ASA 5512 inside traffic storm

bad_topology.jpg

Hello. I posted an example of a "how not to build it" network topology, and unfortunately I have this topology... Firstly I have to say that my switches are not manageable and don't support VLANs. So, I have 3 internal networks in Site A and one network in Site B. Site A and Site B are interconnected via a VLAN provided by the ISP, and the ASA also goes out to the Internet via a VLAN provided by the ISP. Theoretically any user can set up Cisco's external IP address on his PC and block Internet access for all users. But at the moment I can't do anything; I'm trying to make a good topology.

Now I'll describe my problem with the ASA 5512 (9.1).

The ASA doesn't support more than one IP address per interface, like aliases in Linux or secondary IP addresses on Cisco routers / switches, so I've configured one physical interface for each of my internal networks, as you can see in the posted image. All internal interfaces are connected to the internal switch. All my internal interfaces have security level 100 and the external interface has security level 0. The problem is that when I check the box "Enable traffic between two or more interfaces with the same security level" it looks like the switch has a loop: it generates too much traffic and the network goes down, and at the same time the ASA's CPU is highly loaded. When I uncheck the mentioned option the network starts to work but doesn't allow traffic between the internal networks.

1. Why does enabling the mentioned option on the ASA make a loop? The interfaces on the ASA are routed interfaces and not switched, right?

2. How can I enable routing between internal networks when the internal interfaces are on the same security level and the option "Enable traffic between two or more interfaces with the same security level" is not checked?

7 Replies

Julio Carvajal
VIP Alumni

Hello.

Allowing that traffic will only be done using that same security command.

Now why would you consider there is a loop in the network and not just a high amount of traffic going between hosts on those interfaces?

I do not see the topology attached.


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi. I don't know why you don't see the image; I see it from different hosts and from different browsers.

I consider that there is a loop because all switch interfaces start to blink very often and finally the network is down. There is not a high amount of traffic in the network, because we have configured a simple MikroTik router with a 600 MHz CPU and configured all the subnet IPs on a single interface, and it works perfectly.

Isn't configuring the "same security" command in the CLI the same as "Enable traffic between two or more interfaces with the same security level" in ASDM? I think this is the same and this creates the problem.

Isn't configuring the "same security" command in the CLI the same as "Enable traffic between two or more interfaces with the same security level" in ASDM?

Yes, this option is the same as configuring the same-security-traffic permit inter-interface command in the ASDM.

The ASA is not causing a loop, because as you mentioned, the interfaces are routed. It is most likely that there is a very high amount of traffic that is being sent between the networks. Perhaps there could be a virus at work here?

--
Please remember to rate and select a correct answer


It is most likely that there is a very high amount of traffic that is being sent between the networks. Perhaps there could be a virus at work here?

I don't think so, because routing the internal networks with a MikroTik router doesn't cause any problems. Can enabled proxy ARP cause this problem in my network topology?

Hello Alex,

As stated before, interfaces are routed, not bridged.

If you want to determine what is going on, create captures on the ASA interface where the LEDs start to blink and see what traffic is going through the FW.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
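Julio's advice is to capture on the interface whose LEDs blink and look at what crosses the firewall. As an added example that is not from anyone in this thread, the script below sifts such a capture, exported as one ARP frame per line in a constructed format, for two things relevant to Alex's questions: stations whose broadcast rate looks like a storm, and IPs answered by more than one MAC, which is the evidence to look for when proxy ARP is suspected. The frame layout and all MACs and IPs are constructed.

```python
from collections import Counter, defaultdict
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample, not a capture from the thread. One ARP frame per line:
# time_s src_mac dst_mac op sender_ip target_ip
SAMPLE = [
    "0.00 aa:aa:aa:aa:aa:01 ff:ff:ff:ff:ff:ff request 10.0.1.10 10.0.2.20",
    "0.01 00:11:22:33:44:01 aa:aa:aa:aa:aa:01 reply 10.0.2.20 10.0.1.10",
    "0.01 00:11:22:33:44:02 aa:aa:aa:aa:aa:01 reply 10.0.2.20 10.0.1.10",
    "0.02 bb:bb:bb:bb:bb:02 ff:ff:ff:ff:ff:ff request 10.0.1.11 10.0.1.1",
    "0.03 00:11:22:33:44:01 bb:bb:bb:bb:bb:02 reply 10.0.1.1 10.0.1.11",
]
# ...plus one station flooding 150 broadcast requests within half a second.
SAMPLE += [f"{1.0 + i * 0.003:.3f} cc:cc:cc:cc:cc:03 {BROADCAST} request 10.0.3.5 10.0.3.1"
           for i in range(150)]

def parse_frames(lines):
    frames = []
    for line in lines:
        t, src, dst, op, sip, tip = line.split()
        frames.append({"t": float(t), "src": src, "dst": dst, "op": op, "sip": sip, "tip": tip})
    return frames

def conflicting_arp_replies(frames):
    # IPs answered by more than one MAC. A healthy segment maps each IP to one MAC;
    # several answering MACs is the evidence to look for when proxy ARP is suspected.
    answered_by = defaultdict(set)
    for f in frames:
        if f["op"] == "reply":
            answered_by[f["sip"]].add(f["src"])
    return {ip: sorted(macs) for ip, macs in answered_by.items() if len(macs) > 1}

def broadcast_peak_rate(frames):
    # Highest broadcast-frame count per source MAC within any one-second bucket.
    per_bucket = Counter()
    for f in frames:
        if f["dst"] == BROADCAST:
            per_bucket[(f["src"], int(f["t"]))] += 1
    peak = Counter()
    for (src, _), n in per_bucket.items():
        peak[src] = max(peak[src], n)
    return peak

def storm_sources(frames, threshold=100):
    # Source MACs whose peak broadcast rate reaches the threshold (frames per second).
    return {mac: n for mac, n in broadcast_peak_rate(frames).items() if n >= threshold}

if __name__ == "__main__":
    fr = parse_frames(SAMPLE)
    print("IPs answered by more than one MAC:", conflicting_arp_replies(fr))
    print("Broadcast storm sources:", storm_sources(fr))
```

A real capture would be exported from the firewall or a span port and converted to this one-line-per-frame layout first; the thresholds are a starting point, not a rule.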

Thank you for your proposal. I'll implement VLANs there and it will work OK, but until the VLANs are implemented I have left the MikroTik to route the traffic. I just asked what theoretically could be the problem. I understand that the interfaces are routed and should not make any loops. Right now I don't have physical access to the network to make tests or traffic captures.

Hello,

Sure,

No problem.

If you do not have any other query please rate the questions that you think have helped and mark the question as answered.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC