Re:Routing problem with ASA5505

crash0verride · ‎06-20-2013

Hi All,

I have a problem with 2 ASA5505 that have, in the middle, 1 3750.

The scenario is:

ASA5505-A, network inside 192.168.1.0/24 connected to Giga1/0/XX of 3750 that was on VLAN350.

ASA5505-B, network inside 192.168.2.0/24 connected to Giga1/0/XY of 3750 that was on VLAN101.

Giga1/0/XX belong to vlan101, int vlan 101 on 3750 has ip address 192.168.2.2.

Giga1/0/XY belong to vlan350, int vlan 350 on 3750 has ip address 192.168.1.11.

ASA5505-A has this static route:

S 192.168.2.0 255.255.255.0 [1/0] via 192.168.1.11, inside

ASA5505-B has this static route:

S 192.168.1.0 255.255.255.0 [1/0] via 192.168.2.2, inside

Both ASA5505 have

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

in running-configuration and nat exempt. With packet-tracer all seems to work fine, but if I try to ping from 192.168.2.x 192.168.1.y I see this in my log:

Jun 20 2013 18:02:58: %ASA-4-313004: Denied ICMP type=0, from laddr 192.168.1.y on interface inside to 192.168.2.x: no matching session

I have tried to use also tcp-state-bypass without any effect.

If I put static route directly on servers all works fine.

Any idea/suggestions?

Thanks

Simon Brooks · ‎06-20-2013

The ip addreses on your switch dont match up to the vlan interfaces???

Sent from Cisco Technical Support Android App

ALIAOF_ · ‎06-20-2013

You need to fix the IP's like mentioned above on your switch as they don't match with what you got on the firewall I think you have your ports swapped by mistake.

Also once you fix that you might have to add "icmp permit any inside" command.

crash0verride · ‎06-21-2013

You are right, I commit a mistake when I wrote my first post.

Now the scenario is correct.