cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


2370
Views
0
Helpful
20
Replies
VIP Mentor

Routing between interfaces on ASA 5520

personally, I wouldn't change my infrastructure just because one feature doesn't work as expected. Better look for the couse of the problem. After changing the MAC-addresses on the ASA, have you tried to clear the arp-cache on the router?

Highlighted
Beginner

Routing between interfaces on ASA 5520

Hi,

Having had a look, my configuration doesnt differ much from what was suggested anyway.

Yes i have cleared the arp cache on the router after changing the mac-addresses.

Thanks

Chris

VIP Mentor

Re: Routing between interfaces on ASA 5520

so from the standpoint of the adjacent router it looks fine with the different MAC-addresses. Please explain what you mean with "locked out of the admin context". What exactly desn't work?

Beginner

Routing between interfaces on ASA 5520

Hi,

Thanks for the replies.

I cannot connect on ASDM, SSH or telnet to the .194 address. Nor can i ping etc. So i cant manage the ASA when mac-address auto is applied. (I schedule a reload before i apply this).

So even though the router is showing a different mac-address in it's arp table, the ASA wont accept connections on the admin context and that IP address. I cant thknk of anything in the ASA that i've configured that would block/filter on L2.

Thanks

Chris

VIP Mentor

Routing between interfaces on ASA 5520

Anything on the Switch between the ASA and the Router?

Beginner

Routing between interfaces on ASA 5520

Hi,

Theres no switch between the router and the firewall. If i explain the topology a bit more that might help.

Internet > Cisco 1921 > ASA 5520 > Dell Blade, Poweredge Switch M6348.

The switch has 2 vlans, one for 192.168.20.0/24 network. The other is the DMZ, 1.2.3.208/29

The ASA has 2 contexts, admin, interface Gi0/0 1.2.3.194/29

ctx1 interface Gi0/0 1.2.3.195/28 - nameif outside

Interface G0/1 10.10.10.1/25 - nameif CMC (Management for blades)

Interface Gi0/2 192.168.20.254/24 nameif inside

Interface Gi0/2.1 1.2.3.208/29 nameif DMZ

I was primarily using NAT to reach various servers/management interfaces on the inside an CMC interfaces. Which worked fine, however we needed a publicly addressable space to run a SIP server and possibly some more things to come. Which is where the DMZ came from. However as the admin context and ctx1 share interface Gi0/0 and i need to route part of the public subnet to the DMZ i found i needed to turn on mac-address auto in the system context. This allows the NAT and the DMZ to work, however i cant access the admin context, The arp-cache updates immediately on the router so it sees the change but i just wonder if its something on the ASA that cannot accept traffic on that Mac-address?

Sorry for the long winded explanation, i hope this makes sense.

Thanks

Chris