07-15-2015 09:59 PM - edited 03-11-2019 11:16 PM
Hi everyone,
I am trying to fix the routing issue in ASA.
Layer 3 traffic flow
PC-----L3 switch1------int x-------ASA--int y----Layer 3 switch2 --- server
Here traffic flow is allowed from PC to server.
But for return traffic from server to PC via ASA X interface the next hop to L3 switch 1 is not pingable.
L2 traffic flow
L3 switch 1 ------trunk to switch3----------trunk to switch4-----access vlan 510 ------x interface of ASA.
Switch4 port connected to ASA interface x is access port only carrying single vlan.
Need to know: in order for ping to work from X interface of ASA to next hop address which is vlan 520 on L3 switch1, what can I do?
Regards
Mahesh
Solved!
07-16-2015 11:04 PM
You can configure subinterfaces. But IMO it will be better for you to use the layer 3 switch for your inter-vlan routing. Unless you need specific access policies for each VLAN you have. Otherwise, just do your routing on the layer 3 switch. This will take some load off your ASA. You may also need to tune Same-Security level traffic, etc. The ASA also behaves a bit funny when you use it as a client default gateway. So to keep your config simple, I would not do any inter-vlan routing on the ASA.
07-18-2015 12:18 AM
You need to add the command ip routing on the L3 switch. Then you will be able to add routing commands such as the following:
ip route 1.2.3.0 255.255.255.0 11.11.11.1
Just replace the 1.2.3.0 with the subnet you are trying to reach, 255.255.255.0 with the actual subnet mask of the network you are trying to reach, and replace 11.11.11.1 with the next hop IP toward the subnet you are trying to reach.
--
Please remember to select a correct answer and rate helpful posts
07-16-2015 02:23 AM
Hi Mahesh,
With necessary routing configured, try adding 'inspect icmp' on ASA.
Thx
MS
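Putting the two suggestions above together (Andre's "do the routing on the L3 switch and give it a static route", and MS's "inspect icmp"), here is an added configuration example that is not part of any post in this thread. All addresses, interface names and security levels are constructed for illustration; the only values taken from the thread are the VLAN numbers (510 as the access VLAN facing ASA interface x, 520 as the PC VLAN on L3 switch1). The point it shows is that the next hop of a static route on the ASA must sit on the same subnet as the interface the route is bound to: if the ASA's interface x lives in VLAN 510, its next hop toward the PC subnet must be switch1's VLAN 510 SVI, not the VLAN 520 address, which is why the ping in the original question fails.

```cisco
! ---- L3 switch1 (Catalyst IOS) ----
! Enable the routing engine (per Andre's post); without it SVIs only answer locally
ip routing
!
! Transit SVI toward ASA interface x (same VLAN that switch4 carries on its access port)
interface Vlan510
 description Transit to ASA interface x (constructed subnet 10.10.10.0/24)
 ip address 10.10.10.2 255.255.255.0
!
! PC VLAN; the switch, not the ASA, is the PCs' default gateway
interface Vlan520
 description PC VLAN (constructed subnet 192.168.20.0/24)
 ip address 192.168.20.1 255.255.255.0
!
! Static route toward the server subnet, next hop = ASA interface x on VLAN 510
ip route 172.16.30.0 255.255.255.0 10.10.10.1
! (or a default route if the ASA is the only exit: ip route 0.0.0.0 0.0.0.0 10.10.10.1)

! ---- switch4 (port facing the ASA, as described in the thread) ----
interface GigabitEthernet1/0/24
 description To ASA interface x, access VLAN 510 only
 switchport mode access
 switchport access vlan 510

! ---- ASA ----
interface GigabitEthernet0/1
 nameif x
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif y
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Return path to the PC subnet: next hop is switch1's VLAN 510 SVI, which is on-link for interface x
route x 192.168.20.0 255.255.255.0 10.10.10.2 1
! Server subnet is behind L3 switch2 on interface y (constructed next hop)
route y 172.16.30.0 255.255.255.0 10.10.20.2 1
!
! Per MS's post: track ICMP statefully so echo replies are allowed back through the ASA
policy-map global_policy
 class inspection_default
  inspect icmp

! ---- checks ----
! switch1:  show ip route          (expect 172.16.30.0/24 via 10.10.10.1)
! ASA:      show route             (expect 192.168.20.0/24 via 10.10.10.2 on x)
! ASA:      ping x 10.10.10.2      (next hop now on-link, should answer)
! ASA:      packet-tracer input y icmp 172.16.30.10 8 0 192.168.20.10
```

The security levels are assumptions: with x at 100 and y at 50, connections initiated from the PC side toward the server are permitted by default and their return traffic is allowed by the connection table, while anything initiated from the server side toward the PCs needs an explicit access-list on interface y. This keeps the ASA as a plain transit hop between two routed segments, which is the simpler design Andre recommends over subinterfaces and inter-VLAN routing on the firewall.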
07-16-2015 11:25 AM
routing is not configured.
So right now the ASA interface connected to the switch only allows a single vlan.
To allow another vlan on the same interface so that routing is enabled, should I configure the port on ASA
as multiple sub interfaces?
Regards
Mahesh
07-17-2015 12:47 PM
Hi Andre,
How can I use the layer 3 switch for routing?
Can you please explain to me with an example what config I need to put on the switch and ASA
for inter vlan routing?
Regards
Mahesh
07-28-2015 11:21 AM
Many thanks