Solved

Cisco ASA Possible Asymmetric Routing

Posted on 2011-05-07
Medium Priority
2,033 Views
Last Modified: 2012-05-11
Hi,
I have just set up a Cisco ASA with VLAN trunking (VLAN 4 and 5) between the ASA and a layer 3 switch. As the ASA has a default route pointing to the VLAN 5 interface, I am not sure if that may be the cause of the routing/stateful inspection issue. I have attached a reference diagram below.
ASA ----(vlan 4 and 5 trunk)------layer 3 switch


Not sure, but the flow of traffic looks incorrect; traffic from the internal/inside of the ASA has no issues accessing network resources, however traffic from the other VLAN (VLAN 4) has issues; not sure if it may be due to the default route on the ASA and the layer 3 switch holding both of the SVIs?

Traffic may be accessed internally and be NATed on VLAN 5 without any issues; however traffic to VLAN 4 is not accessible.

I was looking at the ASA TCP bypass feature (this is to work around the directly connected SVI instead of a static route)? Not sure which may be the recommended approach, or whether there is a better alternative approach?

I have attached the running configuration of the ASA for reference.

Thanks  
ASA.txt
Question by: cwtang

4 Comments
Accepted Solution

by: Fidelius (earned 2000 total points)
ID: 35716607
For hosts in VLAN 4, what is the default gateway? Put the ASA as the default GW if it is not at the moment.
Why do you need the VLAN 4 SVI on the L3 switch? Try to remove it and post the results.
Is the inside interface connected to the same L3 switch? If yes, does the inside VLAN also have an SVI on the L3 switch?

Thanks!
 
Expert Comment

by: Cheever000
ID: 35721228
I think your issue is because they are both security level 0, on the same interface, like this:

VLAN 5 ----------------------------->
                                                  ASA interface
VLAN 4 ----------------------------->

Turning traffic around at an interface of the same security level is not allowed by default on an ASA.

Try this command:

same-security-traffic permit intra-interface

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
 
Expert Comment

by: Fidelius
ID: 35721455
Security level is not the problem, as you can see in the attached config:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


The problem is definitely routing.
Depending on the default gateway configuration on the hosts, routing between VLAN 4 and VLAN 5 can avoid the firewall altogether.
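The routing point made in the comment above, as an added example that is not part of the original thread and not Cisco code: a small Python model of a stateful firewall sitting next to a layer 3 switch that holds SVIs. The addresses (VLAN 4 = 10.4.0.0/24, VLAN 5 = 10.5.0.0/24), host names and the simplified device behaviour are assumptions: the switch routes directly between any subnets it has an SVI on and sends everything else to the ASA, and the ASA builds a connection entry only on a SYN and drops any other TCP segment that matches no entry unless TCP state bypass is on. Running the scenarios shows the three outcomes the thread talks about: the handshake failing when only the return path crosses the ASA (asymmetric routing), the handshake succeeding without the ASA ever seeing the flow when both VLANs use the switch as their gateway (firewall bypassed), and the handshake succeeding through the ASA once the hosts point at it or the second SVI is gone.

```python
"""Stateful firewall vs. asymmetric routing, simulated (added example; addresses,
names and device behaviour are assumptions, not taken from the thread's config)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class ASA:
    """Stateful firewall: a SYN creates a connection entry; any other TCP segment
    must match an entry or it is dropped, unless tcp-state-bypass is enabled."""

    def __init__(self, tcp_state_bypass=False):
        self.conns = set()       # bidirectional flow keys the ASA has state for
        self.seen = 0            # segments that reached the ASA at all
        self.bypass = tcp_state_bypass

    def route(self, pkt, log):
        self.seen += 1
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})  # same key both ways
        if pkt.flags == "SYN":
            self.conns.add(key)
            log.append(f"asa: built connection {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return True
        if key in self.conns:
            log.append(f"asa: {pkt.flags} matched existing connection, forwarded")
            return True
        if self.bypass:
            log.append(f"asa: {pkt.flags} has no connection but tcp-state-bypass is on, forwarded")
            return True
        log.append(f"asa: Deny TCP (no connection) for {pkt.flags} {pkt.src} -> {pkt.dst}")
        return False


class L3Switch:
    """Routes between any VLANs it holds an SVI on without touching the firewall;
    everything else follows its default route to the ASA."""

    def __init__(self, svi_subnets, asa):
        self.svis = [ipaddress.ip_network(n) for n in svi_subnets]
        self.asa = asa

    def route(self, pkt, log):
        if any(ipaddress.ip_address(pkt.dst) in n for n in self.svis):
            log.append(f"switch: {pkt.flags} {pkt.src} -> {pkt.dst} routed between SVIs, ASA not consulted")
            return True
        log.append(f"switch: {pkt.flags} {pkt.src} -> {pkt.dst} sent to ASA via default route")
        return self.asa.route(pkt, log)


@dataclass
class Host:
    ip: str
    gateway: object  # the ASA or the L3Switch; the peer is always on another subnet

    def send(self, pkt, log):
        return self.gateway.route(pkt, log)


def tcp_handshake(client, server, log):
    """True only if SYN, SYN-ACK and ACK all reach the other side (stops at the first drop)."""
    steps = [
        (client, Packet(client.ip, server.ip, 40000, 80, "SYN")),
        (server, Packet(server.ip, client.ip, 80, 40000, "SYN-ACK")),
        (client, Packet(client.ip, server.ip, 40000, 80, "ACK")),
    ]
    return all(sender.send(pkt, log) for sender, pkt in steps)


def scenario(switch_svis, vlan4_gateway, vlan5_gateway, tcp_state_bypass=False):
    """vlan4_gateway / vlan5_gateway are 'switch' or 'asa', the default gateway the
    hosts in that VLAN point at.  Returns (handshake_ok, segments_seen_by_asa, log)."""
    asa = ASA(tcp_state_bypass)
    switch = L3Switch(switch_svis, asa)
    pick = {"switch": switch, "asa": asa}
    client = Host("10.4.0.10", pick[vlan4_gateway])  # assumed host in VLAN 4
    server = Host("10.5.0.10", pick[vlan5_gateway])  # assumed host in VLAN 5
    log = []
    ok = tcp_handshake(client, server, log)
    return ok, asa.seen, log


if __name__ == "__main__":
    both_svis = ["10.4.0.0/24", "10.5.0.0/24"]
    cases = {
        "asymmetric: VLAN 4 via switch SVI, VLAN 5 via ASA": (both_svis, "switch", "asa", False),
        "same, with tcp-state-bypass":                         (both_svis, "switch", "asa", True),
        "both VLANs via switch SVIs (firewall bypassed)":      (both_svis, "switch", "switch", False),
        "only the VLAN 4 SVI left, switch defaults to ASA":    (["10.4.0.0/24"], "switch", "asa", False),
        "both VLANs use the ASA as gateway":                   ([], "asa", "asa", False),
    }
    for name, args in cases.items():
        ok, seen, log = scenario(*args)
        print(f"{name}: handshake {'OK' if ok else 'FAILED'}, ASA saw {seen} segment(s)")
        for line in log:
            print("   ", line)
```

The asymmetric case is the one that produces the "no connection" drop: the SYN never reaches the ASA because the switch already has an SVI on the destination VLAN, so when the SYN-ACK arrives at the ASA there is no entry for it. TCP state bypass makes that handshake succeed, but only by switching off the inspection for the flow; the "both via switch" case shows the other failure mode, where the firewall is simply not in the path at all.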
 

Author Comment

by: cwtang
ID: 35820213
Hi,
Apologies for the late reply. I believe I have come up with a much simpler solution in the end, after several TAC sessions (they were still not able to resolve it) and analysis yesterday. All it required was to perform NATing on the ASA and remove the VLAN 5 IP address on both the ASA and the layer 3 switch.

For the above scenario, using VLAN trunking will not work, as it requires PBR on the ASA, which is not supported.

Thanks.