Cisco ASA Possible Asymmetric Routing

Hi,
I have just setup a cisco ASA with vlan trunking(vlan 4 and 5) between the ASA and a layer 3 switch. As the ASA has a default route point to vlan 5 interface; not sure if that may be the cause of  routing/stateful inspection issue. I have attachd a reference diagram below for reference
ASA ----(vlan 4 and 5 trunk)------layer 3 switch


Not sure, but the flow of traffic looks incorrect; traffic from the internal/inside of the asa have no issues accessing network resources, however traffic from the other vlan 4 have issues; not sure if it may be due to the default route on the asa and that the layer 3 switch is holding both the SVIs?

Traffic may be accessed internally and be natted on vlan 5 without any issues; however traffic to vlan 4 is not accessible.

I was looking at ASA tcp -bypass feature (This is to workaround the directly connected svi instead of a static route)? Not sure which may be the recommended approach/alternate better approach?  

I have attached a running configuration of the asa for reference

Thanks  
ASA.txt
LVL 1
cwtangAsked:
Who is Participating?
 
FideliusCommented:
For hosts in VLAN 4 what is default gateway? Put the ASA as default GW if it is not at the moment.
Why do you need VLAN 4 SVI on L3 switch? Try to remove it and post results.
Is inside interface connected to same L3 switch? If yes, does the inside VLAN also have SVI on L3 switch?

Thanks!
0
 
Cheever000Commented:
I think your issue is because they are both security level 0, on the same interface.  like this

VLAN 5 ----------------------------->
                                                  ASA interface
VLAN 4 ----------------------------->

To turn traffic around at an interface of the same security level is not allowed by default on an ASA

Try this command

same-security-traffic permit intra-interface

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
0
 
FideliusCommented:
Security level is not a problem as you can find in attached config

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


Problem is definitely routing.
Depending of default gateway configuration on hosts, routing between VLAN 4 and VLAN 5 can avoid firewall at all.
0
 
cwtangAuthor Commented:
Hi,
Apologies for the late reply. I believe I have come out with the a much simpler solution in the end after several tac session (They are still not able to resolve)/analysis yesterday. All it requires was to perform nating on the ASA and remove the vlan 5 ip address both on the asa and layer 3 switch.

For the above scenario; using vlan trunking will not work as it requires PBR on the ASA which is not supported.

Thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.