Management VLAN - Strange Problem

new_networker
Level 1

Topology:

ASA (inside) -> MSFC -> FWSM

ASA is loaded with CSC-SSM.

Management VLAN is defined on FWSM, e.g. VLAN99. Now, the management ports of ASA and CSC-SSM are connected directly to VLAN99, i.e. bypassing the MSFC and FWSM.

In this case, I am not able to ping the ASA inside interface from a host in VLAN99. icmp permit any inside has been configured on the ASA for the ping to work.

Please advise if bypassing the MSFC / FWSM is causing the ping failure for the return traffic.

Regards


11 Replies

Jon Marshall
Hall of Fame

Need a bit more information.

1) Does vlan 99 have an L3 SVI on the MSFC?

2) Have you allocated vlan 99 to the FWSM?

3) What is the next-hop on vlan 99 for the ASA?

Jon

1) Does vlan 99 have an L3 SVI on the MSFC?

- No. Vlan 99 is defined as the FWSM DMZ interface. The FWSM outside is connected to the MSFC.

2) Have you allocated vlan 99 to the FWSM?

- Yes

3) What is the next-hop on vlan 99 for the ASA?

- It is the directly connected segment, i.e. the ASA and CSC-SSM management IP/port is directly connected to vlan 99 (same subnet) on the Cat 6500. So it is bypassing the MSFC and FWSM for the return traffic originating from the host in Vlan 99.

Thanks

Thanks for that.

"Please advise if bypassing the MSFC / FWSM is causing the ping failure for the return traffic."

Based on your answers, no, bypassing the MSFC/FWSM should not be a problem, as it is simply L2 communication and so the FWSM doesn't come into it - or shouldn't at least.

Can you

1) Ping the ASA from the FWSM

2) Ping the host from a) the ASA b) the FWSM

Jon

1) Ping the ASA from the FWSM

- Ping is successful.

2) Ping the host from the

a) the ASA - Ping is successful

b) the FWSM - Ping is successful

Strange... but ping from the host to the inside interface of the ASA is not working. Could it be that ping from ASA to host is successful because it is taking a different path, i.e. it has a directly connected interface terminating on switch/vlan99 where the host lies?

However, ping from host to ASA goes through the FWSM interface, then MSFC SVI, then inside ASA and 'returns' through the ASA management port which is directly connected to the switch/vlan99. Could it be a speed issue?

Are the ASA management ports 100 or 1000Mbps?

Please assist.

Thanks.

"However, ping from host to ASA goes through the FWSM interface, then MSFC SVI, then inside ASA and 'returns' through the ASA management port which is directly connected to the switch/vlan99"

Unlikely, as the host is also in vlan 99 so its path should never go via the FWSM interface, unless I have misunderstood.

Can you

1) ping the FWSM vlan 99 interface from the host (sorry, I forgot that one)

2) check the subnet masks are the same on the host and the ASA inside interface

You may need to do a packet capture on the ASA.

Jon

1) Ping is successful.

2) Subnet mask is correct.

I have done the packet capture. The ping from host in vlan 99 shows a request sent to ASA Inside. ASA Inside also receives the icmp request. However, there is no reply packet seen at all.

I believe on return it identifies the destination network to be the connected network and hence drops the packet, either due to an asymmetric routing issue or because the ASA cannot forward traffic onto the directly connected management interface from the other interfaces such as inside.

Once again the two way route is

vlan99 (default gateway for hosts is FWSM) -> FWSM -> MSFC -> ASA with AIP -> vlan99

And the ASA's management interfaces are directly connected to vlan99.

I have also noticed that I am not able to ping the AIP-SSM management IP from the ASA. Is this normal?

IPs:

- ASA Inside: 10.1.1.1/24

- ASA Management IP: 10.1.2.1/24

- ASA AIP-SSM Management IP: 10.1.2.2/24

- Management Vlan: 10.1.2.0/24

Please advise where I go from here. I am kind of stuck. My main objective is that hosts on vlan 99 should be able to go out to the internet. But because of the directly connected management segments on the ASA I am experiencing all these problems.

Please assist.

Thanks.

Ah okay, I thought your inside interface was the one on vlan 99. I can see the problem now. Either

1) Configure the management and AIM-SSM to be on a different vlan than vlan 99

OR

2) NAT the host IP address from vlan 99 to the outside interface address on the FWSM. Then the ASA will return the traffic back through its inside interface to the MSFC.

Is there a reason why you need the management interface/AIM-SSM in the same vlan as the hosts, i.e. vlan 99?

Jon
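As an added illustration (not from the thread), here is a small Python model of the ASA's longest-prefix-match route lookup using the addresses given above; the FWSM outside address 192.0.2.1 is an assumed placeholder, since the page does not give it. It shows why the echo reply to a VLAN 99 host leaves the management interface while the request arrived on inside, and why NATing the host behind the FWSM outside address (option 2) makes the reply go back via inside.

```python
import ipaddress

# Constructed model of the ASA from the thread: inside 10.1.1.1/24 faces the
# MSFC, management 10.1.2.1/24 sits directly on VLAN 99 (10.1.2.0/24).
# The FWSM outside address is NOT given on the page; 192.0.2.1 is a placeholder.
FWSM_OUTSIDE = "192.0.2.1"

ASA_ROUTES = [
    (ipaddress.ip_network("10.1.1.0/24"), "inside"),      # connected
    (ipaddress.ip_network("10.1.2.0/24"), "management"),  # connected, VLAN 99
    (ipaddress.ip_network("0.0.0.0/0"), "inside"),        # default via MSFC
]


def egress_interface(dst, routes=ASA_ROUTES):
    """Longest-prefix-match lookup: the interface the ASA would send to dst from."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, ifc in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1]


def echo_reply_path(host, ingress="inside", nat_on_fwsm=False):
    """Where the ASA's echo reply goes for a request from host that arrived on ingress.

    With nat_on_fwsm the FWSM has translated the host to its outside address,
    so the ASA replies to that address instead of the host's VLAN 99 address.
    Returns (egress interface, symmetric); symmetric means the reply leaves
    the same interface the request came in on.
    """
    reply_dst = FWSM_OUTSIDE if nat_on_fwsm else host
    out = egress_interface(reply_dst)
    return out, out == ingress


if __name__ == "__main__":
    # Request from a VLAN 99 host via FWSM -> MSFC -> ASA inside (the thread's path).
    print(echo_reply_path("10.1.2.50"))                    # ('management', False)
    # Option 2: host NATed to the FWSM outside address.
    print(echo_reply_path("10.1.2.50", nat_on_fwsm=True))  # ('inside', True)
```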

1) I believe AIP-SSM itself does not have any IP. It has the management IP only. The communication between AIP-SSM and ASA occurs through the backplane. Please correct me if I am wrong.

I intend to use the management vlan for the following purposes.

- Remote management

- Run SNMP protocol for monitoring of all devices via CS-MARS etc.

- Configuration management via CiscoWorks/CSM.

The hosts in vlan99 are nothing other than

- Perimeter ASA (1) Management interface

- CSC-SSM (1) Management interface

- Perimeter ASA (2) Management interface

- CSC-SSM (2) Management interface

- Inside ASA (1) Management interface

- AIP-SSM (1) Management interface

- Inside ASA (2) Management interface

- AIP-SSM (2) Management interface

- IDSM (1) Management interface

- IDSM (2) Management interface

- NAM (1) Management interface

- NAM (2) Management interface

etc..

Please advise whether the given management vlan design is as per the known good practices.

Thanks.

To add to the above,

The ASA and AIP-SSM management IPs are in the same vlan, and it is a different one than the ASA inside.

Thanks.

1) Not sure about this, as I have never used an AIM-SSM in an ASA.

Nothing wrong with having these devices in a dedicated management vlan; in fact that is recommended, and it should be firewalled as well, which is what you are doing.

But I'm still unclear as to why any of these devices need Internet access - IDS updates etc.?

If so, I would go with option 2 in the previous thread.

Jon

Yes, the devices need updates from the internet such as IDS signatures and anti-x engine updates.

I will be going by option 2.

Thanks.
