I haven't added to my network in a while, so I might be a bit rusty on LAN connectivity troubleshooting.
I have an ASA55xx that will be the L3 core of a new network infrastructure; the VLANs defined on the edge switches will trunk to a DMZ interface on the ASA and subinterfaces will route internally. My old network will connect via a "transit" DMZ interface and the outside interface will be configured as is typical.
My problem is that I only have 1-way connectivity between an ASA subinterface and my old network; a simple diagram is:
Servers -> subinterface (10.10.200.1) -> DMZ interface -> [ASA55xx] -> transit interface ->  -> L3 VLAN (10.10.3.1) -> My workstation
I can ping from the ASA to my workstation at 10.10.3.x, but I cannot ping the subinterface 10.10.200.1 from my workstation.
I suspect that it might be a NAT issue, but configuring NAT bypass did nothing.
Partial ASA config:
ip address xx.xx.xx.xx yy.yy.yy.yy
no ip address
ip address 10.10.162.1 255.255.255.0
ip address 10.10.179.254 255.255.255.0
no ip address
ip address 10.10.200.1 255.255.255.0
ip address 10.10.250.1 255.255.255.240
access-list transit-nat-bypass extended permit ip 10.10.162.0 255.255.255.0 interface transit
global (outside) 1 interface
nat (transit) 0 0.0.0.0 0.0.0.0
nat (inside162) 0 access-list transit-nat-bypass
nat (inside162) 1 10.10.162.0 255.255.255.0
nat (dmz200) 1 10.10.200.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx
route transit 10.10.3.0 255.255.255.0 10.10.250.12 1
route inside179 10.10.179.0 255.255.255.0 10.10.179.1 1
I can provide Cat6500 config lines also, but I don't think that the issue lies there.
Any opinions will be welcomed.
Thanks for your reply;
No, I cannot ping the ASA from the 6506; however, the ASA can ping the 6506 and my workstation beyond. I also noted that the ASA doesn't show up in a 'show cdp neighbors' on the 6506.
Can you check and see if the 6500 has a static route towards the firewall (10.10.200.0/24)?
If not, add it and test again.
You can ping the 6506 from the ASA; do you have any management interface / other interface between the ASA and 6506 that may explain why you can ping the 6506?
Can you run the command 'sh int ip brief' on the ASA to check if the interfaces are up?
The only interface that connects my old network to the new one is the 'transit' interface; the output of the command is:
ASA1# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/2 unassigned YES unset up up
Ethernet0/2.188 10.10.188.1 YES CONFIG up up
Ethernet0/2.200 10.10.200.1 YES manual up up
From the 6506, can you ping 10.10.250.1?
Do you have any ACLs? By default a higher security level can access a lower security level. If I remember correctly, for ICMP you need to specifically allow it, or you need to do some inspection on ICMP.
If not, try testing on L2 (this will avoid any ACLs / security zones you may have).
To test at L2, configure VLAN ID 200 on the 6506 and plug a laptop into a port in VLAN 200 using an IP address in 10.10.200.x.
I hope this helps.
You should try to ping servers instead as DMZ interface's security level normally doesn't allow pinging.
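Pulling together the checks suggested in the replies (a return route on the 6506 and ICMP handling on the ASA), as an added illustration that is not part of the original thread. It uses the addresses from the posted config and the pre-8.3 ASA NAT syntax used there; the ACL name transit_in, the assumption that transit has a lower security level than dmz200, and the test target are mine. The ASA only answers ICMP sent to the interface the traffic arrives on, so the test should go to a server in 10.10.200.x rather than to 10.10.200.1 itself.

```text
! --- Cat6506 (L3 core of the old network), transit VLAN side ---
! Return route for the new 10.10.200.0/24 segment, pointing at the ASA's
! transit address (10.10.250.1). Without it, echo requests can reach the
! servers but the replies have no path back, which looks like 1-way traffic.
ip route 10.10.200.0 255.255.255.0 10.10.250.1

! --- ASA, pre-8.3 syntax as in the posted config ---
! Enable ICMP inspection so echo replies are matched to their requests and
! allowed back through, whatever the security levels of the two interfaces.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! Assumption: transit is a lower security level than dmz200, so an inbound
! ACL on transit must allow the echo requests toward the servers.
! (Applying an ACL adds an implicit deny; if transit already has an ACL,
! add this line to it instead of creating a new one.)
access-list transit_in extended permit icmp 10.10.3.0 255.255.255.0 10.10.200.0 255.255.255.0 echo
access-group transit_in in interface transit

! Test from the workstation (10.10.3.x) against a server, e.g. 10.10.200.10
! (constructed address), not against the ASA subinterface 10.10.200.1.
```

Verify the return path on the ASA with 'show route' (10.10.3.0/24 via 10.10.250.12 must still be present) and on the 6506 with 'show ip route 10.10.200.0'.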