Cannot Reach other Routed Ports on ASA 5506X

I've recently moved my ASA to perform L3 responsibility for SourceFire and removed routing from my Layer 3 switch. Enabling same security for interfaces allows inter-VLAN connectivity to hosts on other subnets, but I find I cannot ping or SSH to those other interfaces, e.g. reaching SSH via VLAN10 from VLAN5.

I'm not used to being locked into my own connected subnet for management. Is this by design, or did I miss a step? And if by design, is there a process to allow the traffic? I'm not used to the ASA being the gateway for my subnets; I usually leave that to the L3 switch and just /30 my way up to the edge.

Accepted Solution

Jon Marshall (Hall of Fame)

If you mean ping through the ASA to another interface on the ASA itself, then no, you can't do that, and it is by design.

I believe you can allocate an interface for management and then you can, although to be honest I may have got that wrong as it has been a while, so perhaps ask this on the Firewalling forum as well or move this thread there.

Unless it is a small network where you cannot justify an L3 switch, I am not a fan of using the ASA for routing between VLANs, as it just introduces more complications like this, unless of course you really do need stateful firewalling between your VLANs.

Jon


3 Replies


Thanks, I moved the thread to Firewalling. I'm usually not a fan of this method either, but the use case for east-west Firepower makes it necessary. 

The management access command was the solution. 
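The configuration the thread's fix implies, as an added example rather than anything posted in the thread. Interface names (vlan5, vlan10) and subnets (10.0.5.0/24, 10.0.10.0/24) are assumed; the commands themselves are standard ASA CLI.

```text
! Added example, not from the original post. Assumed nameifs and subnets:
!   vlan5  = 10.0.5.0/24  (admin hosts live here)
!   vlan10 = 10.0.10.0/24 (interface address the admin wants to SSH to)
!
! What the OP already had: host-to-host traffic between equal-security
! interfaces is permitted, which is why hosts on VLAN10 were reachable
! from VLAN5 even though the ASA's own VLAN10 address was not.
same-security-traffic permit inter-interface
!
! By design the ASA only answers management traffic (SSH, ICMP to itself)
! on the interface the packet arrives on. management-access designates
! a single interface whose address may be reached via another interface.
management-access vlan10
!
! Keep management exposure narrow: allow SSH and ping to the ASA only from
! the admin subnet, on the interface those packets actually enter (vlan5),
! instead of 0.0.0.0 0.0.0.0 on every interface.
ssh 10.0.5.0 255.255.255.0 vlan5
ssh version 2
icmp permit 10.0.5.0 255.255.255.0 vlan5
!
! Verify the designation took effect:
!   show running-config management-access
```

Only one interface can be named in management-access, so pick the one you want to manage the box on from the other VLANs; the `ssh` and `icmp` lines are scoped to the ingress interface, not the one being reached.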
