Wednesday, July 28, 2010

ASA5505 Routing Issue

We have recently added a layer-2 leaf to my network, configuring ASAs at each of my two locations. The remote site config is working fine, but we are having major issues with my ASA5505. We use a tracked route to route data going from my primary site to the remote site, but the link keeps dropping.

Please see below some of our config.

interface Vlan1
nameif inside
security-level 100
ip address 192.168.16.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 83.147.148.134 255.255.255.252
!
interface Vlan3
nameif digiwebl2
security-level 90
ip address 192.168.160.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

access-list L2_access_in extended permit icmp 192.168.160.0 255.255.255.0 192.168.160.0 255.255.255.0
access-list L2_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list L2_access_in extended permit icmp 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0

access-group outside_access_in in interface outside
access-group L2_access_in in interface digiwebl2
route digiwebl2 192.168.20.0 255.255.255.0 192.168.160.254 255 track 1
route inside 172.31.60.0 255.255.255.0 192.168.16.254 1
route outside 0.0.0.0 0.0.0.0 83.147.148.133 1
route outside 192.168.20.0 255.255.255.0 83.147.148.133 254

If we plug into Ethernet0/4 we cannot ping back to the 192.168.16.10 interface, which leads me to think that there is a bug somewhere on the appliance. We have just had the device upgraded to version 7.2(5).

Tips:

If you plug into Eth0/4 then you will be on Vlan 3 which is the 192.168.160.x subnet. While on this subnet, you will only be able to ping the interface facing you, the Vlan3 interface at 192.168.160.10. This is by design and summarized here:

Note: For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network.

Once the ping issue from the interface back to the firewall interface was resolved, there was still little or no utilization of the layer-2 pipe. The reason was that all users were working from previously learned paths, which in this case meant the VPN connection. This was identified through "sh conn address 192.168.16.57" (our IP address); "sh conn" showed that all other users were using the VPN as well.

We issued a "clear conn all". This dropped the ASA connections momentarily, but it enforced the tracked route entry in the firewall, and now over 90% of my traffic is using the Layer2 link.
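The behaviour above (existing flows staying on the VPN path after the tracked route came back, until the connection table was cleared) comes from the ASA choosing the egress interface once, when a connection is created, and storing it in the conn entry. The following Python model is an added example, not code from the original post or from Cisco; it reproduces that behaviour with a constructed routing table of the same shape as the post's (a tracked primary route over digiwebl2 and a floating backup via outside), constructed administrative distances, and constructed user addresses, and shows why "clear conn" was needed before the tracked route took effect for already-established connections.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    distance: int
    track: Optional[int] = None  # tracking object id; None means always installed


# Constructed routing table (distances and tracking are assumptions, not the post's values).
ROUTES = [
    Route("digiwebl2", ipaddress.ip_network("192.168.20.0/24"), "192.168.160.254", 1, track=1),
    Route("outside",   ipaddress.ip_network("192.168.20.0/24"), "83.147.148.133", 254),
    Route("inside",    ipaddress.ip_network("172.31.60.0/24"),  "192.168.16.254", 1),
    Route("outside",   ipaddress.ip_network("0.0.0.0/0"),       "83.147.148.133", 1),
]

Conn = Tuple[str, str, int]  # (source address, destination address, destination port)


class AsaModel:
    """Toy model of the stateful behaviour described in the post: the egress
    interface is resolved by a route lookup when the connection is created and
    then stored with the conn, so later routing changes do not move live flows."""

    def __init__(self, routes: List[Route]):
        self.routes = routes
        self.track_up: Dict[int, bool] = {}
        self.conns: Dict[Conn, str] = {}

    def set_track(self, track_id: int, up: bool) -> None:
        # A tracked static route is installed only while its tracking object is up.
        self.track_up[track_id] = up

    def installed(self) -> List[Route]:
        return [r for r in self.routes
                if r.track is None or self.track_up.get(r.track, False)]

    def lookup(self, dst: str) -> str:
        # Longest prefix wins; among equal prefixes the lowest distance wins.
        ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.installed() if ip in r.prefix]
        if not candidates:
            raise LookupError(f"no route to {dst}")
        best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))
        return best.iface

    def forward(self, src: str, dst: str, dport: int) -> str:
        # First packet of a flow: route lookup and pin the egress interface.
        # Later packets: reuse the stored egress interface, whatever the table now says.
        key = (src, dst, dport)
        if key not in self.conns:
            self.conns[key] = self.lookup(dst)
        return self.conns[key]

    def show_conn(self, address: Optional[str] = None) -> Dict[Conn, str]:
        # Equivalent of "show conn" / "show conn address <ip>".
        return {k: v for k, v in self.conns.items()
                if address is None or address in k[:2]}

    def clear_conn(self, address: Optional[str] = None) -> int:
        # Equivalent of "clear conn all" / "clear conn address <ip>".
        victims = list(self.show_conn(address))
        for k in victims:
            del self.conns[k]
        return len(victims)


def egress_summary(asa: AsaModel) -> Dict[str, int]:
    """Count live connections per egress interface."""
    return dict(Counter(asa.conns.values()))


def scenario() -> Tuple[Dict[str, int], Dict[str, int], Dict[str, int]]:
    asa = AsaModel(ROUTES)
    users = [f"192.168.16.{n}" for n in range(50, 60)]  # constructed inside hosts
    asa.set_track(1, False)  # layer-2 link down when the users first connected
    for u in users:
        asa.forward(u, "192.168.20.5", 445)
    before = egress_summary(asa)
    asa.set_track(1, True)   # tracked route installed again
    for u in users:
        asa.forward(u, "192.168.20.5", 445)  # same flows: stored egress reused
    pinned = egress_summary(asa)
    asa.clear_conn()         # "clear conn all": next packets trigger a fresh lookup
    for u in users:
        asa.forward(u, "192.168.20.5", 445)
    after = egress_summary(asa)
    return before, pinned, after


if __name__ == "__main__":
    print(scenario())  # ({'outside': 10}, {'outside': 10}, {'digiwebl2': 10})
```

Running the model reproduces the post's observation: all ten flows sit on outside while the tracked route is absent, stay there after it is reinstalled, and only move to digiwebl2 once the conn table is cleared. Clearing per address with clear_conn(address) is the less disruptive option for a single host.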


Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.
