ASA5520 trunking problem

Posted on 2010-09-23
Last Modified: 2012-06-27
We're moving to a different firewall set and I'm trying to set up a connection from an inside host to a remote server.
The inside host can ping but gets a "remote host not responding" error when using a browser from inside the network.
When I connect a laptop directly into a switchport in the correct vlan outside the firewall I can connect to the http page of the remote server.
I've done packet traces and spanned the connections from the router and confirmed that ACK packets are being sent back from the remote server to the correct NAT'd address on the FW, but ASDM and logs show that the ACKs are not reaching the FW.
I think the problem is to do with the trunking between the ASA and the switch uplinks but from reading all the blurb it looks ok to me.
I do need the trunking to work as additional sub-ints will be coming on line soon, can anyone help?
I've included a diagram, the FW config and some diags from both the switch and the ASA.
I've had some experience with PIX and ASA but this is the first time I've used trunking and sub-ints on the ASA - what have I done wrong?
Attachments: EE-Diag.vsd, Gateway-FW-Config.txt
Question by:NPA_ICT
LVL 79

Expert Comment

ID: 33749829
Where is the VLAN 903 L3 interface? On the router?
Is the 3rd switch in the middle trunked to the router?
Can you post the config from the switch port that connects to the ASA?

Probably need to see the config of the router xx.xx.98.177 also.

So, when you connect to either one of the 2 switches in a vlan 903 port (access port?), with an IP address xx.xx.98.yy, default gateway of xx.xx.98.177, you can then browse xx.xx.10.24 ?
LVL 79

Expert Comment

ID: 33749837
>route Gateway xx.xx.0.0 xx.xx.98.177 1

Also, make sure that this mask is correct to match the server.
Try it with a default route:
 route Gateway xx.xx.98.177

Author Comment

ID: 33751758
VLAN 903 is just a layer 2 entity. The only L3 VLAN on the switch set is for mgmt (and is trunked into the ASA5520, port G0/2).
You're correct in that I can browse to the server from access ports on VLAN 903 on any of the switches, using xx.xx.98.yy.
The 3rd switch isn't trunked to the router; the switchport to the router is just in the same L2 VLAN, namely 903 (see config below). The router only deals with requests to and from the xx.xx.98.176/29 subnet.
I can't get the config of the 98.177 device I'm afraid, it's not ours - though I have been told from the providers that as long as requests come from and to the xx.xx.98.177/29 subnet it should be fine.
I must stress at this point that the solution has been in place for some years, we're just moving our architecture to ASA.

Tried the default route option on the ASA. No joy I'm afraid, ping still working though.
Here is the relevant portion of the switch the FW connects into (G0/22):

interface GigabitEthernet0/22
 description Outside Gateway FW Int g0/0
 switchport trunk allowed vlan 903
 switchport mode trunk

interface Vlan903
 description Gateway VLAN 903
 no ip address
 ip directed-broadcast
 no ip route-cache

Here is the sh int output from G0/22:
GigabitEthernet0/22 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 18ef.6369.6c16 (bia 18ef.6369.6c16)
  Description: Outside Gateway FW Int g0/0
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1031 packets input, 105673 bytes, 0 no buffer
     Received 60 broadcasts (6 multicasts)
     18 runts, 0 giants, 0 throttles
     18 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 6 multicast, 0 pause input
     0 input packets with dribble condition detected
     709082 packets output, 86140620 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

For your understanding, here is the output from the router uplink interface (g0/2):

interface GigabitEthernet0/2
 description Gateway ROuter uplink
 switchport access vlan 903
 speed 10
 duplex full
I really appreciate your help so far. Many Thanks.
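The question underlying this thread is whether the switch trunk actually carries every VLAN the ASA subinterfaces tag. The check below is an added example, not code from the original post: the switch block is the G0/22 trunk quoted above, while the ASA snippet, the port names and the function names are constructed assumptions (the real FW config is only an attachment).

```python
import re

# Constructed inputs: the G0/22 trunk quoted in the thread and a hypothetical ASA config.
SWITCH_CONFIG = """
interface GigabitEthernet0/22
 switchport trunk allowed vlan 903
 switchport mode trunk
"""
ASA_CONFIG = """
interface GigabitEthernet0/0.903
 vlan 903
interface GigabitEthernet0/0.904
 vlan 904
"""

def parse_blocks(config):
    """Split an IOS/ASA-style config into {interface_name: [indented lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current, blocks[m.group(1)] = m.group(1), []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,10-12,903' into a set of ids."""
    parts = [p.partition("-") for p in spec.split(",")]
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def trunk_allowed(lines):
    """VLAN ids a switchport carries tagged, or None if it is not a trunk."""
    if "switchport mode trunk" not in lines:
        return None
    for l in lines:  # one plain 'allowed vlan' line; add/remove forms are not handled
        m = re.match(r"switchport trunk allowed vlan (\S+)$", l)
        if m:
            return expand_vlans(m.group(1))
    return set(range(1, 4095))  # no allowed list means every VLAN is carried

def check_trunk(switch_config, asa_config, port, parent):
    """List ASA subinterfaces under `parent` whose tagged VLAN `port` will drop."""
    allowed = trunk_allowed(parse_blocks(switch_config)[port])
    problems = []
    for name, lines in parse_blocks(asa_config).items():
        if name.startswith(parent + "."):
            vlan = int(next(l.split()[1] for l in lines if l.startswith("vlan ")))
            if allowed is None or vlan not in allowed:
                problems.append(f"{name}: vlan {vlan} dropped by {port}")
    return problems
```

With the constructed inputs the check reports only the 904 subinterface, which is the kind of mismatch to look for when a new sub-int comes on line and the switch side was never updated.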


Accepted Solution

NPA_ICT earned 0 total points
ID: 33936830
Problem was logged with Cisco and they advised that it was because of the feature set.
ASA software 8.2 has a feature that prevents asymmetric routing through the ASA - this is the problem we were having.
For those wanting to, read all about it here: