Unable to route traffic between subinterfaces in ASA 5515X

a.maldonado
Level 1

I am new to Firewalls and have been working with them just for 6 months. I am currently trying to configure an ASA 5515X with Firepower (whatever that means).

I want to use this firewall as the default gateway for all LAN traffic. I am experienced with routers, and with routers I just have to create subinterfaces on the physical interface and connect it to the core switch as a trunk, and that's it. I have done the same with the firewall but I cannot pass traffic between the subinterfaces. I can ping from a host on any subinterface (which all have security-level 100) to the Router (which has the ISP link) through the Outside interface, which has security-level 0.

I have reset the firewall to its factory defaults (several times) and have only configured the subinterfaces with an IP address, security level 100, a meaningful nameif and their corresponding VLAN ID. I also configured a default gateway and inspect icmp under the global policy, and the same-security-traffic permit inter/intra-interface command, but even with this most basic configuration I cannot ping from a host on one subinterface to another subinterface. From any host I can ping its default gateway, which ensures I have connectivity through the local LAN switch, and as I said before I can ping through the outside interface, but not between subinterfaces with the same security level.

I appreciate any thoughts or ideas.

A

8 Replies

aaron.hackney
Level 1

Hello A,

Good job on the intra/inter interface sysopts. It's usually the first tripping stone.

I would issue a packet-tracer with your host IPs and the detailed keyword and see how the firewall is treating your packet.

One thing I know that might stop this, depending on your code version, is a missing NAT exemption. This is more of a problem in 8.x code but I have seen it. Packet-tracer will tell you if that is the case.

Something like:

packet-tracer input dmz icmp 192.168.1.14 8 0 10.0.0.16 detailed

If the reason doesn't immediately jump out at you, feel free to post it here and we can take a look also.

-A

Hi Aaron,

Thank you for your reply.

I have already tried using packet tracer and it tells me there is no route to the host, but if I try manually adding it, it tells me the network is connected and does not add it. By all means I will try again tomorrow and post the messages. I will also post the running config, which is very simple: only the IP address config of the subinterfaces, the inspect icmp, the default gateway and the same-security-permit inter/intra-interface command, and that's it. I do not want to configure any routing protocol because that is what I am trying to move from.

The NAT exemption statement is something I have not tried or done, but please have a look at my config tomorrow and advise if that is the reason.

Thank you.

Rahul Govindan
VIP Alumni

Share a sanitized version of your config if possible.

You have to enable the "same-security-traffic permit inter-interface" feature if you want to pass traffic between 2 different interfaces with the same security level. This is not enabled by default.

Another option is to reduce the security level of 1 interface to something less than 100.

Thank you for your reply Rahul,

Yes! I have applied that command already, and also the intra-interface one, but it has made no difference.

The subinterfaces all have security level 100 because they are the inside LAN, and I cannot route between them.

I will post a copy of the config with pleasure tomorrow when I am in the office.

Francesco Molino
VIP Alumni

Hi

Let's take an example: you have interfaces named vlan10 and vlan20. Host 1.1.1.1 is on vlan10 and host 2.2.2.2 is on vlan20.
Based on this assumption, run the command below (change the IPs to yours):
packet-tracer input vlan10 icmp 1.1.1.1 8 0 2.2.2.2 detailed

Also please share your config (remove any passwords and public IPs).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you Francesco for your email.

I will run that command and post the config tomorrow when I am in the office. I just want to let you know that I have already used packet-tracer from ASDM to send an ICMP from a laptop on one of the subinterfaces to the IP address of another subinterface of the firewall. The result is... no route to host.

Fine! Then if I try to add a static route in the CLI it comes back saying the network is already connected (or something like that).

By all means I will try your suggestion again and post the messages I get together with the config tomorrow.

Thank you.


a.maldonado
Level 1

Thank you all who replied to my post.

After spending two more days trying to figure this out, it turned out that basically I cannot ping the firewall's address from another subinterface. I can only ping from host to host between subinterfaces.

When I initially pinged from host to host I had a number of ACLs and NAT statements that may have prevented me from doing this.

After resetting the firewall one more time to its default values I only configured it with the following:

  1. No shut on the physical interface (and nothing else)
  2. Configured the subinterfaces with IP, nameif and their corresponding VLAN ID
  3. Inspect icmp in the global policy
  4. The commands same-security-traffic permit inter/intra-interface
  5. Connected it to the switch as a trunk
  6. Enabled two hosts behind two different subinterfaces
  7. This also worked from a host on a subinterface to a host on the DMZ, which is a physical interface

Once again thank you but the problem is now resolved.
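Putting the minimal configuration from the steps above into ASA CLI, as an added example (not the original poster's config or Cisco's documentation); the interface names, VLAN IDs and addresses are assumed for illustration:

```text
! Added example, not the original poster's config. Interface names, VLAN IDs
! and addresses are assumed for illustration.
!
! Step 1: the physical trunk port carries no nameif or IP, only "no shutdown".
interface GigabitEthernet0/1
 no shutdown
!
! Step 2: one subinterface per VLAN, all at security-level 100 (inside LAN).
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif vlan20
 security-level 100
 ip address 10.0.20.1 255.255.255.0
!
! Step 4: without these two lines the ASA drops traffic between interfaces
! that share the same security level, and packet-tracer reports the drop.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! Step 3: ICMP is not tracked statefully unless inspected, so echo replies
! would otherwise be dropped on the way back. inspection_default is the
! class that already exists in the default global_policy.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification, as the replies suggest: trace an echo request from a host on
! vlan10 to a host on vlan20 (order is source, type 8, code 0, destination).
! A working path ends with "Action: allow" and a route lookup to vlan20.
packet-tracer input vlan10 icmp 10.0.10.50 8 0 10.0.20.50 detailed
```

Pinging a subinterface's own address (10.0.20.1) from a host on vlan10 is not a valid test: the ASA only answers ICMP sent to an interface address from hosts that arrive on that same interface, which matches what the original poster observed.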

Thanks for posting back to the forum to let us know that the problem is resolved and for sharing what you did that provided the solution. We are glad to try to provide solutions to problems presented in the forum. But we are especially glad when the person who presented the problem is able to find their own solution. +5 to you for achieving that.

HTH

Rick
