06-20-2013 09:05 AM - edited 03-07-2019 01:59 PM
Hi All,
I have a problem with 2 ASA5505 that have, in the middle, 1 3750.
The scenario is:
ASA5505-A, network inside 192.168.1.0/24 connected to Giga1/0/XX of 3750 that was on VLAN350.
ASA5505-B, network inside 192.168.2.0/24 connected to Giga1/0/XY of 3750 that was on VLAN101.
Giga1/0/XX belongs to VLAN 101; int vlan 101 on the 3750 has IP address 192.168.2.2.
Giga1/0/XY belongs to VLAN 350; int vlan 350 on the 3750 has IP address 192.168.1.11.
ASA5505-A has this static route:
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.1.11, inside
ASA5505-B has this static route:
S 192.168.1.0 255.255.255.0 [1/0] via 192.168.2.2, inside
Both ASA5505s have
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
in the running configuration, plus NAT exemption. With packet-tracer all seems to work fine, but if I try to ping from 192.168.2.x to 192.168.1.y I see this in my log:
Jun 20 2013 18:02:58: %ASA-4-313004: Denied ICMP type=0, from laddr 192.168.1.y on interface inside to 192.168.2.x: no matching session
I have tried to use also tcp-state-bypass without any effect.
If I put static route directly on servers all works fine.
Any idea/suggestions?
Thanks
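As an added example (not from this thread or from Cisco), a small Python parser for the %ASA-4-313004 line quoted above: it flags return-direction ICMP messages that the ASA dropped for lacking a session, which is the sign that the ASA never saw the outbound request because the forward path bypassed it. The sample log lines, the .10/.20 host addresses and the function names are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log (not from the thread); .10/.20 stand in for the OP's x/y hosts.
SAMPLE_LOG = [
    "Jun 20 2013 18:02:58: %ASA-4-313004: Denied ICMP type=0, from laddr 192.168.1.20 on interface inside to 192.168.2.10: no matching session",
    "Jun 20 2013 18:02:59: %ASA-4-313004: Denied ICMP type=0, from laddr 192.168.1.20 on interface inside to 192.168.2.10: no matching session",
    "Jun 20 2013 18:03:00: %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.20/0 gaddr 192.168.2.10/1 laddr 192.168.2.10/1",
    "Jun 20 2013 18:03:01: %ASA-4-313004: Denied ICMP type=8, from laddr 192.168.2.10 on interface inside to 192.168.1.20: no matching session",
]

# Field layout of %ASA-4-313004 as quoted in the thread; "laddr" is optional because
# some ASA releases omit that word.
ASA_313004 = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-313004: "
    r"Denied ICMP type=(?P<icmp_type>\d+), from (?:laddr )?(?P<src>\S+) "
    r"on interface (?P<iface>\S+) to (?P<dst>\S+): (?P<reason>no matching session)$"
)

# ICMP types that only travel back toward an originator; one arriving without a
# session means this ASA never saw the packet that provoked it.
RETURN_TYPES = {0: "echo-reply", 3: "unreachable", 11: "time-exceeded"}


def parse_313004(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a %ASA-4-313004 line, or None for any other message."""
    m = ASA_313004.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["icmp_type"] = int(m.group("icmp_type"))
    return rec


def asymmetric_return_drops(lines: List[str]) -> Counter:
    """Count (src, dst, interface) triples whose return-direction ICMP was dropped
    for lacking a session, i.e. flows whose forward path bypassed this ASA."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_313004(line)
        if rec and rec["icmp_type"] in RETURN_TYPES:
            hits[(rec["src"], rec["dst"], rec["iface"])] += 1
    return hits


def report(lines: List[str]) -> List[str]:
    """One summary line per host pair: reply source, intended destination, drop count."""
    return [f"{src} -> {dst} on {iface}: {n} sessionless {RETURN_TYPES[0]}/error drop(s); "
            f"check which gateway {dst} uses for its forward path"
            for (src, dst, iface), n in asymmetric_return_drops(lines).most_common()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The echo-request (type=8) line is parsed but not counted, since a dropped request is a policy or routing question rather than an asymmetry signature.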
06-20-2013 11:48 AM
The IP addresses on your switch don't match up to the VLAN interfaces???
Sent from Cisco Technical Support Android App
06-20-2013 02:33 PM
You need to fix the IPs on your switch as mentioned above, as they don't match what you have on the firewall. I think you have your ports swapped by mistake.
Also once you fix that you might have to add "icmp permit any inside" command.
06-21-2013 02:57 AM
You are right, I made a mistake when I wrote my first post.
Now the scenario is correct.