ASA5520 trunking problem

We're moving to a different firewall set and I'm trying to set up a connection from an inside host to a remote server.
The inside host can ping but is getting a remote host not responding error when using a browser from the inside of the network.
When I connect a laptop directly into a switchport in the correct vlan outside the firewall I can connect to the http page of the remote server.
I've done packet traces and spanned the connections from the router and confirmed that ACK packets are being sent back from the remote server to the correct NAT'd address on the FW, but ASDM and logs show that the ACKs are not reaching the FW.
I think the problem is to do with the trunking between the ASA and the switch uplinks but from reading all the blurb it looks ok to me.
I do need the trunking to work as additional sub-ints will be coming on line soon, can anyone help?
I've included a diagram, the FW config and some diags from both the switch and the ASA.
I've had some experience with PIX and ASA but this is the first time I've used trunking and sub-ints on the ASA - what have I done wrong?
Attachments: EE-Diag.vsd Gateway-FW-Config.txt
1 Solution
Where is the VLan 903 L3 interface? On the router?
Is the 3rd switch in the middle trunked to the router?
Can you post the config from the switch port that connects to the ASA's ?

Probably need to see the config of the router xx.xx.98.177 also.

So, when you connect to either one of the 2 switches in a vlan 903 port (access port?), with an IP address xx.xx.98.yy, default gateway of xx.xx.98.177, you can then browse xx.xx.10.24 ?
>route Gateway xx.xx.0.0 xx.xx.98.177 1

Also, make sure that this mask is correct to match the server
Try it with a default route:
 route Gateway xx.xx.98.177
NPA_ICT (Author) commented:
VLAN 903 is just a layer 2 entity. The only L3 VLAN on the switch set is for mgmt (and is trunked into ASA5520 port G0/2).
You're correct in that I can browse to the server from access ports on VLAN 903 on any of the switches, using xx.xx.98.yy.
The 3rd switch isn't trunked to the router; the switchport to the router is just in the same L2 VLAN, namely 903 (see config below). The router only deals with requests to and from the xx.xx.98.176/29 subnet.
I can't get the config of the 98.177 device I'm afraid, it's not ours - though I have been told from the providers that as long as requests come from and to the xx.xx.98.177/29 subnet it should be fine.
I must stress at this point that the solution has been in place for some years, we're just moving our architecture to ASA.

Tried the default route option on the ASA. No joy I'm afraid, ping still working though.
Here is the relevant portion of the switch the FW connects into (G0/22)

interface GigabitEthernet0/22
 description Outside Gateway FW Int g0/0
 switchport trunk allowed vlan 903
 switchport mode trunk

interface Vlan903
 description Gateway VLAN 903
 no ip address
 ip directed-broadcast
 no ip route-cache

Here is the sh int output from G0/22:
GigabitEthernet0/22 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 18ef.6369.6c16 (bia 18ef.6369.6c16)
  Description: Outside Gateway FW Int g0/0
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1031 packets input, 105673 bytes, 0 no buffer
     Received 60 broadcasts (6 multicasts)
     18 runts, 0 giants, 0 throttles
     18 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 6 multicast, 0 pause input
     0 input packets with dribble condition detected
     709082 packets output, 86140620 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

For your understanding, here is the output from the router uplink interface (g0/2)

interface GigabitEthernet0/2
 description Gateway ROuter uplink
 switchport access vlan 903
 speed 10
 duplex full
I really appreciate your help so far. Many Thanks.

NPA_ICT (Author) commented:
Problem was logged with Cisco and they advised that it was because of the feature set.
ASA software 8.2 has a feature that prevents asymmetric routing through the ASA - this is the problem we were having.
For those wanting to, read all about it here: 
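To make the asymmetric-routing diagnosis above concrete, here is a constructed Python model (added here; not ASA code and not from the thread) of a stateful firewall that pins each TCP connection to the interfaces it was built on and drops a SYN-ACK that arrives on any other interface. Interface names, addresses and the exact drop rule are assumptions for illustration.

```python
"""Constructed model of a stateful firewall connection table (not ASA code):
a reply that arrives on the wrong interface is dropped as out-of-state."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str   # firewall interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S", "SA" or "A"


class StatefulFirewall:
    def __init__(self, routes):
        # routes: (prefix, interface) pairs; longest prefix wins
        self.routes = sorted(((ipaddress.ip_network(n), i) for n, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.conns = {}   # 4-tuple -> (expected ingress, expected egress)
        self.drops = []   # drop reasons, as a syslog line would report them

    def egress_for(self, dst):
        addr = ipaddress.ip_address(dst)
        return next((i for net, i in self.routes if addr in net), None)

    def process(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":   # new connection: pin both directions to interfaces
            egress = self.egress_for(p.dst)
            self.conns[fwd] = (p.ingress, egress)
            self.conns[(p.dst, p.dport, p.src, p.sport)] = (egress, p.ingress)
            return "permit"
        state = self.conns.get(fwd)
        if state is None:
            self.drops.append(f"no state for {fwd} on {p.ingress}")
            return "drop"
        if p.ingress != state[0]:
            self.drops.append(f"asymmetric: {fwd} expected on {state[0]}, got {p.ingress}")
            return "drop"
        return "permit"


def simulate(reply_ingress):
    """Inside host opens TCP/80 to the server; SYN-ACK returns on reply_ingress (constructed addresses)."""
    fw = StatefulFirewall([("10.0.0.0/24", "inside"), ("0.0.0.0/0", "Gateway")])
    syn = Packet("inside", "10.0.0.10", 40000, "203.0.113.24", 80, "S")
    synack = Packet(reply_ingress, "203.0.113.24", 80, "10.0.0.10", 40000, "SA")
    return [fw.process(syn), fw.process(synack)], fw.drops
```

When the reply comes back on the interface the route table predicted it passes; when it returns on a different sub-interface the firewall logs a drop, which matches the symptom in the thread of ACKs visible on the span but never "reaching" the FW.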
