672 Views | 5 Helpful | 3 Replies

Asymmetric routing through the same ASA FW

mikepro (Level 1)

Hi,

I'm trying to achieve asymmetric routing through the same ASA FW.
I have 3 interfaces on the FW: 2 internal and 1 external.
I want the traffic from inside to be able to go outside and come back, but NOT go back through the internal interface it came from; instead I want it to go back through the OTHER internal interface (the one that has routing to the source IP/traffic initiator).
Also, I don't want the traffic from inside to be able to go straight through to the other internal interface.

I thought that using the same security level on both internal interfaces, the "same-security-traffic permit inter-interface" setting, plus having routing back to the source IP/traffic initiator ONLY through the OTHER internal interface would do the job, but sadly it doesn't...
The traffic tries to go back through the internal interface it came from, even without a route to support it...

FYI, I have no ACL whatsoever applied to any of the interfaces.

KR

3 Replies

balaji.bandi (Hall of Fame)

By nature of the FW, by default it will not allow a spoofed connection where the traffic did not originate from the same interface.

Look at the example below if you are looking to allow asymmetric routing:

https://matthewjwhite.co.uk/2012/02/13/asymmetric-routing-with-cisco-asa-firewalls/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
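The ASA feature normally used to let an asymmetric TCP flow through is TCP state bypass, configured through the Modular Policy Framework. The configuration below is an added example written for this thread; it is not from the reply above or from the linked article, and the interface names, addresses and the 192.168.10.0/24 initiator subnet are assumed because the original post names none. The important point from a security standpoint is the access list: traffic matching it is no longer subject to the ASA's TCP SYN and state checks, so the match should cover exactly the asymmetric flow and nothing else, never "any any".

```cisco
! Assumed interface layout (the post gives no names or addresses).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside_a
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside_b
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! Equal security levels plus this command allow the two inside
! interfaces to talk at all (the poster already has this in place).
same-security-traffic permit inter-interface
!
! Assumed initiator subnet; the only route back to it is via inside_b.
route inside_b 192.168.10.0 255.255.255.0 10.2.2.254 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Scope the bypass to the one asymmetric flow. Everything matched here
! loses TCP state inspection, so keep the match as narrow as possible.
access-list ASYM_BYPASS extended permit tcp 192.168.10.0 255.255.255.0 any
!
class-map ASYM_BYPASS_CM
 match access-list ASYM_BYPASS
!
policy-map ASYM_BYPASS_PM
 class ASYM_BYPASS_CM
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the forward-direction packets arrive.
service-policy ASYM_BYPASS_PM interface inside_a
```

After applying it, `show conn detail` shows the matching connections with a `b` flag (TCP state bypass), which is a quick way to confirm the policy is hitting only the intended flow. Whether the existing connection entry still steers return packets out `inside_a` on a single ASA, as the original poster observes, is a separate question that this thread does not settle; the bypass removes the state check that would otherwise drop the return traffic, it does not rewrite the forwarding decision.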

Thanks Balaji!

I'll have a look.

Asymmetric traffic is an issue; we don't want it in the FW. Why do you want to make the return traffic go to the other IN?
Can you explain more?