Routing and ASA

Unanswered Question
May 17th, 2007


I would like to use an ASA (7.2) as the DG for clients on a single-subnet site. The site does not have a router that I have access to. However, the site also has a dedicated circuit connected to the LAN allowing access to several remote sites. However, I have no control of the router.

I would like to add routes on the inside interface of the ASA directing selected traffic to the router.

However, despite setting same-security-traffic inter-interface, I still have problems. Despite explicitly allowing the traffic, I see the following syslog messages.

106015|LAN_IP|REMOTE_IP|Deny TCP (no connection) from LAN_IP/3422 to REMOTE_IP/80 flags RST on interface Inside

My questions are -

1) Is what I'm trying to do possible?

2) If yes, what do I need to do to enable it?



keith_chilek Fri, 05/18/2007 - 13:14

I have been told this is very difficult to do. Supposedly, you can make the ASA route "in and out" of the same interface but it's difficult and not recommended. It's much better to have a router or layer-3 switch internally and have the clients use that as their DG.

acomiskey Fri, 05/18/2007 - 16:20

It is intra-interface, not inter-interface, to allow traffic in and out of the same interface. Inter is for traffic between interfaces with the same security level.
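The distinction above, as an added ASA 7.2 configuration sketch that is not part of the original thread. All addresses are placeholders, the on-LAN router is assumed to be 192.168.1.254 on the inside subnet, and no NAT is assumed to be required for inside-to-inside traffic.

```cisco
! Added example (not from the original post); addresses are placeholders.
!
! The setting from the question. It only covers traffic between two
! DIFFERENT interfaces that share a security level, so it does nothing
! for a client whose packets arrive on "inside" and must leave on "inside".
same-security-traffic permit inter-interface
!
! What the hairpin actually needs: permit traffic to enter and leave the
! SAME interface.
same-security-traffic permit intra-interface
!
! Static routes on the inside interface that steer the remote-site networks
! (placeholders 10.10.0.0/16 and 10.20.0.0/16) to the router on the LAN.
route inside 10.10.0.0 255.255.0.0 192.168.1.254 1
route inside 10.20.0.0 255.255.0.0 192.168.1.254 1
!
! Everything else still follows the default route out the outside interface
! (placeholder next hop 203.0.113.1).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Check what is active.
show running-config same-security-traffic
show route
```

This only makes the ASA willing to forward a client's packets back out the inside interface; if the on-LAN router hands return traffic straight to the clients, the ASA sees one direction of each TCP connection, which is consistent with the 106015 "no connection" messages in the question and is why the first reply recommends an internal router or layer-3 switch as the default gateway instead.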
