Routing Issue between 3560 Switch & ASA5515

I have 3560 switches acting in L3 mode. There are multiple VLAN interfaces defined on it. The switch has the ASA as its default gateway. Clients use their respective VLAN interfaces as their default gateway. The user VLAN is the inside interface on the ASA, with the ASA being their default gateway. The issue is that clients which have the ASA as their default gateway are not able to communicate with VLANs on the switch. ICMP works but no TCP traffic is being passed. For example, I can ping a host 10.10.16.45 from 192.168.1.187 but I cannot access a web page on 10.10.16.45 from 192.168.1.187. Please help.

ASA Config

interface GigabitEthernet0/2
description LAN
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

route inside 10.10.16.0 255.255.255.0 192.168.1.33 1
route inside 10.10.21.0 255.255.255.0 192.168.1.33 1
route inside 10.50.0.0 255.255.0.0 192.168.1.34 1

3560 Switch Config

interface Vlan16
description Management interface
ip address 10.10.16.2 255.255.255.0
ip helper-address 192.168.1.3
standby ip 10.10.16.1
standby priority 110
standby preempt
!

ip route 0.0.0.0 0.0.0.0 192.168.1.1


Jon Marshall
Hall of Fame

The issue is that the 3560 has an interface in 192.168.1.x, so it sends return traffic directly to the clients, i.e. the ASA is only seeing one-way traffic from a 192.168.1.x client, and the return traffic is not seen.

Do you need to firewall the 192.168.1.x clients from the other VLANs/IP subnets on the switch?

If not, change the clients' default gateway to the 192.168.1.x IP on the switch.

If you do, you need to use another interface on your ASA, or subinterfaces.

Another alternative is to turn off stateful firewalling for that traffic, but if you don't need firewalling it is easier to just change the default gateway.

Jon
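To illustrate Jon's point that the ASA only sees one direction of the TCP exchange, here is an added Python model (not code from the thread or from Cisco) using the addresses from the question; the firewall class, the tcp_state_bypass switch and the handshake/ping functions are hypothetical simplifications of ASA behaviour, showing why ping succeeds while a TCP connection never completes.

```python
# Added example (not from the thread): toy model of the asymmetric path Jon describes.
# Forward packets travel client -> ASA -> switch -> host; return packets travel
# host -> switch -> client directly, because the switch owns an interface in
# 192.168.1.0/24. The firewall model tracks TCP state like the ASA does and drops an
# ACK for a connection it never saw complete. ICMP is modelled as stateless (ASA
# default without icmp inspection), so a reply that bypasses the ASA still works.
CLIENT, HOST = "192.168.1.187", "10.10.16.45"  # addresses from the question

class StatefulFirewall:
    """Minimal TCP tracker: SYN -> SYN_SENT, SYN-ACK from the peer -> ESTABLISHED."""

    def __init__(self, tcp_state_bypass=False):
        self.conns = {}          # (addr_a, addr_b) -> (state, initiator)
        self.bypass = tcp_state_bypass  # models "turning off stateful firewalling"
        self.drops = []          # messages in the spirit of ASA syslog 106015

    def forward(self, pkt):
        """Return True if the packet is passed, False if it is dropped."""
        src, dst, flags = pkt["src"], pkt["dst"], pkt["flags"]
        if pkt["proto"] == "icmp" or self.bypass:
            return True
        key = tuple(sorted((src, dst)))  # same key for both directions
        state = self.conns.get(key)
        if flags == "SYN":
            self.conns[key] = ("SYN_SENT", src)
            return True
        if flags == "SYN-ACK" and state and state[0] == "SYN_SENT" and src != state[1]:
            self.conns[key] = ("ESTABLISHED", state[1])
            return True
        if flags == "ACK" and state and state[0] == "ESTABLISHED":
            return True
        self.drops.append(f"Deny TCP (no connection) from {src} to {dst} flags {flags}")
        return False

def handshake(asa, asymmetric):
    """Client->host 3-way handshake; True if the client ends up connected.
    With asymmetric=True the host's SYN-ACK reaches the client without crossing the ASA."""
    segments = [(CLIENT, HOST, "SYN"), (HOST, CLIENT, "SYN-ACK"), (CLIENT, HOST, "ACK")]
    for src, dst, flags in segments:
        if asymmetric and src == HOST:
            continue  # switch delivers it straight to the client; the ASA never sees it
        if not asa.forward({"proto": "tcp", "src": src, "dst": dst, "flags": flags}):
            return False
    return True

def ping(asa, asymmetric):
    """Echo request crosses the ASA; the echo reply may bypass it. Either way it arrives."""
    if not asa.forward({"proto": "icmp", "src": CLIENT, "dst": HOST, "flags": None}):
        return False
    return True if asymmetric else asa.forward({"proto": "icmp", "src": HOST, "dst": CLIENT, "flags": None})
```

Running handshake() with asymmetric=True leaves a "Deny TCP (no connection) ... flags ACK" entry in drops, which is the same symptom to look for in the real ASA's syslog when diagnosing this topology.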