3340 Views · 0 Helpful · 20 Replies

Routing between interfaces on ASA 5520

birdy1982 (Level 1)

Hi,

We have an ASA 5520 which is in multiple context mode.

We are trying to pass traffic from the outside interface to the dmz interface.

I may be fundamentally wrong in the way I'm configuring this, but this is one thing I'm hoping someone may be able to help with. We have a /27 public IP range. We need a small number of those addresses to be in the DMZ for SIP servers specifically. The rest of the addresses are NAT'd to the inside interface.

So I created the outside interface GigabitEthernet0/0 with 1.2.3.192/28

Inside Interface GigabitEthernet0/2 with 192.168.20.0/24

DMZ interface on GigabitEthernet0/2.1 with 1.2.3.208/29

So all I want to do is route traffic that comes in the outside interface out to the DMZ interface for the 1.2.3.208/29 subnet. I set the gateway address as 1.2.3.214, which is the DMZ interface address on the ASA.

I hope this makes sense? I'm sure I'm doing something stupid; I'm just stuck, and hoping someone can help.

I can provide more info if required.

Thanks

Birdy

20 Replies

Personally, I wouldn't change my infrastructure just because one feature doesn't work as expected. Better to look for the cause of the problem. After changing the MAC addresses on the ASA, have you tried to clear the ARP cache on the router?

Hi,

Having had a look, my configuration doesn't differ much from what was suggested anyway.

Yes, I have cleared the ARP cache on the router after changing the MAC addresses.

Thanks

Chris

So from the standpoint of the adjacent router it looks fine with the different MAC addresses. Please explain what you mean by "locked out of the admin context". What exactly doesn't work?

Hi,

Thanks for the replies.

I cannot connect on ASDM, SSH or telnet to the .194 address. Nor can I ping, etc. So I can't manage the ASA when mac-address auto is applied. (I schedule a reload before I apply this.)

So even though the router is showing a different MAC address in its ARP table, the ASA won't accept connections on the admin context and that IP address. I can't think of anything in the ASA that I've configured that would block/filter on L2.

Thanks

Chris

Anything on the Switch between the ASA and the Router?

Hi,

There's no switch between the router and the firewall. If I explain the topology a bit more, that might help.

Internet > Cisco 1921 > ASA 5520 > Dell Blade, PowerEdge switch M6348.

The switch has 2 VLANs, one for the 192.168.20.0/24 network. The other is the DMZ, 1.2.3.208/29.

The ASA has 2 contexts: admin, interface Gi0/0 1.2.3.194/29

ctx1 interface Gi0/0 1.2.3.195/28 - nameif outside

Interface G0/1 10.10.10.1/25 - nameif CMC (Management for blades)

Interface Gi0/2 192.168.20.254/24 nameif inside

Interface Gi0/2.1 1.2.3.208/29 nameif DMZ

I was primarily using NAT to reach various servers/management interfaces on the inside and CMC interfaces, which worked fine. However, we needed a publicly addressable space to run a SIP server and possibly some more things to come, which is where the DMZ came from. However, as the admin context and ctx1 share interface Gi0/0 and I need to route part of the public subnet to the DMZ, I found I needed to turn on mac-address auto in the system context. This allows the NAT and the DMZ to work, however I can't access the admin context. The ARP cache updates immediately on the router, so it sees the change, but I just wonder if it's something on the ASA that cannot accept traffic on that MAC address?

Sorry for the long-winded explanation, I hope this makes sense.

Thanks

Chris
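For readers following the topology above, here is an added configuration sketch of the pieces the thread describes (shared Gi0/0 between contexts with `mac-address auto`, the /29 DMZ directly connected on Gi0/2.1, and the upstream router forwarding that /29 to ctx1). It is not Chris's running configuration; the router address 1.2.3.193, the DMZ VLAN id, the SIP host 1.2.3.210, the security levels and the restriction to port 5060 are all assumptions.

```cisco
! --- ASA system execution space (assumed layout, not the poster's config) ---
mac-address auto
interface GigabitEthernet0/2.1
 vlan 208
context admin
 allocate-interface GigabitEthernet0/0
 config-url disk0:/admin.cfg
context ctx1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/2.1
 config-url disk0:/ctx1.cfg
!
! --- context ctx1 ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.195 255.255.255.240
interface GigabitEthernet0/2.1
 nameif DMZ
 security-level 50
 ip address 1.2.3.214 255.255.255.248
! Default route towards the 1921; 1.2.3.193 is an assumed router address.
route outside 0.0.0.0 0.0.0.0 1.2.3.193 1
! 1.2.3.208/29 is directly connected on DMZ, so ctx1 needs no static route for it.
! Only let SIP signalling in from outside to the DMZ host (1.2.3.210 is a
! constructed example); everything else to the DMZ is denied and logged.
access-list outside_in extended permit udp any host 1.2.3.210 eq 5060
access-list outside_in extended permit tcp any host 1.2.3.210 eq 5060
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! --- on the Cisco 1921 (IOS): send the DMZ /29 to ctx1's outside address ---
ip route 1.2.3.208 255.255.255.248 1.2.3.195
```

With a shared interface, the ASA classifies inbound packets to a context by destination MAC, so each context's Gi0/0 must answer with its own auto-generated MAC; `show interface` in each context and the router's ARP entry for .194 and .195 should show two different addresses.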
