ASA 5520 Static Routing

ChiCityCisco · ‎02-19-2013

I have 2 ASA's located in different offices. We are switching to a new fiber connection with an MPLS setup. I have begin testing, but I'm stuck trying to create a static route between the ASA's via the mpls connection.

Asa Corp

IP(inside): 192.168.1.254

MPLS IP interface : 192.168.1.252

static route command : route inside 192.168.2.0 255.255.255.0 192.168.1.252

ASA Colo

IP(inside): 192.168.2.254

MPLS IP interface: 192.168.2.252

static route command: route inside 192.168.1.0 255.255.255.0 192.168.2.252

when i traceroute or ping to one asa to the other, i get good replies. When I try the same command to servers/devices on the inside of asa to another the packets drop with an error that there is no matching session. I can packet trace from inside IP of one interface to the IP of a device to the other side using the ASA and get good checks throughout.

anything that I'm missing with regard to the firewall/nat rules that i should look at. or is the ASA not capable of routing packets this way. Attached is a crappy drawing of the layout.

jawad-mukhtar · ‎02-19-2013

Please Use Debug to Trace Problem.

If u get any message do share.

Jawad

johnnylingo · ‎02-19-2013

I can't pull up your diagram, but "No matching connection" would indicate an assymetric routing issue. In other words, the ASA is receiving return traffic, but not the original flow.

What is the default gateway for the clients? You'll probably need to either set the default gateway as the MPLS router, or bring up a separate interface on the ASA to do the MPLS routing and ensure the flow is symmetric. It all depends on if you want the ASA to process traffic that goes over the MPLS cloud.