ASA 5512 inside traffic storm

bad_topology.jpg

Hello. I posted an example of a "how not to be" network topology, and unfortunately I have this topology... Firstly I have to say that my switches are not manageable and don't support VLANs. So, I have 3 internal networks in Site A and one network in Site B. Site A and Site B are interconnected via a VLAN provided by the ISP, and the ASA also goes out to the Internet via a VLAN provided by the ISP. Theoretically any user can set up on his PC Cisco's external IP address and can block access to the Internet for all users. But at the moment I can't do anything; I'm trying to make a good topology.

Now I'll describe my problem with the ASA 5512 (9.1).

The ASA doesn't support more than one IP address per interface, like aliases in Linux or secondary IP addresses on Cisco routers/switches, so I've configured one physical interface for each of my internal networks - you can see it in the posted image. All internal interfaces are connected to the internal switch. All my internal interfaces have security level 100 and the external interface has security level 0. The problem is that when I check the box "Enable traffic between two or more interfaces with the same security level" it looks like the switch has a loop: it generates too much traffic and the network goes down, and at the same time the ASA's CPU is highly loaded. When I uncheck the mentioned option the network starts to work but does not allow traffic between the internal networks.

1. Why does enabling the mentioned option on the ASA cause a loop? The interfaces on the ASA are routed interfaces and not switched, right?

2. How can I enable routing between the internal networks when the internal interfaces are on the same security level and the option "Enable traffic between two or more interfaces with the same security level" is not checked?