09-24-2019 09:40 AM
Good Day,
I'm currently having an issue where I have my sub-interfaces configured on my router. I also have an ASA 5508 that I am using to control traffic. The ASA can block traffic between the outside (ISP) and inside (internal VLANs) with no problem. But if I set up an ACL to block traffic between the internal VLANs, it does not work.
I do not even see the traffic flow between the VLANs (server VLAN to users VLAN) in the ASA syslogs.
Can I get some help with this please?
Also, my current setup is: my ISP is plugged into an interface on the ASA, my ASA is plugged into an interface on the router, and my router is plugged into a trunk port on my switch.
09-25-2019 12:49 AM
As you are terminating your hosts and servers pointing towards a ROUTER (router-on-a-stick configuration) as a default gateway, the traffic between the host VLAN and the server VLAN never hits the ASA, hence the ASA cannot take action and stop it. There are a few ways you can control the traffic between the host and server VLANs.
You can configure ACLs on the ROUTER (router on a stick).
You can change the configuration and setup and make the ASA the default gateway for hosts and servers, and then apply ACLs on the ASA.
HTH
### RATE ALL HELPFUL RESPONSES ###
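The first option above (filtering on the router, where the inter-VLAN traffic actually transits) as an added example; this configuration is not from the thread or from Cisco, and the VLAN IDs, subnets, interface names and ASA address are assumptions, not values from the post:

```cisco
! Added example, not from the thread. Router-on-a-stick with the inter-VLAN
! ACL applied on the router, since that is where the VLAN-to-VLAN packets flow.
! Assumed addressing: server VLAN 10 = 10.10.10.0/24, users VLAN 20 = 10.10.20.0/24,
! Gi0/0 = uplink to the ASA inside interface, Gi0/1 = trunk to the switch.
!
interface GigabitEthernet0/1
 description Trunk to switch
 no ip address
!
interface GigabitEthernet0/1.10
 description Server VLAN
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 description Users VLAN
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ! Filter user-originated traffic as it enters the router from VLAN 20,
 ! before it is routed toward the server VLAN.
 ip access-group USERS-IN in
!
! Users may reach the servers only on HTTPS (assumed approved service);
! anything else aimed at the server VLAN is dropped and logged;
! everything else (Internet-bound) is passed on toward the ASA.
ip access-list extended USERS-IN
 permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 443
 deny   ip  10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 permit ip  10.10.20.0 0.0.0.255 any
!
! Default route toward the ASA inside interface (placeholder address).
ip route 0.0.0.0 0.0.0.0 <ASA-INSIDE-IP>
```

Router ACLs are stateless, so no inbound ACL is placed on the server sub-interface here; if you also filter the server VLAN inbound, remember to permit the return traffic. Check hit counts with `show ip access-lists USERS-IN` to confirm the deny line is actually matching.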
09-24-2019 09:46 AM
For the VLANs you would like to block inter-VLAN traffic on, are these interfaces configured with IP addresses in the FW, and do the devices point to the FW as their GW?
If not, the FW will not be aware of that traffic in order to block it.
09-24-2019 10:07 AM
Currently I have the IP address ranges set up as network objects in the FW, and I only have the router's default gateway set to the FW.
Do my router sub-interfaces need to be set up in the FW as interfaces as well?
09-24-2019 01:07 PM
If your devices have their GW set up on the router, the packets will not reach the FW for it to work.
Do you have a high-level diagram to understand where your FW is and how the router is set up, and which user IPs/VLANs you would like to block?
09-24-2019 01:21 PM
Please see the high-level diagram. My VLANs/sub-interfaces are set up on the router. There is a link going from the router to the firewall.
09-24-2019 04:38 PM
The solution you are looking for may not work.