crash0verride
Beginner

Routing problem with ASA5505

Hi All,

I have a problem with 2 ASA5505 that have, in the middle, 1 3750.

The scenario is:

ASA5505-A, network inside 192.168.1.0/24 connected to Giga1/0/XX of 3750 that was on VLAN350.

ASA5505-B, network inside 192.168.2.0/24 connected to Giga1/0/XY of 3750 that was on VLAN101.

Giga1/0/XX belongs to vlan101, int vlan 101 on 3750 has ip address 192.168.2.2.

Giga1/0/XY belongs to vlan350, int vlan 350 on 3750 has ip address 192.168.1.11.

ASA5505-A has this static route:

S    192.168.2.0 255.255.255.0 [1/0] via 192.168.1.11, inside

ASA5505-B has this static route:

S    192.168.1.0 255.255.255.0 [1/0] via 192.168.2.2, inside

Both ASA5505 have

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

in the running configuration, plus NAT exemption. With packet-tracer all seems to work fine, but if I try to ping from 192.168.2.x to 192.168.1.y I see this in my log:

Jun 20 2013 18:02:58: %ASA-4-313004: Denied ICMP type=0, from laddr 192.168.1.y on interface inside to 192.168.2.x: no matching session

I have also tried to use tcp-state-bypass, without any effect.

If I put a static route directly on the servers, all works fine.

Any idea/suggestions?

Thanks
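
For triaging the %ASA-4-313004 message quoted in the question, here is an added example (not part of the original post) that groups denied ICMP echo replies by host pair, which shows which flows reach this ASA in the reply direction only. The sample log lines, their addresses and the function names are constructed for the example.

```python
import re
from collections import Counter

# Field layout follows the %ASA-4-313004 line quoted in the question.
DENY_RE = re.compile(
    r"%ASA-4-313004: Denied ICMP type=(?P<type>\d+), from laddr (?P<src>\S+) "
    r"on interface (?P<ifc>\S+) to (?P<dst>\S+): no matching session"
)
ECHO_REPLY = 0  # ICMP type 0 = echo reply (type 8 = echo request)

# Constructed sample log; hosts and timestamps are made up for this example.
SAMPLE_LOG = [
    "Jun 20 2013 18:02:58: %ASA-4-313004: Denied ICMP type=0, from laddr 192.168.1.20 on interface inside to 192.168.2.30: no matching session",
    "Jun 20 2013 18:02:59: %ASA-4-313004: Denied ICMP type=0, from laddr 192.168.1.20 on interface inside to 192.168.2.30: no matching session",
    "Jun 20 2013 18:03:04: %ASA-4-313004: Denied ICMP type=0, from laddr 192.168.1.21 on interface inside to 192.168.2.30: no matching session",
    "Jun 20 2013 18:03:05: %ASA-4-313004: Denied ICMP type=3, from laddr 192.168.1.20 on interface inside to 192.168.2.30: no matching session",
    "Jun 20 2013 18:03:06: %ASA-5-111008: User 'admin' executed the 'show route' command.",
]

def parse_313004(line):
    """Return (icmp_type, src, interface, dst), or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return int(m["type"]), m["src"], m["ifc"], m["dst"]

def orphan_echo_replies(lines):
    """Count denied echo replies per (replying host, pinging host, interface).

    A denied type=0 means this ASA received the reply but holds no session
    created by a matching echo request, so it only sees the return direction.
    """
    hits = Counter()
    for line in lines:
        rec = parse_313004(line)
        if rec and rec[0] == ECHO_REPLY:
            _, src, ifc, dst = rec
            hits[(src, dst, ifc)] += 1
    return hits

if __name__ == "__main__":
    for (src, dst, ifc), n in orphan_echo_replies(SAMPLE_LOG).most_common():
        print(f"{n} echo replies {src} -> {dst} denied on {ifc}: "
              f"this ASA has no session for a request from {dst}")
```
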


3 REPLIES
Simon Brooks
Beginner

The IP addresses on your switch don't match up to the VLAN interfaces???



Mohammad Ali
Frequent Contributor

You need to fix the IPs on your switch like mentioned above, as they don't match with what you've got on the firewall. I think you have your ports swapped by mistake.

Also, once you fix that, you might have to add the "icmp permit any inside" command.

You are right, I made a mistake when I wrote my first post.

Now the scenario is correct.