ASA 5545 not routing Inside_Network

Drew
Level 1

I am unable to route my internal network through my ASA 5545. Here is a snapshot starting inside -> out. I have:

4 trunked switches -> connected to a core switch (which has 2 weighted static routes pointing out) -> 2 FWs (with F/O), all good here -> connected to 2 KGs (both active)

FW config:

access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside-in extended permit ip any any
access-list inside-in extended permit icmp any any

access-group outside_access_in in interface SDP1
access-group inside-in in interface Inner1
route SDP1 0.0.0.0 0.0.0.0 X.X.X.X 1 track 10
route SDP2 0.0.0.0 0.0.0.0 X.X.X.X 2
route Inner1 X.X.X.0 255.255.255.128 (inside sw ip) 1
route Inner1 X.X.X.129 255.255.255.224 (inside sw ip) 1
route Inner1 X.X.X.159 255.255.255.224 (inside sw ip) 1


Core config:

ip route 0.0.0.0 0.0.0.0 (FW inside IP)
network vlan 0
network vlan 129
network vlan 159
trunk vlan 0
trunk vlan 129
trunk vlan 159

From my core I can ping the PT side of the KG only. From my FW I can ping to the distant end of the remote KG, all good. All my switches below the core can only ping the core. It seems as if the FW or KG is not allowing my networks to pass. I ran a packet-tracer; all results were allow.

Here's the caveat to this. If I bypass the ASA and go KG to core with a static pointing all traffic to the PT side of the KG, my network comes up: phones, users, servers, all good. So I know the KG is routing. As soon as I reconfigure to route traffic via core to FW to KG with the information above, it's a no-go. As I researched, I may need a nat (inside,outside) source dynamic interface command to hide my inside traffic behind my outside interface IP.

How will this affect NAT when the KGs already do NAT-T to encrypt and tunnel traffic?

Any suggestions are greatly appreciated.
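As an added example (not from the thread and not Cisco's code), a small Python check over the posted `route` statements: it flags a network address whose host bits are set under its mask, and two routes with the same metric that normalise to the same prefix, while leaving the two default routes alone since their metrics differ (primary plus metric-2 backup). The 10.1.1.x and 203.0.113.x addresses are constructed stand-ins for the anonymised X.X.X values.

```python
import ipaddress
import re

# Constructed sample modelled on the route lines in the post; the anonymised
# X.X.X octets are replaced with 10.1.1 and the next hops with 203.0.113.x.
ASA_ROUTES = """\
route SDP1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 10
route SDP2 0.0.0.0 0.0.0.0 203.0.113.5 2
route Inner1 10.1.1.0 255.255.255.128 10.1.1.2 1
route Inner1 10.1.1.129 255.255.255.224 10.1.1.2 1
route Inner1 10.1.1.159 255.255.255.224 10.1.1.2 1
"""

# ASA static route: route <iface> <network> <mask> <next-hop> <metric> [track N]
ROUTE_RE = re.compile(
    r"^route\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)"
)


def parse_routes(config):
    """Return (interface, network, mask, next_hop, metric) for each route line."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, nh, metric = m.groups()
            routes.append((iface, net, mask, nh, int(metric)))
    return routes


def check_routes(config):
    """Return findings: host bits set in a network address, and two routes at
    the same metric that normalise to the same prefix (one shadows the other)."""
    findings = []
    seen = {}  # (normalised prefix, metric) -> route text as typed
    for iface, net, mask, nh, metric in parse_routes(config):
        typed = f"{net} {mask}"
        try:
            prefix = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        except ValueError:  # strict mode rejects addresses with host bits set
            prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            findings.append(f"{iface}: {typed} has host bits set; network is {prefix}")
        key = (prefix, metric)
        if key in seen:
            findings.append(f"{iface}: {typed} duplicates {prefix} (metric {metric}) "
                            f"already routed as {seen[key]}")
        else:
            seen[key] = typed
    return findings


if __name__ == "__main__":
    for finding in check_routes(ASA_ROUTES):
        print(finding)
```

Run against the sample it reports the two /27 lines as having host bits set and the second one as duplicating the first; the tracked default and its metric-2 backup produce no finding.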

4 Replies

Dennis Mink
VIP Alumni

Have you run outbound traffic through the packet tracer tool on ASDM?


What is the result?

Please remember to rate useful posts, by clicking on the stars below.

No ASDM in use at the moment. But I did run it on the CLI and all the results came back as ALLOWED. I sourced it from an internal IP. But I finally found the issue.


We have a pair of Nexus switches trunked off my core. And off that Nexus is a mgmt server that forwards our virtual servers through its NIC. The server is supposed to have 2 NICs IP'd to both Nexus switches; only 1 was, which happened to be on the standby Nexus. For some odd reason, routing via the TACLANEs it routed traffic OK, but when the connection was moved to the FW it would only route partial traffic. So I moved the active NIC to Nexus 1 and all traffic is now passing. I will be IP'ing the other NIC to see if this really was the cause.


Thank you for all the efforts.

Are all devices connected via the core switch, or is there a direct link from the KGs to the ASA? It almost sounds like there is either a routing issue on the core (I see you have a default route in place, but perhaps there is a more specific route overriding the default route?), or you have an issue with asymmetric routing (which is why I asked about the physical connections in the network). It would help to see diagrams of the physical connections as well as the logical network.

--
Please remember to select a correct answer and rate helpful posts
