Dual ASA 5506-x inter VLAN routing

I have 2 buildings, each with their own ISP. They both have ASA 5506-Xs. The switches are L2 only and there is no router on site. Both buildings are connected via fiber and each building is on a separate VLAN.

Currently there is a VPN tunnel between the 2 LANs. I have been asked to attempt to use the ASA to route between the VLANs. There is a great instruction for this in another post and I have the ASA routing traffic between the VLANs (same-security inter- and intra-interface and the NAT exempt statements).

The problem is that the ASA seems to be blocking replies where it was not aware of the request. For instance, an echo request is allowed through ASA 1 (10.10.10.1) from 10.10.10.10 to 10.20.20.20. 10.20.20.20 sends the reply to its default gateway (ASA 2 [10.20.20.1]), which is unaware of the echo request and therefore seems to be blocking the echo reply.

My question is, first, whether my assumption is correct as to the cause of the traffic being blocked and, second, how to exempt the traffic between VLANs from SPI or otherwise solve this problem.
Asked by YMartin

YMartin (Author) commented:
Found the solution here: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113069-asa-disgi-enai-asdm-00.html

In short: copy the default global service-policy to an outside-interface policy and disable the global service policy, thereby exempting the inside interfaces from inspection.
YMartin (Author) commented:
Discovered that only one ASA could communicate on each subnet or it would cause problems with TCP traffic. Created VLAN 3 and used that to route between ASAs. Here is the config:

! Transit interface: a dedicated sub-interface on VLAN 3 used only for ASA-to-ASA traffic
interface GigabitEthernet1/2.3
 vlan 3
 nameif ASA2ASA
 security-level 100
 ip address 10.50.222.1 255.255.255.0
! Allow traffic between, and hairpinned on, interfaces at the same security level
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! Permit the building-to-building traffic arriving on the transit interface.
! Note: applied inbound on ASA2ASA this entry matches sessions sourced from Building1-LAN;
! sessions initiated from the far building (source Building2-LAN) need the mirror entry,
! because the connection table only covers replies of sessions this ASA has already seen.
access-list ASA2ASA_access_in extended permit ip object Building1-LAN object Building2-LAN
! Identity (NAT-exempt) rule so inter-building traffic is not translated
nat (inside,ASA2ASA) source static Building1-LAN Building1-LAN destination static Building2-LAN Building2-LAN
access-group ASA2ASA_access_in in interface ASA2ASA
! Static route to the other building's LAN via the peer ASA on the transit VLAN (metric 2)
route ASA2ASA 192.168.1.0 255.255.255.0 10.50.222.2 2
! The default inspections, re-created as an interface policy bound only to outside ...
class-map outside-class
 match default-inspection-traffic
policy-map outside-policy
 class outside-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
service-policy outside-policy interface outside
! ... and the global policy removed, so the inside and transit interfaces are not inspected
no service-policy global_policy global

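To make the failure described in the question (the echo reply lands on the ASA that never saw the request) and the reason the VLAN 3 transit link in the final config fixes it concrete, here is an added Python model. It is constructed for this page and is not code from the thread or from Cisco. Hosts and gateways use the question's addresses; the `Firewall`, `Packet` and design functions are my own simplification: a firewall passes a reply only when it already holds state for the forward flow, ICMP is treated as untracked when inspection is switched off (the author's first fix), and TCP is always tracked (why that fix still broke TCP).

```python
"""Toy model of asymmetric routing through two stateful firewalls.

Constructed example (not from the thread): ASA1 guards 10.10.10.0/24, ASA2
guards 10.20.20.0/24. Two designs are compared: the one from the question
(ASA1 delivers straight into VLAN 20, but hosts there reply via ASA2) and the
accepted fix (a transit VLAN so every packet of a flow crosses both ASAs).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "icmp" or "tcp"
    reply: bool = False  # True for the echo reply / SYN-ACK direction


@dataclass
class Firewall:
    name: str
    inspect_icmp: bool = True               # default global policy inspects ICMP
    conns: set = field(default_factory=set)  # tracked flows: (src, dst, proto)

    def forward(self, pkt: Packet) -> bool:
        """Return True if this firewall passes pkt, False if it drops it."""
        if not pkt.reply:
            # New flow arriving from a permitted interface: record state, pass it.
            self.conns.add((pkt.src, pkt.dst, pkt.proto))
            return True
        if (pkt.dst, pkt.src, pkt.proto) in self.conns:
            return True  # reply matches a flow this firewall saw being opened
        # No state for this reply. Simplification: with ICMP inspection off the
        # ASA treats echo replies as plain (ACL-permitted) traffic; TCP is always
        # state-checked, so an unseen SYN-ACK is dropped whatever the policy says.
        return pkt.proto == "icmp" and not self.inspect_icmp


def asymmetric_design(asa1: Firewall, asa2: Firewall) -> dict:
    """Question's design: ASA1 has a leg in both VLANs, but each host keeps
    its own ASA as default gateway, so request and reply take different ASAs."""
    return {
        "request": [asa1],  # 10.10.10.10 -> ASA1 -> 10.20.20.20 (direct on VLAN 20)
        "reply": [asa2],    # 10.20.20.20 -> ASA2 (its gateway) -> 10.10.10.10
    }


def transit_vlan_design(asa1: Firewall, asa2: Firewall) -> dict:
    """Accepted fix: each ASA owns only its own subnet and the two ASAs hand
    traffic to each other over the dedicated VLAN 3 (10.50.222.0/24) link."""
    return {
        "request": [asa1, asa2],
        "reply": [asa2, asa1],
    }


def run(design, proto: str, inspect_icmp: bool = True) -> tuple:
    """Send one request and its reply through the design; return
    (request_delivered, reply_delivered)."""
    asa1 = Firewall("ASA1", inspect_icmp)
    asa2 = Firewall("ASA2", inspect_icmp)
    hops = design(asa1, asa2)
    req = Packet("10.10.10.10", "10.20.20.20", proto)
    rep = Packet("10.20.20.20", "10.10.10.10", proto, reply=True)
    # all() short-circuits, so a dropped packet never reaches the next firewall
    req_ok = all(fw.forward(req) for fw in hops["request"])
    rep_ok = req_ok and all(fw.forward(rep) for fw in hops["reply"])
    return req_ok, rep_ok


if __name__ == "__main__":
    cases = [
        ("asymmetric, ICMP, inspection on", asymmetric_design, "icmp", True),
        ("asymmetric, ICMP, inspection off", asymmetric_design, "icmp", False),
        ("asymmetric, TCP,  inspection off", asymmetric_design, "tcp", False),
        ("transit VLAN, TCP, inspection on", transit_vlan_design, "tcp", True),
    ]
    for label, design, proto, insp in cases:
        req_ok, rep_ok = run(design, proto, insp)
        print(f"{label:34s} request={'pass' if req_ok else 'drop'} "
              f"reply={'pass' if rep_ok else 'drop'}")
```

The second and third cases reproduce the thread's sequence: turning inspection off on the inside interfaces rescues the ICMP reply but not TCP, because TCP state checking does not depend on the inspection policy, which is why the transit VLAN (both firewalls on both directions of every flow) is the design that holds up.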