.255.0 192.168.10.10" and everything works fine.  So my question is, why does it not work pushing the routes via the Palo to the server?

 

****I can go from the server to the remote subnet fine.

2 REPLIES 2

Cyber Elite
Cyber Elite
Routing appears to be fine, but ping is a stateless protocol so will work by simply following the routes
TCP is stateful so requires a little more "logic"
Since the firewall is routing back inside, the packet will retain it's original source IP when increasing the tunnel, causing the remote server to reply back to the original client. This causes the asa to forward the reply packet directly to the client. The client will then send another packet to the firewall, this is where "things go wrong"

The firewall requires statefull sessions for it to apply TCP sanity, build a session and scan for all kinds of interesting metrics. Since the reply from the server never touched the firewall, the TCP handshake is left half open, which is a bad state (sun floods work like this too), so the firewall will want to close this session as soon as possible, breaking your connection

To resolve this, the ASA would either need to be moved into a DMZ, so normal routing through the firewall is achieved, or U-Turn NAT needs to be applied, setting source nat to the firewalls internal ip, so reply packets from the server are forced to the firewall first so it can complete its session creation steps

Please check out this article https://live.paloaltonetworks.com/t5/Tutorials/How-to-Configure-U-Turn-NAT/ta-p/65081
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you for the detailed information.  I did have that setup and it seems to work one way (if I take it out, it will not reach the branch)  But it will not reverse and we are thinking it has to do with the ASA.  So for now, I think we are going to add the routes in the servers.  But eventually we will move the tunnels over to the Palo and it will fix it for good.  Again, thanks for your insight.  

  • 2127 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!