Inter VLAN Communication on Cisco ASA

smithdw1
I have split Internet traffic between 2 providers based on internal VLANs. Some VLANs I have going out through ISP 1, while others I have going out ISP 2. I have attached a quick network diagram of how I have the network set up. The Internet portion is working great; however, it doesn't appear that devices on one VLAN can fully talk to devices on another. Pinging devices from VLAN 1 to VLAN 7 works, as does pinging from VLAN 7 to VLAN 1. The DHCP server that is in VLAN 1 is successfully handing out addresses to VLAN 7. RDP, file shares, and all other services I have tried will not traverse across VLANs. VLAN 7 was an existing VLAN before splitting the Internet, and all services were working as expected before adding the ASA firewall and changing the 10.249 network's default gateway to be the ASA's 10.249.0.3 interface. Details:

VLAN 1:  10.1.0.0 /16
GW:  10.1.1.252
Uses ISP 1 for Internet

VLAN 7:  10.249.0.0 /16
GW: 10.249.0.3
Uses ISP 2 for Internet

There is a route in the 10.1.1.252 router that points all 10.249 traffic to 10.1.8.15. As a test, I circumvented this by adding a route statement to a host on VLAN 1 to point all 10.249 traffic to 10.1.0.5 (the VLAN 1 interface of the ASA). Unfortunately, inter-VLAN communication was still not fully functioning. I am new to the ASA, so my guess is that it is a simple config error on the firewall, but I don't know enough about the device to troubleshoot further. I have attached the config for 10.1.8.15 (HP ProCurve layer 3 switch) and the ASA 5515-X. Thanks for the help.
NetworkDiagram.JPG
ASAConfig.txt
ProcurveConfig.txt
Commented:
You are running into asymmetric routing, and possibly also a NAT/same-security-traffic situation.

Consider traffic in both directions. If VLAN 7 devices have a default gateway of the ASA, when they go to talk to VLAN 1, they first pass it off to the ASA since it's the default gateway. Assuming that the ASA has the routing in place and rules that allow traffic to pass, it will then pass this traffic off to the next hop, which in your case it has a local interface on VLAN 1, so it will go directly to the destination device. On the reverse side of this, when VLAN 1 devices send traffic back to VLAN 7, they use the default gateway of their L3 switch, and the L3 switch immediately routes it directly to the VLAN 7 device since it has that VLAN configured locally. This means that traffic goes through the ASA in one direction, but not the other. ASAs don't care for this behavior.

Depending on your needs, one of the easiest solutions is to remove the VLAN 7 IP address from the L3 switch(es), set up a route to the VLAN 7 subnet pointed at the ASA on the L3 switches, and then traffic will be forced to use the ASA in both directions. From there it is just a matter of ensuring that the ASA allows traffic to pass. This would be where the NAT/same-security-traffic comes into play.
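To make the asymmetric path concrete, here is a small Python model of the per-hop forwarding decisions the answer above describes. It is an added illustration, not code from the thread, from Cisco or from HP. It uses the addresses given in the question (10.1.1.252, 10.1.8.15, 10.1.0.5, 10.249.0.3); the host addresses 10.1.0.50 and 10.249.0.50, the L3 switch's VLAN 7 address 10.249.0.1, and the node names are constructed assumptions. It traces a packet from VLAN 7 to VLAN 1 and the reply from VLAN 1 to VLAN 7, then reports whether the ASA sits on both legs, for the original routing, for the fix the asker applied (the router's 10.249 route moved to 10.1.0.5), and for the alternative suggested here (remove VLAN 7 from the L3 switch and route it to the ASA).

```python
import ipaddress
from dataclasses import dataclass

# Constructed host addresses inside the two VLANs from the question (assumptions).
HOST1_IP = "10.1.0.50"    # a host in VLAN 1 (10.1.0.0/16)
HOST7_IP = "10.249.0.50"  # a host in VLAN 7 (10.249.0.0/16)


@dataclass
class Node:
    name: str
    addresses: list   # IPs this device owns
    routes: list      # (prefix, next_hop); next_hop None means directly connected


def lookup(node, dst):
    """Longest-prefix match on one device's forwarding table."""
    best = None
    for prefix, next_hop in node.routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"{node.name}: no route to {dst}")
    return best[1]


def trace(nodes, src, dst_ip, max_hops=10):
    """Follow hop-by-hop forwarding from src to the device that owns dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    owner = {ipaddress.ip_address(a): n.name for n in nodes.values() for a in n.addresses}
    path, current = [src], src
    while len(path) <= max_hops:
        if owner.get(dst) == current:
            return path
        next_hop = lookup(nodes[current], dst)
        if next_hop is None:  # connected subnet: deliver straight to the owner of dst
            if dst not in owner:
                raise LookupError(f"{current}: {dst} is on a connected subnet but no device owns it")
            nxt = owner[dst]
        else:
            nxt = owner[ipaddress.ip_address(next_hop)]
        path.append(nxt)
        current = nxt
    raise RuntimeError("hop limit exceeded; routing loop?")


def build_topology(router_next_hop="10.1.8.15", l3switch_owns_vlan7=True):
    """Model the thread's network. Internet default routes are omitted: only
    inter-VLAN traffic is traced, and it never matches them."""
    l3_addrs = ["10.1.8.15"] + (["10.249.0.1"] if l3switch_owns_vlan7 else [])
    l3_routes = [("10.1.0.0/16", None),
                 ("10.249.0.0/16", None if l3switch_owns_vlan7 else "10.1.0.5")]
    nodes = [
        Node("host-vlan1", [HOST1_IP],
             [("10.1.0.0/16", None), ("0.0.0.0/0", "10.1.1.252")]),
        # Third-party router: its 10.249 route is the knob the asker had changed.
        Node("router-10.1.1.252", ["10.1.1.252"],
             [("10.1.0.0/16", None), ("10.249.0.0/16", router_next_hop)]),
        Node("l3switch-10.1.8.15", l3_addrs, l3_routes),
        # ASA with an interface in each VLAN.
        Node("asa", ["10.1.0.5", "10.249.0.3"],
             [("10.1.0.0/16", None), ("10.249.0.0/16", None)]),
        Node("host-vlan7", [HOST7_IP],
             [("10.249.0.0/16", None), ("0.0.0.0/0", "10.249.0.3")]),
    ]
    return {n.name: n for n in nodes}


def analyze(nodes, firewall="asa"):
    """Trace both legs of a VLAN 7 <-> VLAN 1 flow and flag asymmetry across the firewall."""
    forward = trace(nodes, "host-vlan7", HOST1_IP)
    reverse = trace(nodes, "host-vlan1", HOST7_IP)
    return {"forward": forward, "reverse": reverse,
            "symmetric": (firewall in forward) == (firewall in reverse)}


if __name__ == "__main__":
    scenarios = {
        "original (router -> 10.1.8.15)": build_topology(),
        "asker's fix (router -> 10.1.0.5)": build_topology(router_next_hop="10.1.0.5"),
        "alternative (VLAN 7 removed from L3 switch)": build_topology(l3switch_owns_vlan7=False),
    }
    for label, topo in scenarios.items():
        r = analyze(topo)
        print(f"{label}: forward={r['forward']} reverse={r['reverse']} symmetric={r['symmetric']}")
```

In the original topology the forward leg runs host-vlan7, asa, host-vlan1 while the reply runs host-vlan1, router, L3 switch, host-vlan7, so the ASA sees only one half of every flow; a stateful firewall that has no connection entry for the other half drops it. Both remedies put the ASA on the reply leg as well, which is what made the asker's services start working once the router's route was changed.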

Author

Commented:
Thanks for the reply. The 10.1.1.252 router is managed by a third party, so I submitted a ticket to have the route changed from 10.1.8.15 to 10.1.0.5 for the 10.249 network. I am hopeful the asymmetric routing you indicate will be cleared up by this change. I will give it a test as soon as the change is made and report back. Thanks again.

Author

Commented:
Once the route on 10.1.1.252 was modified, traffic seems to be flowing as expected. Thanks for your help.
