YMartin

asked on

Dual ASA 5506-x inter VLAN routing

I have 2 buildings each with their own ISP.  They both have ASA 5506Xs.  The switches are L2 only and there is no router on site.  Both buildings are connected via Fiber and each building is on a separate VLAN.  

Currently there is a VPN tunnel between the 2 LANs.  I have been asked to attempt to use the ASA to route between the VLANs.  There is a great instruction for this in another post and I have the ASA routing traffic between the VLANs (same-security inter and intra interface and the NAT exempt statements).

The problem is that the ASA seems to be blocking replies where it was not aware of the request.  For instance, an Echo request is allowed through ASA 1 (10.10.10.1) from 10.10.10.10 to 10.20.20.20.  10.20.20.20 sends the reply to its default gateway (ASA 2 [10.20.20.1]), which is unaware of the echo request and therefore seems to be blocking the echo reply.

My question is, first, whether my assumption is correct as to the cause of the traffic being blocked and, second, how to exempt the traffic between VLANs from SPI or otherwise solve this problem.
ASKER CERTIFIED SOLUTION
YMartin (ASKER)

Discovered that only one ASA could communicate on each subnet or it would cause problems with TCP traffic.  Created VLAN 3 and used that to route between ASAs.  Here is the config:

interface GigabitEthernet1/2.3
 vlan 3
 nameif ASA2ASA
 security-level 100
 ip address 10.50.222.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list ASA2ASA_access_in extended permit ip object Building1-LAN object Building2-LAN
nat (inside,ASA2ASA) source static Building1-LAN Building1-LAN destination static Building2-LAN Building2-LAN
access-group ASA2ASA_access_in in interface ASA2ASA
route ASA2ASA 192.168.1.0 255.255.255.0 10.50.222.2 2
class-map outside-class
 match default-inspection-traffic
policy-map outside-policy
 class outside-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
service-policy outside-policy interface outside
no service-policy global_policy global
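The two posts above describe one mechanism: a stateful firewall forwards a reply only if it saw the matching request, so when the request leaves through ASA 1 and the reply comes back through ASA 2 (each host using its own default gateway), ASA 2 has no connection entry and drops it. The transit VLAN fixes this by putting both ASAs on both directions of the path. The following toy model is an added example written for this page, not code from the poster or from Cisco; it simulates only the connection-table check (a request or SYN creates state, anything else needs matching state), and the addresses, ICMP identifier and "path" lists are constructed to mirror the scenario in the question.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "icmp" or "tcp"
    kind: str    # icmp: "request"/"reply"; tcp: "syn"/"synack"/"ack"
    ident: int   # ICMP identifier or TCP source port (constructed values)


def flow_key(pkt: Packet):
    return (pkt.src, pkt.dst, pkt.proto, pkt.ident)


def reverse_key(pkt: Packet):
    return (pkt.dst, pkt.src, pkt.proto, pkt.ident)


class StatefulFirewall:
    """Minimal stateful-inspection model (hypothetical, not ASA code):
    a packet that opens a flow creates a connection entry; any other packet
    must match an existing entry in either direction or it is dropped."""

    def __init__(self, name: str, log: list):
        self.name = name
        self.conns = set()
        self.log = log  # shared, so the log is in chronological order

    def forward(self, pkt: Packet) -> bool:
        if flow_key(pkt) in self.conns or reverse_key(pkt) in self.conns:
            self.log.append(f"{self.name}: ALLOW existing flow {pkt.kind} {pkt.src}->{pkt.dst}")
            return True
        if pkt.kind in ("request", "syn"):
            self.conns.add(flow_key(pkt))
            self.log.append(f"{self.name}: ALLOW new flow {pkt.kind} {pkt.src}->{pkt.dst}")
            return True
        self.log.append(f"{self.name}: DROP no state {pkt.kind} {pkt.src}->{pkt.dst}")
        return False


def send(path, pkt: Packet) -> bool:
    """Push a packet through each firewall on the path in order; True if it arrives."""
    return all(fw.forward(pkt) for fw in path)


def simulate(transit_vlan: bool, proto: str = "icmp"):
    """Return (request_delivered, reply_delivered, log) for the two topologies.

    transit_vlan=False: each host sends to its own default gateway only, so the
    request crosses ASA1 and the reply crosses ASA2 (asymmetric path).
    transit_vlan=True: ASA1 and ASA2 are chained over the ASA2ASA VLAN, so both
    see both directions (symmetric path)."""
    log = []
    asa1 = StatefulFirewall("ASA1(10.10.10.1)", log)
    asa2 = StatefulFirewall("ASA2(10.20.20.1)", log)
    if proto == "icmp":
        req = Packet("10.10.10.10", "10.20.20.20", "icmp", "request", ident=1)
        rep = Packet("10.20.20.20", "10.10.10.10", "icmp", "reply", ident=1)
    else:
        req = Packet("10.10.10.10", "10.20.20.20", "tcp", "syn", ident=40000)
        rep = Packet("10.20.20.20", "10.10.10.10", "tcp", "synack", ident=40000)
    if transit_vlan:
        out_path, back_path = [asa1, asa2], [asa2, asa1]
    else:
        out_path, back_path = [asa1], [asa2]
    req_ok = send(out_path, req)
    rep_ok = send(back_path, rep)
    return req_ok, rep_ok, log


if __name__ == "__main__":
    for transit in (False, True):
        req_ok, rep_ok, log = simulate(transit)
        print(f"transit VLAN={transit}: request delivered={req_ok}, reply delivered={rep_ok}")
        for line in log:
            print("  " + line)
```

Running it prints the asymmetric case dropping the echo reply at ASA2 with "no state" and the transit-VLAN case delivering both directions; passing `proto="tcp"` shows the same drop for a SYN/ACK, which is the TCP problem the answer mentions. The model deliberately ignores ACLs, NAT and protocol inspection: the point is only that the connection table on each ASA must see both halves of a conversation, which the ASA2ASA interface and the static route in the posted config arrange.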