YMartin
asked on
Dual ASA 5506-x inter VLAN routing
I have 2 buildings each with their own ISP. They both have ASA 5506Xs. The switches are L2 only and there is no router on site. Both buildings are connected via Fiber and each building is on a separate VLAN.
Currently there is a VPN tunnel between the 2 LANs. I have been asked to attempt to use the ASA to route between the VLANS. There is a great instruction for this in another post and I have the ASA routing traffic between the VLANS (same-security inter and intra interface and the NAT exempt statements)
The problem is that the ASA seems to be blocking replies where it was not aware of the request. For instance an Echo request is allowed through ASA 1 (10.10.10.1) from 10.10.10.10 to 10.20.20.20. 10.20.20.20 sends the reply to its default gatewy (ASA 2 [10.20.20.1]) who is unaware of the echo request and therefore seems to be blocking the echo reply.
My question is first if my assumption is correct as to the cause for the traffic being blocked and second, how to exempt the traffic between VLANS from SPI or otherwise solve this problem.
Currently there is a VPN tunnel between the 2 LANs. I have been asked to attempt to use the ASA to route between the VLANS. There is a great instruction for this in another post and I have the ASA routing traffic between the VLANS (same-security inter and intra interface and the NAT exempt statements)
The problem is that the ASA seems to be blocking replies where it was not aware of the request. For instance an Echo request is allowed through ASA 1 (10.10.10.1) from 10.10.10.10 to 10.20.20.20. 10.20.20.20 sends the reply to its default gatewy (ASA 2 [10.20.20.1]) who is unaware of the echo request and therefore seems to be blocking the echo reply.
My question is first if my assumption is correct as to the cause for the traffic being blocked and second, how to exempt the traffic between VLANS from SPI or otherwise solve this problem.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Open in new window