06-06-2017 09:47 AM - edited 03-12-2019 02:28 AM
I've recently moved my ASA to perform L3 responsibility for SourceFire and removed routing from my Layer3 switch. Enabling same security for interfaces allows inter-VLAN connectivity to hosts on other subnets, but I find I cannot ping or SSH to those other interfaces, e.g. reaching SSH via VLAN10 from VLAN5.
I'm not used to being locked into my own connected subnet for management. Is this by design, or did I miss a step? And if by design, is there a process to allow the traffic? I'm not used to the ASA being the gateway for my subnets; I usually leave that to the L3 switch and just /30 my way up to the edge.
06-06-2017 09:54 AM
If you mean ping through the ASA to another interface on the ASA itself, then no, you can't do that, and it is by design.
I believe you can allocate an interface for management and then you can, although to be honest I may have got that wrong as it has been a while, so perhaps ask this on the Firewalling forum as well or move this thread there.
Unless it is a small network where you cannot justify a L3 switch, I am not a fan of using the ASA for routing between VLANs, as it just introduces more complications like this, unless of course you really do need stateful firewalling between your VLANs.
Jon
06-06-2017 09:58 AM
Thanks, I moved the thread to Firewalling. I'm usually not a fan of this method either, but the use case for east-west Firepower makes it necessary.
06-07-2017 12:22 PM
The management access command was the solution.
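Added illustration, not part of the original thread or the poster's configuration: an ASA configuration fragment showing the management-access command that resolves the situation described above (reaching the VLAN10 interface address from a host on VLAN5). Interface names (vlan5, vlan10), the 10.5.0.0/24 and 10.10.0.0/24 subnets and the management host addresses are constructed assumptions.

```cisco
! --- Constructed example: two same-security interfaces routed by the ASA ---
interface GigabitEthernet0/1.5
 vlan 5
 nameif vlan5
 security-level 50
 ip address 10.5.0.1 255.255.255.0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
! Lets traffic flow between interfaces of equal security level (host-to-host
! inter-VLAN traffic). On its own this does NOT let a VLAN5 host reach the
! ASA's own vlan10 address for SSH/ICMP; that is the behaviour the thread hit.
same-security-traffic permit inter-interface
!
! Designates vlan10 as the interface whose address may be managed from hosts
! that enter the ASA on a different interface. Only one interface can be
! named here at a time.
management-access vlan10
!
! Management access is still gated by the per-protocol host lists; keep the
! source ranges as narrow as the admin stations actually need.
ssh 10.5.0.0 255.255.255.0 vlan10
icmp permit 10.5.0.0 255.255.255.0 vlan10
!
! Verification after applying the change:
!   show running-config management-access
!   show running-config ssh
```

From a host in 10.5.0.0/24, SSH and ping to 10.10.0.1 should now succeed, while the interface addresses of other interfaces not named in management-access remain unreachable from non-connected subnets.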