Same VLAN Traffic Blocking

shinumathew123
Level 1

Hi Friends,

I have a Cisco ASA 5545-X firewall. I have configured all the VLANs in the firewall. When we try to connect to a server in the same VLAN (any TCP or UDP port), the traffic is coming to the firewall and getting blocked. I have already enabled same-security intra-interface.

 

Please help me to resolve this issue.

 

Regards,

Mathew

 

14 Replies

Rishabh Seth
Level 7

Hi,

 

Can you explain the network setup and provide details about the required traffic flow in your network?

Also, let us know whether the machine from which you are trying to connect to the server is in the same VLAN or a different one.

 

Share your findings,

 

Thanks,

R.Seth

Hi Seth,

Yes. The servers are in the same VLAN.

1. Created all the VLANs in the firewall

2. Created sub-interfaces

3. The servers' gateway is the sub-interface IP address

Server A (10.10.10.100) is trying to connect to Server B (10.10.10.101).

Attached the diagram for better understanding. I have already enabled same-security intra-interface.

Regards,

Mathew

 

Hi Mathew,

 

I understand that the servers are in the same VLAN and you have permitted intra-interface traffic.

But are the clients also in the same VLAN?

>> If you are trying to test connectivity between server A and server B, then the ASA will not come into the picture, as the two servers are in the same subnet, so they will communicate directly.

>> If the client is behind a different interface, then you should check the ACLs and permit the traffic.

>> If the ASA is doing inter-VLAN routing (like router-on-a-stick), then enable inter-interface traffic as well.

 

Let us know if this helps.

 

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!

 

Hi Seth,

Yes. Right. Both are in the same VLAN. The traffic won't come to the firewall. It's very weird. I am seeing the traffic in the firewall. Is it something related to hairpinning? Need to add some NAT here.

I'm just confused.

 

Regards,

Matt

As you mentioned "hair-pinning", can you explain the required traffic flow in your setup?

Explain with an example so that we can easily understand the requirement and help you in implementing it.

 

Thanks,

R.Seth

One more thing. As you said, if both are in the same network, traffic won't go to the firewall. I have checked the ARP table in the switch. There are no ARP entries. All the ARP entries are in the firewall only.

See this video for hairpinning:

https://www.youtube.com/watch?v=wjEfdfI0BqY

 

Regards,

Matt

Hi Matt,

 

Are you trying to access the server on its public IP or on its private IP?

If it's the public IP, then the ASA will be processing the traffic; otherwise the client will directly contact the server on its private IP.

In case you are using the public IP, then check your NAT rule on the ASA.

Also, you should check the ARP table on the end clients and not the switch. On the switch you can check the MAC address table.

 

Thanks,

R.Seth

Hi Seth,

I have already explained the traffic flow. Both servers are in the same network. I am trying to access internally, and both are connected to the same switch. No other client.

 

Regards,

Matt

Hi Matt,

 

If you are trying to access server A from server B on its internal IP, then you should be able to reach the application without passing through the ASA.

>> Try to check reachability by pinging the devices.

>> If you have reachability, then check if there is any firewall setting that might be blocking the traffic.

>> Also check the ARP on the client and server and confirm you see the correct MAC-IP mapping.

 

Hope it helps.

 

Thanks,

R.Seth
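A check for the ARP symptom Seth is asking about, added here as an example (not code from the thread or from Cisco): it parses `arp -a` output from a host on the VLAN and flags any peer IP that resolves to the gateway's MAC, which is what you would see if the ASA were answering ARP (proxy ARP) for the other server and so pulling the "local" traffic through itself. The gateway IP and all MAC addresses are constructed sample values.

```python
import re

# Constructed sample values: the ASA sub-interface IP is assumed (the thread
# does not give it); the MACs are made up.
GATEWAY_IP = "10.10.10.1"

# Linux `arp -a` style output as seen on Server A (10.10.10.100): Server B's IP
# resolves to the same MAC as the gateway, i.e. the firewall answered the ARP.
ARP_SUSPECT = """\
? (10.10.10.1) at 00:11:22:aa:bb:01 [ether] on eth0
? (10.10.10.101) at 00:11:22:aa:bb:01 [ether] on eth0
"""

# Windows `arp -a` style output for the healthy case: Server B has its own MAC.
ARP_HEALTHY = """\
  10.10.10.1            00-11-22-aa-bb-01     dynamic
  10.10.10.101          00-11-22-cc-dd-02     dynamic
"""

# Matches both "? (ip) at mac" (Linux) and "ip   mac" (Windows) layouts.
ARP_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
)


def parse_arp(text):
    """Return {ip: mac} with MACs normalised to lowercase, colon-separated."""
    return {
        m.group("ip"): m.group("mac").lower().replace("-", ":")
        for m in ARP_RE.finditer(text)
    }


def proxy_arp_suspects(arp_table, gateway_ip):
    """Return peer IPs whose MAC equals the gateway's MAC. On a flat VLAN each
    host should resolve to its own NIC; a peer sharing the gateway MAC means the
    firewall is proxy-ARPing for it and will see (and can filter) the traffic."""
    gw_mac = arp_table.get(gateway_ip)
    if gw_mac is None:
        return []  # no gateway entry learned yet; nothing to compare against
    return sorted(ip for ip, mac in arp_table.items()
                  if ip != gateway_ip and mac == gw_mac)


if __name__ == "__main__":
    for label, text in (("suspect", ARP_SUSPECT), ("healthy", ARP_HEALTHY)):
        hits = proxy_arp_suspects(parse_arp(text), GATEWAY_IP)
        print(f"{label}: {hits or 'every peer has its own MAC'}")
```

Run it on both servers after a ping; a non-empty result for the peer's IP points at ARP being answered by the firewall rather than at an ACL problem.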

Yes. The funny part is that the first ping got filtered, and those packets reached the firewall. The rest of the packets are passing, and if I allow the ports in the firewall it works. But why are the packets coming to the firewall? That's my concern.

Regards,

Matt


Do you have any static NAT configured on the ASA for the internal subnet IP?

If yes, then try to edit the NAT and apply no-proxy-arp in that NAT rule and check if it helps.

 

Thanks,

R.Seth

No. I do not have any static NAT configured.

Are you using an IP address or a domain name to access the web server?

If it is a domain name, check the DNS resolution: is it a public IP or a private IP?

As you have described the setup, the traffic should not come to the ASA unless you are using a public IP.

Thanks,

R.Seth

No. They are application servers. There is no public IP address in the picture.