https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929682#M24337 <P>If your device has GW setup in the router, the packet will not reach FW for you to work.</P> <P>&nbsp;</P> <P>Do you high-level diagram to understand where your FW and how the router setup, where is users IP / Vlan like to block?</P> Tue, 24 Sep 2019 20:07:39 GMT balaji.bandi 2019-09-24T20:07:39Z https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929566#M24334 <P>Good Day,</P><P>Im currently having an issue where i have my sub interfaces configurated on my router. I also have an ASA5508 that i am using to control traffic. The asa can block traffic between the outside(isp) and inside(internal vlans) with no problem. But if i setup an acl to block traffic between the internal vlans it does not work.</P><P>&nbsp;</P><P>I do not even see the traffic flow between the vlans(server vlan to users vlan) in the asa syslogs.</P><P>&nbsp;</P><P>Can i get some help with this please?</P><P>&nbsp;</P><P>Also my current setup is: my isp is plugged into an interface on the asa, my asa is plugged into an interface on the router and my router is plugged into a trunk port on my switch.</P><P>&nbsp;</P> Tue, 24 Sep 2019 16:40:38 GMT https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929566#M24334 ErrolCash0963 2019-09-24T16:40:38Z https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929570#M24335 <P>VLAN you like to block intervlan blocking, are these interface configured IP address in the FW ? and Devices pointed GW as FW ?</P> <P>&nbsp;</P> <P>if not FW will not aware of that traffic to block.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 24 Sep 2019 16:46:46 GMT https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929570#M24335 balaji.bandi 2019-09-24T16:46:46Z https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929583#M24336 <P>Currently i have the ip address ranges setup as network objects in the FW and i only have the router default gateway set to the FW.</P><P>Do my router subinterfaces need to be setup in the FW as interfaces as well?</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 24 Sep 2019 17:07:43 GMT https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929583#M24336 ErrolCash0963 2019-09-24T17:07:43Z https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929682#M24337 <P>If your device has GW setup in the router, the packet will not reach FW for you to work.</P> <P>&nbsp;</P> <P>Do you high-level diagram to understand where your FW and how the router setup, where is users IP / Vlan like to block?</P> Tue, 24 Sep 2019 20:07:39 GMT https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929682#M24337 balaji.bandi 2019-09-24T20:07:39Z https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929693#M24338 <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Capture.JPG" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/45519iCC36796C099FCC29/image-size/medium?v=v2&amp;px=400" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></P><P>Please see a high level diagram. My vlans/sub interfaces are setup on the router. There a link going from the router to the follow firewall.</P> Tue, 24 Sep 2019 20:21:00 GMT https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929693#M24338 ErrolCash0963 2019-09-24T20:21:00Z https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929773#M24340 <P>the solution you looking may not work.</P> <P>&nbsp;</P> Tue, 24 Sep 2019 23:38:29 GMT https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929773#M24340 balaji.bandi 2019-09-24T23:38:29Z https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929914#M24342 <P>As you are terminating your Hosts and Servers pointing towards a ROUTER ( Router on a stick configuration ) as a Default Gateway. The traffic between Host VLAN and Server VLAN never hit the ASA, hence ASA can not take action and stop. There are few ways you can control the traffic between HOST and Server VLANs.&nbsp;</P><P>&nbsp;</P><P>You can configure ACLs on the ROUTER (Router on a stick).&nbsp;</P><P>You can change the configuration and setup and make ASA as a default Gateway for HOSTs and Servers and than apply ACLs on ASA.&nbsp;</P><P>&nbsp;</P><P>HTH</P><P>### RATE ALL HELPFUL RESPONSES ###</P> Wed, 25 Sep 2019 07:49:27 GMT https://community.cisco.com/t5/network-security/asa5508-cant-see-block-traffic-between-router-subinterfaces/m-p/3929914#M24342 bhargavdesai 2019-09-25T07:49:27Z