Routing 3 inside networks through 3560 & ASA 5510


I have 3 inside networks that I would like to route between and also allow for outside access to the internet.

All 3 are defined on a 3560 that has a default route which points to my ASA 5510 inside interface. However, when I try to ssh from a host on the to I get this error:

Mar 03 2008 13:11:08: %ASA-4-305006: portmap translation creation failed for tcp src inside: dst inside:

and if I try to ssh from the 98 net to the 100 I get:

Mar 03 2008 13:11:47: %ASA-4-106023: Deny tcp src inside: dst inside: by access-group "inside-list-in"

I think I am missing two things but I am unsure what they are.




I believe your problem, aside from allowing the traffic needed in your inside ACL, is with routing packets back out the interface they arrived on.

It's pretty confusing but take a look at this link and you will probably be able to work it out.


Thanks for the information. I did correct my ACLs, which got rid of the denies, and I did add the corresponding statements to allow the hairpinning. However, now a connection does not initiate and I cannot see any messages in the logs, so I am not sure how I can see what is happening.

you have a 3560, why not configure ip routing on that and configure logical vlan interfaces on it? or are you applying ACLs between subnets?

Actually this is exactly what I am doing... I have 3 different subnets on the 3560. However, there is also a network where the inside interface on the ASA is and some hosts reside. So I would like hosts in for example to be able to access the network and access the internet.

on your switch, have you entered the command "ip routing"?

also, on your switch, is there a default route (NOT default gateway) that points to the inside interface IP of the firewall?

So it sounds like you should have a total of four vlan interfaces, right? with IPs of: 192.168.97.x, 192.168.98.x, 192.168.99.x, and 192.168.100.x.

The default gateways on each host in each subnet should then point to the IP address of their respective vlan interfaces on the switch.

the "ip routing" command is in the configuration.

ip route is also in the configuration.

I have 3 vlans, and ge0/1 is configured as a layer 3 port, not a switchport, with an IP of

On the ASA I have a route line:

route inside 1

add the following to your ASA:

route inside 1

route inside 1

alternatively, you could enable routing on each device:

on the switch -

router rip

version 2

no auto-summary





on the asa:

router rip

version 2

no auto-summary


Just to clarify, at this point in time I am only trying to get the network to route to or the internet. So I can see your point about needing those routes for the other VLANs... However, my issue still appears to be that host cannot get name resolution from a host and thus cannot get out to the web. If I try to ssh to the host it also times out. However, in the ASA logs I do not see any denies...

the switchport you made a layer 3 interface, undo that. make it a layer 2 interface. assign that interface to the same vlan that host is in. then create a logical vlan interface and assign it IP address

You should still have 4 vlans with each of the following subnets:





Each vlan will have a logical interface in the IP range stated above, and each logical interface should be the default gateway for each of those subnets. The firewall should be plugged into whatever vlan you've assigned the 192.168.100.x range to.


or...pretend you're starting from scratch...that might make more sense.


create 3 vlans (in addition to VLAN 1):

vlan 97

vlan 98

vlan 99

interface vlan 1

ip address

interface vlan 97

ip address

interface vlan 98

ip address

interface vlan 99

ip address

ip routing

ip route

assign switchports to respective vlans. plug the firewall into vlan 1.

192.168.x.1 should be the default gateway for hosts on each subnet.

don't forget routing between the asa and each subnet, done as described in one of my previous posts using either RIP or static routes.

I did try that, however no go.

I believe my issue might be that I have version 7.0(6) and I need 7.2 for hairpinning to be supported...

you don't need hairpinning.

all routing would be done on the 3560. the asa only needs to know how to get to each subnet, not route between them.

can you post your configs for the switch and asa?

Actually once you pointed out that the 3560 would be doing all the routing it finally clicked... Things are now working.

Now I just need to allow my 99, 98, 97 networks access over our VPN tunnel to another site....

thanks for the help
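To triage the two ASA messages quoted at the top of the thread, here is a small Python log parser added as an example; it is not from the original posts or from Cisco. It classifies %ASA-4-305006 lines whose source and destination share an interface as hairpin attempts (the case the thread resolves by routing on the 3560) and %ASA-4-106023 lines as ACL denies; the sample log lines and addresses in it are constructed.

```python
import re

# Regexes for the two ASA syslog message types quoted in the thread; the field
# layout follows Cisco's %ASA-4-305006 and %ASA-4-106023 formats.
_ADDR = r"(?P<{p}_if>\w+):(?P<{p}>[\d.]+)/(?P<{p}_port>\d+)"
_PATTERNS = {
    "305006": re.compile(
        r"%ASA-4-305006: portmap translation creation failed for (?P<proto>\w+)"
        r" src " + _ADDR.format(p="src") + r" dst " + _ADDR.format(p="dst")),
    "106023": re.compile(
        r"%ASA-4-106023: Deny (?P<proto>\w+) src " + _ADDR.format(p="src")
        + r" dst " + _ADDR.format(p="dst") + r' by access-group "(?P<acl>[^"]+)"'),
}

def parse_asa_line(line):
    """Return the parsed fields of a 305006/106023 line, else None."""
    for msg_id, rx in _PATTERNS.items():
        m = rx.search(line)  # timestamp prefix and trailing fields are ignored
        if m:
            ev = m.groupdict()  # proto, src_if, src, src_port, dst_if, dst, ...
            ev["msg_id"] = msg_id
            ev["dst_port"] = int(ev["dst_port"])
            return ev
    return None

def diagnose(ev):
    """Map a parsed event to the cause the thread worked through."""
    if ev["msg_id"] == "106023":
        return "acl-deny:" + ev["acl"]  # inbound access-group dropped the flow
    if ev["src_if"] == ev["dst_if"]:
        # Ingress == egress interface: the ASA is being asked to hairpin between
        # two inside subnets, routing that the L3 switch should do itself.
        return "hairpin"
    return "no-translation"  # cross-interface flow with no matching NAT rule

def triage(lines):
    """Count diagnoses over a log excerpt; lines of other types are skipped."""
    counts = {}
    for ev in filter(None, map(parse_asa_line, lines)):
        key = diagnose(ev)
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample excerpt; the addresses are made up for this example.
SAMPLE_LOG = [
    "Mar 03 2008 13:11:08: %ASA-4-305006: portmap translation creation failed"
    " for tcp src inside:192.168.100.20/40000 dst inside:192.168.99.10/22",
    "Mar 03 2008 13:11:47: %ASA-4-106023: Deny tcp src inside:192.168.98.20/40001"
    ' dst inside:192.168.100.10/22 by access-group "inside-list-in" [0x0, 0x0]',
    "Mar 03 2008 13:12:01: %ASA-6-302013: Built outbound TCP connection 5 ...",
]
```

Running `triage(SAMPLE_LOG)` on the constructed excerpt yields one hairpin and one ACL deny, which is exactly the pair of symptoms the original poster saw.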
