ASA5512X DMZ traffic default route

abclabsmo
Level 1

I am working on moving from our ASA5510 to an ASA5512 and am rebuilding the config from scratch as a clean-up. When I put the 5512 into prod we have a problem with our Sophos Proxy appliance in the DMZ. It cannot get out to the internet; however, users can get to it just fine from the inside and outside. It has one foot in the DMZ (NAT'd) and one foot on the trusted network.

 

If I look at the ASA logs I see the traffic from the Sophos DMZ link going to outside IPs, but it is hitting the Inside interface, not the outside interface! The default route on the ASA points to the outside and everything else seems to work just fine. If I look at the default route on the Sophos appliance it shows as pointing to the IP address of the DMZ interface on the ASA.

Put back the 5510 and everything works just fine...

Anyone ever seen this before? What in the world am I missing?


2 Replies

Marvin Rhoads
Hall of Fame

The picture you attached shows traffic from DMZ host 192.168.1.150 going to several hosts whose route is via the INSIDE interface according to the ASA's route lookup.

Are the routing commands on the 5512 the same as those on the 5510?
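The route-lookup point made in the reply above, as an added example that is not part of the thread and not Cisco's code: a minimal longest-prefix-match lookup in Python over two constructed route tables, plus a helper that reports which destinations change egress interface between the "old" and "rebuilt" tables. The addresses come from the RFC 5737 test ranges and the mis-typed static route (a 255.0.0.0 mask where 255.255.0.0 was meant) is an assumed illustration, not something the original poster reported. It shows how a single over-broad static route toward the inside interface captures internet-bound traffic even though the default route still points outside, which is exactly the symptom the ASA logs in this thread would show.

```python
"""Longest-prefix-match route lookup, the way a router/firewall picks an egress interface.

Constructed example: route tables and destinations below are made up for
illustration (RFC 5737 test addresses); they are not from the original post.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


def parse_routes(text):
    """Parse 'prefix next_hop interface' lines.

    This is a simplified constructed format, not ASA 'route' syntax.
    '#' starts a comment; blank lines are ignored.
    """
    routes = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, next_hop, interface = line.split()
        routes.append(Route(ipaddress.ip_network(prefix, strict=False), next_hop, interface))
    return routes


def lookup(routes, dst):
    """Return the most specific route covering dst (longest prefix wins).

    With equal prefix lengths the first listed route wins; a default route
    (0.0.0.0/0) only applies when nothing more specific matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def egress_diff(old_routes, new_routes, destinations):
    """Map each destination whose egress interface changed to (old_iface, new_iface)."""
    diffs = {}
    for dst in destinations:
        old = lookup(old_routes, dst)
        new = lookup(new_routes, dst)
        old_iface = old.interface if old else None
        new_iface = new.interface if new else None
        if old_iface != new_iface:
            diffs[dst] = (old_iface, new_iface)
    return diffs


# Constructed "working" table: connected networks plus a default route outside
# and one summary route for the trusted side via inside.
OLD_TABLE = """
203.0.113.0/24   0.0.0.0        outside   # connected
192.168.10.0/24  0.0.0.0        inside    # connected
192.168.1.0/24   0.0.0.0        dmz       # connected (DMZ host 192.168.1.150 lives here)
0.0.0.0/0        203.0.113.1    outside   # default route
10.0.0.0/8       192.168.10.2   inside    # internal summary
"""

# Constructed "rebuilt" table: identical except the last static route was
# re-typed with mask 255.0.0.0 instead of 255.255.0.0 (assumed typo).
NEW_TABLE = """
203.0.113.0/24   0.0.0.0        outside
192.168.10.0/24  0.0.0.0        inside
192.168.1.0/24   0.0.0.0        dmz
0.0.0.0/0        203.0.113.1    outside
10.0.0.0/8       192.168.10.2   inside
192.0.0.0/8      192.168.10.2   inside    # meant to be 192.168.0.0/16
"""

# Constructed internet destinations a DMZ proxy might contact.
DESTINATIONS = ["192.0.2.10", "198.51.100.7", "10.20.30.40"]


def changed_egress():
    """Destinations whose egress interface differs between the two tables."""
    return egress_diff(parse_routes(OLD_TABLE), parse_routes(NEW_TABLE), DESTINATIONS)


if __name__ == "__main__":
    new = parse_routes(NEW_TABLE)
    for dst in DESTINATIONS:
        r = lookup(new, dst)
        print(f"{dst:>14} -> {r.interface:8} via {r.prefix}")
    print("changed:", changed_egress())
```

Only 192.0.2.10 flips from outside to inside; the /8 typo is more specific than the default route, so the default route "pointing outside" is irrelevant for that destination. On the appliance itself the equivalent checks are `show route` (to read the table) and `packet-tracer input dmz tcp 192.168.1.150 12345 <destination> 443` (to see which route and interface the ASA picks for a specific flow), and diffing the `route` lines of both configs is the quickest way to answer the question posed above.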

 

Hi.

 

Finally getting back to this after getting other projects under control and am going to try and get this in prod this weekend.

Yes. The routing is identical.

I opened a case with TAC this morning hoping they can see the problem.

 
