Cisco ASA Possible Asymmetric Routing

Posted on 2011-05-07
Last Modified: 2012-05-11
I have just set up a Cisco ASA with VLAN trunking (VLAN 4 and 5) between the ASA and a layer 3 switch. As the ASA has a default route pointing to the VLAN 5 interface, I am not sure if that may be the cause of the routing/stateful inspection issue. I have attached a reference diagram below for reference:
ASA ----(vlan 4 and 5 trunk)------layer 3 switch

Not sure, but the flow of traffic looks incorrect; traffic from the internal/inside of the ASA has no issues accessing network resources, however traffic from the other VLAN (VLAN 4) has issues. Not sure if it may be due to the default route on the ASA and the fact that the layer 3 switch is holding both the SVIs?

Traffic may be accessed internally and be NATted on VLAN 5 without any issues; however traffic to VLAN 4 is not accessible.

I was looking at the ASA TCP-bypass feature (this is to work around the directly connected SVI instead of a static route). Not sure which may be the recommended approach, or whether there is a better alternative approach?

I have attached a running configuration of the ASA for reference.

Question by: cwtang
    LVL 12

    Accepted Solution

    For hosts in VLAN 4, what is the default gateway? Put the ASA as the default GW if it is not at the moment.
    Why do you need the VLAN 4 SVI on the L3 switch? Try to remove it and post the results.
    Is the inside interface connected to the same L3 switch? If yes, does the inside VLAN also have an SVI on the L3 switch?

    LVL 9

    Expert Comment

    I think your issue is because they are both security level 0, on the same interface, like this:

    VLAN 5 ----------------------------->
                                                      ASA interface
    VLAN 4 ----------------------------->

    Turning traffic around at an interface of the same security level is not allowed by default on an ASA.

    Try this command:

    same-security-traffic permit intra-interface

    LVL 12

    Expert Comment

    Security level is not the problem, as you can see in the attached config:

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    The problem is definitely routing.
    Depending on the default gateway configuration on the hosts, routing between VLAN 4 and VLAN 5 can bypass the firewall entirely.
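
To make the routing point above concrete, here is an added example (my own toy model, not code from the thread, Cisco, or the ASA) of why a stateful firewall breaks when the two directions of a TCP flow take different paths. Hosts, addresses and the packet sequences are constructed; the `tcp_state_bypass` flag is an assumption standing in for the effect of the ASA's TCP state bypass feature mentioned in the question, namely that mid-stream packets of a flow the firewall never saw the handshake for are forwarded instead of dropped.

```python
"""Toy model: stateful inspection versus asymmetric routing.

Added example, not from the original thread or from Cisco. The addresses
and packet sequences are constructed; the firewall logic is a simplified
stand-in for the ASA's TCP connection tracking, and `tcp_state_bypass`
is assumed to model the ASA TCP state bypass feature (skip the
"no connection" check for packets of flows never seen).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str          # TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" data
    via_firewall: bool  # True if this packet's route actually crosses the ASA


class StatefulFirewall:
    """Tracks TCP flows it has seen; drops mid-stream packets of unknown flows."""

    def __init__(self, tcp_state_bypass: bool = False):
        self.tcp_state_bypass = tcp_state_bypass
        self.conns: dict = {}   # flow key -> "EMBRYONIC" | "ESTABLISHED"

    @staticmethod
    def flow_key(p: Packet) -> tuple:
        # Direction-independent key so both halves of a flow map to one entry.
        return tuple(sorted((p.src, p.dst)))

    def inspect(self, p: Packet) -> str:
        key = self.flow_key(p)
        state = self.conns.get(key)
        if p.flags == "S":                          # new connection attempt
            self.conns[key] = "EMBRYONIC"
            return "allow"
        if state is None:                            # flow never seen at all
            return "allow" if self.tcp_state_bypass else "drop (no connection)"
        if state == "EMBRYONIC" and p.flags == "SA":
            self.conns[key] = "ESTABLISHED"         # handshake completed through us
            return "allow"
        if state == "ESTABLISHED":
            return "allow"
        # SYN seen, but SYN/ACK never crossed the firewall: handshake incomplete.
        return "allow" if self.tcp_state_bypass else "drop (handshake incomplete)"


def run_session(packets, tcp_state_bypass: bool = False):
    """Forward each packet along its path; returns (flags, verdict) per packet."""
    fw = StatefulFirewall(tcp_state_bypass)
    verdicts = []
    for p in packets:
        if p.via_firewall:
            verdicts.append((p.flags, fw.inspect(p)))
        else:
            verdicts.append((p.flags, "forwarded by L3 switch, ASA never sees it"))
    return verdicts


def session_succeeds(packets, tcp_state_bypass: bool = False) -> bool:
    """True if no packet that reached the firewall was dropped."""
    return all(not v.startswith("drop") for _, v in run_session(packets, tcp_state_bypass))


HOST_VLAN4 = "10.4.0.10"     # constructed address
SERVER_VLAN5 = "10.5.0.20"   # constructed address


def symmetric_flow():
    """Both hosts use the ASA as default gateway: every packet crosses it."""
    return [
        Packet(HOST_VLAN4, SERVER_VLAN5, "S", True),
        Packet(SERVER_VLAN5, HOST_VLAN4, "SA", True),
        Packet(HOST_VLAN4, SERVER_VLAN5, "A", True),
        Packet(HOST_VLAN4, SERVER_VLAN5, "PA", True),
    ]


def asymmetric_flow():
    """VLAN 4 host's gateway is the L3 switch SVI, so its packets are routed
    on the switch and skip the ASA; the VLAN 5 server's gateway is the ASA,
    so only the return direction crosses the firewall."""
    return [
        Packet(HOST_VLAN4, SERVER_VLAN5, "S", False),
        Packet(SERVER_VLAN5, HOST_VLAN4, "SA", True),
        Packet(HOST_VLAN4, SERVER_VLAN5, "A", False),
        Packet(SERVER_VLAN5, HOST_VLAN4, "PA", True),
    ]


if __name__ == "__main__":
    for name, flow in (("symmetric", symmetric_flow()), ("asymmetric", asymmetric_flow())):
        for bypass in (False, True):
            print(f"{name:10s} tcp_state_bypass={bypass}: {run_session(flow, bypass)}")
```

In the asymmetric case the firewall sees the SYN/ACK without ever having seen the SYN and drops it as "no connection", which is the symptom of one VLAN being routed around the ASA by the switch SVIs. Bypassing TCP state gets the packets through, but it does so by giving up the inspection the firewall is there for; moving the hosts' default gateway to the ASA (or removing the switch-side SVI) restores a symmetric path instead.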

    Author Comment

    Apologies for the late reply. I believe I have come up with a much simpler solution in the end after several TAC sessions (they are still not able to resolve it) and analysis yesterday. All it required was to perform NAT on the ASA and remove the VLAN 5 IP address on both the ASA and the layer 3 switch.

    For the above scenario, using VLAN trunking will not work, as it requires PBR on the ASA, which is not supported.
