Showing results for 
Search instead for 
Did you mean: 


Cannot route leased line traffic from third interface to LAN


    I'm new to the community and hoping someone can shed some light on my issue. I have a leased line coming in to connect two sites,  Right now I have an ASA 5508-X that I'm preparing to use for one site. 

    The sites are set up as follows: SiteA, SiteB SiteC and SiteD


SiteC and SiteD are both connected to SiteB via a Site-To-Site VPN connection. SiteA and SiteB will have the leased line between them. I am working on the ASA for SiteA.


The issue I seem to have is I cannot ping traffic from the inside interface to the SiteC network. I can, (Or at least I could) ping from the leased line interface to SiteC.


Ultimately I'd like to get SiteA to access all the other sites. Here's my config so far:

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address
interface GigabitEthernet1/3
nameif LeasedLine
security-level 0
ip address
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
interface Management1/1
nameif mgmt
security-level 0
ip address
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
object network SiteB
object network LEASE-LeasedLine-GW
description LEASE LeasedLine GATEWAY
object network SiteC
description SiteC-NETWORK
object network SiteD
description Core Office
object network inside-network
access-list alert-interval 3600
access-list LeasedLine_access_in extended permit ip any any
access-list global_access extended permit ip object inside-network any
access-list global_access extended permit ip object SiteB object inside-network
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu LeasedLine 1500
mtu mgmt 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (LeasedLine,inside) source static SiteB SiteB destination static inside-network inside-network no-proxy-arp
nat (inside,LeasedLine) source static inside-network inside-network destination static SiteB SiteB no-proxy-arp
nat (inside,outside) after-auto source dynamic any interface
access-group LeasedLine_access_in in interface LeasedLine
access-group global_access global
route outside 1
route LeasedLine 1
route LeasedLine 1
route LeasedLine 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http inside
http inside
http mgmt
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-access-policy-record DfltAccessPolicy
username admin password
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable



Thanks for any input.

Ajay Saini
Rising star




You can not  source the traffic from inside interface of ASA A and ping across any other interface. This is true unless you are running a vpn between site A and site B, which is not the case. This is a security feature.


If you have a host/server connected behind the inside interface of ASA A, you should be able to reach site C or D if the connectivity is established.



Mohammed al Baqari
VIP Advisor

Unlike routers/switches, as Ajay mentioned, you can't source ping from ASA
inside interface.

Right now I have a basic router attached directly to the leased line interface. I can ping from inside the asa over the leased line interface to the SiteA.


My explanation was a little confusing. Since SiteA and SiteB are connected via the leased line, I meant to say that SiteB can be pinged, but I cannot ping from SiteB to SiteA. I also cannot seem to pass traffic from SiteB to SiteA. I can, however initiate a request from SiteA and get to SiteB. 


Sites C and D are not important yet, I need to get A and B working, then I can work on the others.


I guess my question would be am I going about this the correct way? Should I be putting other hardware in place instead of just an ASA? Should the MPLS circuit be inside my network and not directly attached to the ASA?




Can you please attach a rough topology so that we can understand the topology better.




Here is is quick and dirty explanation of the network. MPLS lines are proposed and not working. Everything else is. MPLS-ISSUES2.jpg



The way I have in my organization is that MPLS is terminating on a dedicated router and route pointing to to the core switch. The core switch default gateway points to ASA and specific routes point to MPLS router for any traffic that needs to go over the MPLS links. I am not sure if you have a mesh topology.


If this is supposed to be a full mesh topology, better to have a router for this purpose terminating the MPLS links.


In your case, if you need help, please provide the complete config for all the device from site A and site B and the source and destination ip addresses. We need to troubleshoot this hop by hop.




This is not a true mesh topology. 

At this point I don't mind putting a router behind the ASA and handling the routing there. I was reading an article that appears to be appropriate:


I was looking at the article titled "TCP State bypass on a Cisco ASA" This seems to apply to my situation.


The remote networks are flat. No layer-3 and there is no way to put in a layer 3 network (budgets!).


If anyone has an opinion on this, please share it.

Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: pxGrid (35%)

Content for Community-Ad