• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 197
  • Last Modified:

Dual ASA 5506-x inter VLAN routing

I have 2 buildings each with their own ISP.  They both have ASA 5506Xs.  The switches are L2 only and there is no router on site.  Both buildings are connected via Fiber and each building is on a separate VLAN.  

Currently there is a VPN tunnel between the 2 LANs.  I have been asked to attempt to use the ASA to route between the VLANS.  There is a great instruction for this in another post and I have the ASA routing traffic between the VLANS (same-security inter and intra interface and the NAT exempt statements)

The problem is that the ASA seems to be blocking replies where it was not aware of the request.  For instance an Echo request is allowed through ASA 1 ( from to sends the reply to its default gatewy (ASA 2 []) who is unaware of the echo request and therefore seems to be blocking the echo reply.

My question is first if my assumption is correct as to the cause for the traffic being blocked and second, how to exempt the traffic between VLANS from SPI or otherwise solve this problem.
  • 2
1 Solution
YMartinAuthor Commented:
Found the solution here: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113069-asa-disgi-enai-asdm-00.htmlhttps://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113069-asa-disgi-enai-asdm-00.html

In short copy default global service-policy to outside interface policy and disable global service policy thereby exempting inside interfaces from inspection.
YMartinAuthor Commented:
Discovered only one ASA could communicate on each subnet or it would cause problems with TCP traffic.  Created VLAN 3 and used that to route between ASAs.  Here is the config:

interface GigabitEthernet1/2.3
 vlan 3
 nameif ASA2ASA
 security-level 100
 ip address
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list ASA2ASA_access_in extended permit ip object Building1-LAN object Building2-LAN
nat (inside,ASA2ASA) source static Building1-LAN Building1-LAN destination static Building2-LAN Building2-LAN
access-group ASA2ASA_access_in in interface ASA2ASA
route ASA2ASA 2
class-map outside-class
 match default-inspection-traffic
policy-map outside-policy
 class outside-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
service-policy outside-policy interface outside
no service-policy global_policy global

Open in new window

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now