Hi,If i understand the issue

itops · ‎07-27-2015

Hi,

I have a 5525 firewall in routed mode in HA configuration which was initially being used as a router (i.e. hosts gateway was firewall). There were quite a large number of issues with routing and NATTing which I have addresses but there are still some issues that are bothering me.

So the setup at the moment is

HOSTS (VLAN 1,2,100 etc)

| |

Connected to Layer 3 Switch (the uplink port is trunk with required VLANs tagged)

| |

Connected to ASA Ether0/1

| |

ISP Router (ASA E0/0)

So, to clear a few things.. InterVLAN routing is enabled on Layer 3 switch and traffic does not traverse the firewall if I want to talk between hosts connected to VLAN 1, 2 or 100.

On the Layer 3 switch the default gateway is the firewall and all hosts (physical or virtual) connected to Layer 2 have their gateways as the HSRP address of the Layer3 switch.

From a host connected to VLAN 1 (10.0.0.x) or VLAN 2 (10.0.2.x) I am able to talk to outside world (internet) and also internally (Layer3 doing that for me).

From a host on VLAN 100 (10.10.1.10) I am unable to connect to internet but can ping internal hosts on VLAN 1 & 2. The default gateway of this host is the Layer3 switch (10.10.1.1). If I change the default gateway to interface of the firewall (10.10.1.254) I can get to internet !

Obviously the desire is to use Layer3 switch to handle the routing element and ASA which sits behind the switch to do firewalling business.

So here are my list of issues. I would appreciate if these can be addressed one at a time.

1) My main desire is to use the Firewall to restrict access to new production VLANs. Note that there is only 1 uplink to the core switch with all the VLANs tagged. VLAN 1 & 2 are in use at the moment and these won't be changed but going forward all new VLANs should be firewalled. Is this possible looking at the current setup ?

2) So in order to work in the new world I need VLAN100 to work. However, as I stated, when I assign a host (10.10.1.10) in VLAN100 an IP address and gateway address of the Layer3 switch, I am unable to access internet. VLAN100 is a connected network on the firewall and I am not sure why I am getting routing failed error.

looking at logs I get the below from the firewall

FILTER BY SOURCE IP

6 Jul 27 2015 12:14:02 302013 10.10.1.10 54968 188.125.93.39 443 Built outbound TCP connection 173537375 for INTERNET-WAN:188.125.93.39/443 (188.125.93.39/443) to DEFAULT:10.10.1.10/54968 (154.59.137.110/54968)

6 Jul 27 2015 12:12:14 302013 10.10.1.10 54899 23.51.219.86 443 Built outbound TCP connection 173530654 for INTERNET-WAN:23.51.219.86/443 (23.51.219.86/443) to DEFAULT:10.10.1.10/54899 (154.59.137.110/54899)

FILTER BY DESTINATION IP

6 Jul 27 2015 12:15:18 302014 188.125.93.38 443 10.10.1.10 54974 Teardown TCP connection 173539416 for INTERNET-WAN:188.125.93.38/443 to DEFAULT:10.10.1.10/54974 duration 0:00:30 bytes 0 SYN Timeout

6 Jul 27 2015 12:14:26 110003 66.196.66.213 443 10.10.1.10 54972 Routing failed to locate next hop for TCP from INTERNET-WAN:66.196.66.213/443 to DEFAULT:10.10.1.10/54972

6 Jul 27 2015 12:13:50 302014 46.228.47.115 443 10.10.1.10 54950 Teardown TCP connection 173534931 for INTERNET-WAN:46.228.47.115/443 to DEFAULT:10.10.1.10/54950 duration 0:00:30 bytes 0 SYN Timeout

6 Jul 27 2015 12:18:14 302014 216.58.208.238 443 10.10.1.10 54999 Teardown TCP connection 173551080 for INTERNET-WAN:216.58.208.238/443 to DEFAULT:10.10.1.10/54999 duration 0:00:17 bytes 0 No valid adjacency

Host 10.10.1.10 is able to ping Layer3 switch 10.10.1.1 & interface IP address of the firewall 10.10.1.254

3) I have on average in excess of 60,000 connections & an average of 600 NAT XLATES on the firewall. Is this correct ?

4) Possible Scan & SYN Attack rate average at 120, 35

5) quite frequently I get the below messages on Log

Jul 27 2015 12:18:42 162.13.132.32 33024 10.0.2.80 56735 Teardown TCP connection 173554186 for INTERNET-WAN:162.13.132.32/33024 to DEFAULT:10.0.2.80/56735 duration 0:00:00 bytes 3604 TCP Reset-I

7) Getting the below messages often

Jul 27 2015 12:53:50 305006 10.0.0.97 216.58.208.46 regular translation creation failed for icmp src any:10.0.0.97 dst INTERNET-

WAN:216.58.208.46 (type 3, code 3)

4 Jul 27 2015 12:52:42 733100 [ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 10; Current average

rate is 57 per second, max configured rate is 5; Cumulative total count is 34249

4 Jul 27 2015 12:52:42 733100 [ Scanning] drop rate-2 exceeded. Current burst rate is 4 per second, max configured rate is 8; Current average

rate is 57 per second, max configured rate is 4; Cumulative total count is 207180

Config below:

ASA Version 9.4(1)

!

hostname **********

domain-name *********

enable password ************** encrypted

names

ip local pool VPN-Pool 192.168.255.1-192.168.255.10 mask 255.255.255.0

!

interface GigabitEthernet0/0

nameif INTERNET-WAN

security-level 0

ip address ***.59.***.*** 255.255.255.248 standby ***.59.***.***

!

interface GigabitEthernet0/1

nameif LAN-WAN

security-level 100

no ip address

!

interface GigabitEthernet0/1.1

vlan 1

nameif DEFAULT

security-level 100

ip address 10.0.0.254 255.255.255.0 standby 10.0.0.253

!

interface GigabitEthernet0/1.2

vlan 2

nameif HARDWARE

security-level 100

ip address 10.0.2.254 255.255.255.0 standby 10.0.2.253

!

interface GigabitEthernet0/1.100

vlan 100

nameif PROD-INF-SRVRS

security-level 100

ip address 10.10.1.254 255.255.255.0

!

interface GigabitEthernet0/1.254

vlan 254

nameif MGMT

security-level 100

ip address 10.0.254.254 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

description LAN Failover Interface

!

interface GigabitEthernet0/7

description STATE Failover Interface

!

interface Management0/0

management-only

shutdown

nameif management

security-level 100

no ip address

!

banner asdm ***********************************************************************

************

banner asdm **************************************************************************

boot system disk0:/asa941-smp-k8.bin

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup INTERNET-WAN

dns domain-lookup LAN-WAN

dns domain-lookup HARDWARE

dns domain-lookup PROD-INF-SRVRS

dns domain-lookup DEFAULT

dns domain-lookup MGMT

dns server-group DefaultDNS

name-server 10.0.0.2

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object service rdp

service tcp destination eq 3389

object-group icmp-type DM_INLINE_ICMP_1

icmp-object time-exceeded

icmp-object unreachable

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_5 tcp

port-object eq https

port-object eq ssh

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object icmp

protocol-object icmp6

object-group service DM_INLINE_SERVICE_1

service-object object rdp

service-object tcp destination eq www

object-group service DM_INLINE_SERVICE_2

service-object object ETL_SVC_Mananger

service-object tcp destination eq www

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_3

service-object tcp-udp destination eq www

service-object tcp destination eq https

service-object udp destination eq 443

object-group service DM_INLINE_SERVICE_7

service-object icmp

service-object icmp time-exceeded

service-object icmp unreachable

object-group network DM_INLINE_NETWORK_2

network-object object Public1

network-object object Public2

object-group network DM_INLINE_NETWORK_4

network-object object Network_VLAN-1

network-object object Network_VLAN-2

network-object object *******

network-object object ******

object-group network DM_INLINE_NETWORK_5

network-object object Network_VLAN-1

network-object object Network_VLAN-2

network-object object Network_VLAN-254

object-group network DM_INLINE_NETWORK_6

network-object object Network_VLAN-1

network-object object Network_VLAN-2

object-group network DM_INLINE_NETWORK_7

network-object object Network_VLAN-2

object-group network DM_INLINE_NETWORK_8

network-object object Network_VLAN-1

network-object object Network_VLAN-2

object-group network DM_INLINE_NETWORK_9

network-object host ***.105.***.***

network-object host ***.238.***.***

network-object host ***.***.56.184

object-group network DM_INLINE_NETWORK_10

network-object object Network_VLAN-1

network-object object Network_VLAN-2

object-group network DM_INLINE_NETWORK_11

network-object object Public

group-object ******-networks-PUBLIC

object-group network DM_INLINE_NETWORK_13

network-object object Public

group-object Marketing_Public_Group

access-list INTERNET-WAN_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1

access-list INTERNET-WAN_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_2 object 10.0.2.49-PRIVATE

access-list INTERNET-WAN_access_in extended permit tcp object-group DM_INLINE_NETWORK_11 object prd-inf-perc-01-PRIVATE object-group DM_INLINE_TCP_5

access-list INTERNET-WAN_access_in extended permit tcp object-group Mail-Public-IP_Group object OWL-PRIVATE eq ldap

access-list INTERNET-WAN_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_13 object test-app-01-PRIVATE

access-list INTERNET-WAN_access_in extended deny ip any any

access-list LAN-WAN_access_in extended permit tcp any any object-group DM_INLINE_TCP_1

access-list LAN-WAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any

access-list MGMT_access_in extended permit ip any any

access-list STATEBYPASS extended permit ip 10.0.0.0 255.0.0.0 any inactive

access-list HARDWARE_mpc extended permit ip 10.0.0.0 255.0.0.0 any

access-list INTERNET-WAN_access_out extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_4 any

access-list INTERNET-WAN_access_out remark NTP Protocol

access-list INTERNET-WAN_access_out extended permit udp object-group DM_INLINE_NETWORK_1 any eq ntp

access-list INTERNET-WAN_access_out extended permit tcp object prd-inf-perc-01-PRIVATE any eq smtp

access-list INTERNET-WAN_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_5 any

access-list INTERNET-WAN_access_out remark ICMP for Linux

access-list INTERNET-WAN_access_out extended permit udp object-group DM_INLINE_NETWORK_3 any range 33434 33490

access-list INTERNET-WAN_access_out remark FTP access from Environment

access-list INTERNET-WAN_access_out extended permit tcp object-group Environment-Group any eq ftp

access-list INTERNET-WAN_access_out remark SSH access from environment

access-list INTERNET-WAN_access_out extended permit tcp object-group DM_INLINE_NETWORK_10 any eq ssh

access-list INTERNET-WAN_access_out extended permit udp object-group DM_INLINE_NETWORK_6 any eq domain

access-list INTERNET-WAN_access_out extended permit tcp object-group DM_INLINE_NETWORK_7 object-group public-smtpservers eq smtp

access-list INTERNET-WAN_access_out extended permit tcp any object ***Public_Range eq 33024

access-list INTERNET-WAN_access_out extended permit tcp object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9 eq ftp

access-list INTERNET-WAN_access_out extended permit tcp object OWL-PRIVATE any eq domain

access-list INTERNET-WAN_access_out extended permit udp object Kite-PRIVATE any eq snmp

access-list INTERNET-WAN_access_out extended permit ip 10.10.0.0 255.255.254.0 any

access-list INTERNET-WAN_access_out extended permit udp object-group TerminalServers-Group any eq 3478

access-list INTERNET-WAN_access_out extended permit tcp object Network_VLAN-2 object-group DM_INLINE_NETWORK_12 eq 10000

access-list HARDWARE_mpc_1 extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

access-list DEFAULT_mpc extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

pager lines 24

logging enable

logging console informational

logging monitor informational

logging asdm informational

logging from-address ***

logging recipient-address ***

mtu INTERNET-WAN 1500

mtu LAN-WAN 1500

mtu HARDWARE 1500

mtu management 1500

mtu PROD-INF-SRVRS 1500

mtu BKEND-INF-SRVRS 1500

mtu PROD-OPS-SRVRS 1500

mtu DEV-OPS-SRVRS 1500

mtu CONTDEV-OPS-SRVRS 1500

mtu DEFAULT 1500

mtu MGMT 1500

failover

failover lan unit primary

failover lan interface FAILOVER-LAN GigabitEthernet0/6

failover key *****

failover link STATEFULL-FAILOVER GigabitEthernet0/7

failover interface ip FAILOVER-LAN 10.0.255.17 255.255.255.248 standby 10.0.255.18

failover interface ip STATEFULL-FAILOVER 10.0.255.25 255.255.255.248 standby 10.0.255.26

no monitor-interface LAN-WAN

no monitor-interface management

monitor-interface DEFAULT

icmp unreachable rate-limit 10 burst-size 5

icmp permit any LAN-WAN

icmp permit any HARDWARE

icmp permit any PROD-INF-SRVRS

icmp permit any MGMT

asdm image disk0:/asdm-741.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (INTERNET-WAN,HARDWARE) source static any any destination static prd-inf-perc-01-PUBLIC prd-inf-perc-01-PRIVATE no-proxy-arp

nat (HARDWARE,INTERNET-WAN) source static prd-inf-perc-01-PRIVATE prd-inf-perc-01-PUBLIC no-proxy-arp

nat (INTERNET-WAN,DEFAULT) source static any any destination static OWL-PUBLIC OWL-PRIVATE no-proxy-arp

nat (DEFAULT,INTERNET-WAN) source static OWL-PRIVATE OWL-PUBLIC no-proxy-arp

nat (DEFAULT,INTERNET-WAN) source static uat-inf-www-vip-PRIVATE uat-inf-www-vip-PUBLIC no-proxy-arp

nat (INTERNET-WAN,DEFAULT) source static any any destination static TEST-PUBLIC-***.59.***.*** 10.0.2.49-PRIVATE no-proxy-arp

nat (DEFAULT,INTERNET-WAN) source static 10.0.2.49-PRIVATE TEST-PUBLIC-***.59.***.*** no-proxy-arp inactive

nat (DEFAULT,INTERNET-WAN) source dynamic any interface inactive

nat (HARDWARE,INTERNET-WAN) source dynamic any interface inactive

nat (INTERNET-WAN,DEFAULT) source static any any destination static test-hyb-01-PUBLIC test-hyb-01-PRIVATE no-proxy-arp

nat (DEFAULT,INTERNET-WAN) source static test-hyb-01-PRIVATE test-hyb-01-PUBLIC no-proxy-arp

!

object network OBJ_NAT-Any

nat (any,INTERNET-WAN) dynamic interface

access-group INTERNET-WAN_access_in in interface INTERNET-WAN

access-group INTERNET-WAN_access_out out interface INTERNET-WAN

route INTERNET-WAN 0.0.0.0 0.0.0.0 154.59.137.105 1

route DEFAULT 10.0.0.0 255.255.0.0 10.0.0.245 1

route DEFAULT 10.0.4.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.5.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.8.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.9.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.10.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.11.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.12.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.13.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.14.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.15.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.17.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.18.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.20.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.30.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.40.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.50.0 255.255.254.0 10.0.0.245 1

route DEFAULT 10.0.60.0 255.255.254.0 10.0.0.245 1

route DEFAULT 10.0.100.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.101.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.111.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.150.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.155.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.0.200.0 255.255.248.0 10.0.0.245 1

route DEFAULT 10.0.208.0 255.255.255.0 10.0.0.245 1

route DEFAULT 10.2.0.0 255.255.0.0 10.0.0.245 1

route DEFAULT 10.3.0.0 255.255.0.0 10.0.0.245 1

route DEFAULT 10.4.0.0 255.255.0.0 10.0.0.245 1

route DEFAULT 10.33.52.0 255.255.252.0 10.0.0.245 1

route DEFAULT 192.168.18.0 255.255.255.0 10.0.0.245 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

aaa-server RADIUS-SERVERS protocol radius

aaa-server RADIUS-SERVERS (DEFAULT) host 10.0.0.156

key *****

radius-common-pw *****

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http server idle-timeout 1440

http server session-timeout 1440

http ***.246.***.*** 255.255.255.255 INTERNET-WAN

http 10.0.0.0 255.255.255.0 DEFAULT

http 10.0.0.0 255.255.255.0 MGMT

http 10.0.60.0 255.255.254.0 DEFAULT

snmp-server host DEFAULT 10.0.0.201 community ***** version 2c

snmp-server host DEFAULT 10.0.0.122 community ***** version 2c

snmp-server location *********

snmp-server contact ********

snmp-server community *****

snmp-server enable traps entity fan-failure power-supply cpu-temperature

snmp-server enable traps cpu threshold rising

snmp-server enable traps config

ssh ***.246.***.*** 255.255.255.255 INTERNET-WAN

ssh 10.0.0.0 255.255.255.0 DEFAULT

ssh 10.0.0.0 255.255.255.0 MGMT

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 5

management-access management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 87.124.126.49 source INTERNET-WAN prefer

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

inspect icmp error

class class-default

set connection decrement-ttl

policy-map STATEBYPASS-VLAN1

class STATEBYPASS-VLAN1

set connection advanced-options tcp-state-bypass

policy-map STATEBYPASS-VLAN2

class HARDWARE-class

set connection advanced-options tcp-state-bypass

policy-map STATEBTPASS-VLAN2

class STATEBTPASS-VLAN2

set connection advanced-options tcp-state-bypass

policy-map STATEBYPASS

class STATEBYPASS

set connection advanced-options tcp-state-bypass

policy-map inside-policy

class inside-inspection

inspect icmp

!

service-policy global_policy global

service-policy inside-policy interface LAN-WAN

service-policy STATEBTPASS-VLAN2 interface HARDWARE

service-policy STATEBYPASS-VLAN1 interface DEFAULT

smtp-server 10.0.0.70

prompt hostname context

call-home reporting anonymous

call-home

contact-email-addr ******

mail-server *** priority 1

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly 25

subscribe-to-alert-group configuration periodic monthly 25

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:0c49c439373af990a797464ab3a4849b

: end

Vibhor Amrodia · ‎07-28-2015

Hi,

If i understand the issue correctly , You have hosts on VLAN 1 and 2 and 100 for example.

The hosts on 1 and 2 VLAN's have the D/G as the switch. These are not going thru the ASA device for inter VLAN communication.

Now , u configure the D/G as ASA for hosts in Vlan 100 and the internet does not work.

Possibly because of the Proxy ARP issue for the Router and ASA device acting as the Layer 3 Hops in this case.

I would say best design would be to have ASA act as the Layer 3 Hop and act as the device for Inter Vlan routing as well.

Question:- I have on average in excess of 60,000 connections & an average of 600 NAT XLATES on the firewall. Is this correct ? This can only be answered by looking at the "show xlate count" and "show conn count" , "show perfmon" outputs.

3) I have on average in excess of 60,000 connections & an average of 600 NAT XLATES on the firewall. Is this correct ?

4) Possible Scan & SYN Attack rate average at 120, 35 :- This can be ignored as these stats are polled using the threat detection.

5) quite frequently I get the below messages on Log

Jul 27 2015 12:18:42 162.13.132.32 33024 10.0.2.80 56735 Teardown TCP connection 173554186 for INTERNET-WAN:162.13.132.32/33024 to DEFAULT:10.0.2.80/56735 duration 0:00:00 bytes 3604 TCP Reset-I

This would be seen if the RESET is being sent by the device on the Higher Sec Zone.

7) Getting the below messages often

Jul 27 2015 12:53:50 305006 10.0.0.97 216.58.208.46 regular translation creation failed for icmp src any:10.0.0.97 dst INTERNET-

WAN:216.58.208.46 (type 3, code 3)

4 Jul 27 2015 12:52:42 733100 [ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 10; Current average

rate is 57 per second, max configured rate is 5; Cumulative total count is 34249

4 Jul 27 2015 12:52:42 733100 [ Scanning] drop rate-2 exceeded. Current burst rate is 4 per second, max configured rate is 8; Current average

rate is 57 per second, max configured rate is 4; Cumulative total count is 207180

These should be normal as these are generated depending on the traffic rate on the ASA device.

Thanks and Regards,

Vibhor Amrodia

itops · ‎07-28-2015

Hi Vibhor,

Correct. Hosts on VLAN 1 & 2 have their gateway as layer3 switch. With this setup everything for the hosts work absolutely fine. I.e. local networks are reachable and internet is accessible.

Now keeping in mind that I have a layer3 switch which is routing traffic internally, when I add a new host on VLAN100 and assign that host a static IP address with gateway IP of the Layer3 switch, I can access all local networks i.e. hosts on VLAN1, 2 etc but I cannot access internet.

If I change the gateway address of host in VLAN100 to the firewall I can connect to the internet but then unable to connect to anything on VLAN1 or 2. The issue with connecting to local subnets can be addressed by possibly enforcing state-by on VLAN 100.

I do not want to use ASA as the gateway as it has a backplane bandwidth of 650MB and some of my applications are very chatty and thus will eat up all the bandwidth.

So question is why a host on VLAN100 is unable to connect to internet. From a routing point of view, this host has a gateway address of the switch. Switch has a default route of the firewall which has a default route of internet router.

Do you see any abnormality in the config ? I have worked with Sonicwalls, Juniper firewalls & checkpoints and not sure if I have used the right syntax.

Help much appreciated.

itops · ‎07-29-2015

Also, I am seeing these messages quite frequently

3 Jul 29 2015 16:25:50 305006 10.0.0.X 216.58.208.46 regular translation creation failed for icmp src any:10.0.0.97 dst INTERNET-WAN:216.58.208.46 (type 3, code 3)

I've done a lookup on the public IP address and all IP addresses in question are registered to Google.

Firewall - Routing Failed to locate & No Valid adjacency