topic routing is not configured.So in Network Security

Allow routing for return traffic from ASA

mahesh18 — Tue, 12 Mar 2019 06:16:24 GMT

Hi everyone,

I am trying to fix the routing issue in ASA.

Layer 3 traffic flow

PC-----L3 switch1------int x-------ASA--int y----Layer 3 switch2 --- server

Here traffic flow is allowed from PC to server.

But for return traffic from server to PC via ASA X interface the next hop to L3 switch 1 is not pingable.

L2 traffic flow

L3 switch 1 ------trunk to switch3----------trunk to switch4-----access vlan 510 ------x interface of ASA.

Switch4 port connected to ASA interface x is access port only carrying single vlan.

Need to know in order for ping to work from X interface of ASA to next hop address which is vlan 520 on L3 switch1 what can i do?

Regards

MAhesh

Hi Mahesh, With necessary

mvsheik123 — Thu, 16 Jul 2015 09:23:22 GMT

Hi Mahesh,

With necessary routing configured, try adding 'inspect icmp' on ASA.

Thx

routing is not configured.So

mahesh18 — Thu, 16 Jul 2015 18:25:16 GMT

routing is not configured.

So right now ASA interface connected to switch only allows sigle vlan.

To allow another vlan on the same interface so that routing is enabled should i config port on ASA

as multiple sub interfaces ?

Regards

MAhesh

You can configure

Andre Neethling — Fri, 17 Jul 2015 06:04:39 GMT

You can configure subinterfaces. But IMO it will be better for you to use the layer 3 switch for your inter-vlan routing. Unless you need specific access policies for each VLAN you have. Otherwise, just do your routing on the layer 3 switch. This will take some load off your ASA. You may also need to tune Same-Secutiry level traffic, etc.The ASA also behaves a bit funny when you use it as a client default gateway. So to keep you config simple, I would not do any inter-vlan routing on the ASA.

Hi Andre, How can i use

mahesh18 — Fri, 17 Jul 2015 19:47:06 GMT

Hi Andre,

How can i use layer 3 switch for routing?

Can you please explain me with example what config i need to put on switch and ASA

for inter vlan routing?

Regards

Mahesh

you need to add the command

Marius Gunnerud — Sat, 18 Jul 2015 07:18:25 GMT

you need to add the command ip routing on the L3 switch. Then you will be able to add routing commmands such as the following:

ip route 1.2.3.0 255.255.255.0 11.11.11.1

just replace the 1.2.3.0 with the subnet you are trying to reach, 255.255.255.0 with the actual subnet of the network you are trying to reach, and replace 11.11.11.1 with the next hop IP toward the subnet you are trying to reach.

Please remember to select a correct answer and rate helpful posts

Many thanks

mahesh18 — Tue, 28 Jul 2015 18:21:33 GMT

Many thanks