Solved: Allow routing for return traffic from ASA

mahesh18 · ‎07-15-2015

Hi everyone,

I am trying to fix the routing issue in ASA.

Layer 3 traffic flow

PC-----L3 switch1------int x-------ASA--int y----Layer 3 switch2 --- server

Here traffic flow is allowed from PC to server.

But for return traffic from server to PC via ASA X interface the next hop to L3 switch 1 is not pingable.

L2 traffic flow

L3 switch 1 ------trunk to switch3----------trunk to switch4-----access vlan 510 ------x interface of ASA.

Switch4 port connected to ASA interface x is access port only carrying single vlan.

Need to know in order for ping to work from X interface of ASA to next hop address which is vlan 520 on L3 switch1 what can i do?

Regards

MAhesh

Andre Neethling · ‎07-16-2015

You can configure subinterfaces. But IMO it will be better for you to use the layer 3 switch for your inter-vlan routing. Unless you need specific access policies for each VLAN you have. Otherwise, just do your routing on the layer 3 switch. This will take some load off your ASA. You may also need to tune Same-Secutiry level traffic, etc.The ASA also behaves a bit funny when you use it as a client default gateway. So to keep you config simple, I would not do any inter-vlan routing on the ASA.

View solution in original post

Marius Gunnerud · ‎07-18-2015

you need to add the command ip routing on the L3 switch. Then you will be able to add routing commmands such as the following:

ip route 1.2.3.0 255.255.255.0 11.11.11.1

just replace the 1.2.3.0 with the subnet you are trying to reach, 255.255.255.0 with the actual subnet of the network you are trying to reach, and replace 11.11.11.1 with the next hop IP toward the subnet you are trying to reach.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

mvsheik123 · ‎07-16-2015

Hi Mahesh,

With necessary routing configured, try adding 'inspect icmp' on ASA.

Thx

MS

mahesh18 · ‎07-16-2015

routing is not configured.

So right now ASA interface connected to switch only allows sigle vlan.

To allow another vlan on the same interface so that routing is enabled should i config port on ASA

as multiple sub interfaces ?

Regards

MAhesh

Andre Neethling · ‎07-16-2015

You can configure subinterfaces. But IMO it will be better for you to use the layer 3 switch for your inter-vlan routing. Unless you need specific access policies for each VLAN you have. Otherwise, just do your routing on the layer 3 switch. This will take some load off your ASA. You may also need to tune Same-Secutiry level traffic, etc.The ASA also behaves a bit funny when you use it as a client default gateway. So to keep you config simple, I would not do any inter-vlan routing on the ASA.

mahesh18 · ‎07-17-2015

Hi Andre,

How can i use layer 3 switch for routing?

Can you please explain me with example what config i need to put on switch and ASA

for inter vlan routing?

Regards

Mahesh

Marius Gunnerud · ‎07-18-2015

you need to add the command ip routing on the L3 switch. Then you will be able to add routing commmands such as the following:

ip route 1.2.3.0 255.255.255.0 11.11.11.1

just replace the 1.2.3.0 with the subnet you are trying to reach, 255.255.255.0 with the actual subnet of the network you are trying to reach, and replace 11.11.11.1 with the next hop IP toward the subnet you are trying to reach.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎07-28-2015

Many thanks