Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2383
Views
5
Helpful
2
Replies

Routing to internal subnets from ASA 5510

Go to solution
david
Level 1
Level 1

‎05-18-2012 10:18 AM - edited ‎03-11-2019 04:08 PM

Having trouble with a couple items.  First of all, should I be able to ping the inside interface of the ASA from all internal subnets assuming all of these subnets/vlans are directly connected to the same L3 switch?  I can ping the ASA inside interface from our L3 switch, but I cannot ping the inside interface from a host on a different internal subnet.  I have setup static routing on the ASA [

route inside 10.10.96.0 255.255.248.0 10.30.1.1 1]

and verified that I can ping the host [10.10.96.212] from the ASA inside interface [10.30.1.5].  The inside interface is on the 10.30.1.x/24 subnet.  My host is on the 10.10.96.x/21 subnet.  From the ASA I can ping 10.10.96.212, but I cannot ping 10.30.1.5 from 10.10.96.212.  I can however ping 10.30.1.1 from 10.10.96.212.

This leads to my next issue, which is trying to setup the ASA to work concurrently with our current firewall.  I'm doing this in order to transition to the ASA.  I'd much prefer to cutover inbound NAT a little at a time vs. doing it all at once.  Our current firewall is setup at 10.30.1.2 and this is the default route on our L3 switch (0.0.0.0 0.0.0.0 10.30.1.2).  So my question is, if I setup an inbound NAT to one of our web servers on the 10.10.96.x subnet, will I be able to get it to route back to the ASA as opposed to ending up in asymmetric routing hell since the default route points back to our other firewall? 

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to david

‎05-18-2012 08:34 PM

Hello,

Yes it is expected, It was a  routing issue...

Next time you have an issue like that you can run a packet-tracer and create a ASP capture ( this capture will usually show you the reason of why the packets are being dropped by the ASA)

Regards,

Let me know if you have any other question if not please mark the question as answered so future users can learn

from this topic.

Julio

Cisco Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

2 Replies 2

Go to solution
david
Level 1
Level 1

‎05-18-2012 01:11 PM

Solved the ping issue.  The management interface had an IP address on the same subnet 10.10.96.5, which for some reason was causing pings from 10.10.96.x to the inside interface to fail. When I disabled the management interface, pings started working.  Is this normal behavior?   

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to david

‎05-18-2012 08:34 PM

Hello,

Yes it is expected, It was a  routing issue...

Next time you have an issue like that you can run a packet-tracer and create a ASP capture ( this capture will usually show you the reason of why the packets are being dropped by the ASA)

Regards,

Let me know if you have any other question if not please mark the question as answered so future users can learn

from this topic.

Julio

Cisco Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card