Help with VLAN, Layer 3 switch, DMZ routing madness.

Unanswered Question
May 6th, 2009

I have an ASA 5510 with 3 interfaces (inside, outside, DMZ)

Internal routing is done by a layer 3 switch

We utilize VLANs (5 = guest, 6 = staff, 29 = DMZ)

ASA Interfaces are as follows:




Host A ( wants to ping Host B ( in the DMZ.

The layer 3 switch has a static route of (inside ASA interface), but no sub-interface for vlan 29.

Since the layer 3 switch has no route to, doesn't it forward it to the interface (inside interface on ASA) based on the default routing of At this point (inside Interface) knows about the network (DMZ) and should forward it based on ACEs correct?

John Blakley Wed, 05/06/2009 - 06:12

As far as the default route in the switch goes, it should be okay as long as you have a route in the ASA that tells it how to get back to the network.

route inside 10.5.8.

How do you have your NAT statements on the ASA? You can either use NAT exemption or identity NAT.

nat exemption:

access-list DMZ permit ip

nat (inside) 0 access-list DMZ


Identity nat:

static (inside,dmz) netmask



oneirishpollack Wed, 05/06/2009 - 08:01


Here are the NAT statements:

static (DMZ,outside) netmask

static (inside,DMZ) netmask

Here is the route inside statement:

route inside 1

I CAN ping from the ASA's DMZ interface (, but cannot from the outside ( or inside interface (

I cannot ping the from the access switch or from the layer 3 switch.

Again, I do not have a subinterface for VLAN 29 on the layer 3 switch. I was assuming the ASA would do the routing to and from the inside to the outside, but I can see where the VLAN routing may be the problem. The DMZ interface and the access switch interface are the only ports assigned to VLAN 29. So can I assume that the layer 2 VLAN assignments are killing this?

John Blakley Wed, 05/06/2009 - 08:05

You'll need to add:

static (inside,DMZ) netmask

Let's take things one step at a time :)

Your static mapping is only allowing across into the DMZ untranslated, so the 10.5.x.x subnets are still trying to translate.

What do your nat and global statements look like?

oneirishpollack Wed, 05/06/2009 - 09:51

I tried to substitute my ip addresses with aliases and made this too confusing. Below are my actual VLAN and private local addressing:

Staff subnet (vlan 4)

Guest subnet (vlan 3)

Outside subnet: (vlan 34)

DMZ subnet: (vlan 29)

ASA interfaces:

Inside: (vlan 2)

Outside: (vlan 34)

DMZ: (vlan 29)

host A (vlan 4) pings host B (vlan 29)

Below are the statements from the ASA again:

static (DMZ,outside) netmask

static (inside,DMZ) netmask

static (inside,DMZ) netmask

Sorry for the confusion.

John Blakley Wed, 05/06/2009 - 10:05

You should be able to remove:

static (inside,DMZ) netmask

It's covered in the line below it.

What's the original problem again? You can ping across the dmz from the inside, right? What's not working now?


oneirishpollack Wed, 05/06/2009 - 10:31

I am trying to setup the DMZ for the first time.

I can ping the DMZ interface and a DMZ server from the outside.

I can ping the DMZ server from the DMZ interface.

I cannot ping the DMZ interface or server from the inside.

We utilize intra-vlan routing on our layer 3 switch.

I am thinking the inside routing process goes...

Host A ( pings Host B (

Host A determines that Host B is not on the local network and forwards it to the default gateway (

The layer 3 switch checks its routing table and determines it does not have a route for (no subinterface set up for vlan 29), so it sends it to the default gateway (inside interface on ASA).

The ASA checks its routing table and sees a route to network (DMZ) via (DMZ interface). It forwards the packet to this interface to be passed to the server.

Is this how the routing process in this scenario will work?

John Blakley Wed, 05/06/2009 - 10:37

That's the way routing would work. Once it leaves the host into the switch, if the switch can't route it, it will go to its default gateway. The default route points to the inside ASA, and it will look at its routing table and forward to the DMZ.

Above you said that you can't ping a server in the DMZ, but in another post you said that you could:

host A (vlan 4) pings host B (vlan 29)

If you try to ping and you get timeouts, make sure that you have inspect icmp under your default inspection policy on the ASA.

It will look something like:

policy inspection_default

class default_inspection

inspect icmp

service-policy inspection_default global

Instead of just pinging, can you get to anything else on that server? Do you run a web server on it? Something else that you can test? Check the policy and see if the inspect is listed and we'll go from there.


oneirishpollack Thu, 05/07/2009 - 07:08

Sorry for the confusion, when I said:

host A (vlan 4) pings host B (vlan 29)

I meant that it tried to ping it, but it is not getting a reply back.

I tested several scenarios and this is what I found:

(vlan 29) pings (vlan 29) = no reply

(vlan 4) pings (vlan 29) = no reply

(vlan 29) pings (vlan 29) = 1 reply....and then "request times out"

(vlan 4) pings (vlan 29) = no reply

(outside machine) pings (NAT'd IP of server) = replies received


Here is what I see on the firewall log:

%ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)

The security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.

oneirishpollack Fri, 05/08/2009 - 07:28

OK, using the ping tool in ASDM, I cannot ping the DMZ interface ( from the Inside interface (

oneirishpollack Fri, 05/08/2009 - 11:46

I attached the diagram.


I included two comments above the layer 3 switch. One shows the subinterface for VLAN 4, and the other is the sh ip route off the layer 3 switch.

John Blakley Fri, 05/08/2009 - 12:02

You show that you have a L3 switch. Is this set up as a L3 or L2 (is ip routing enabled)? Is it a Cisco switch?

My first thought is that if it's L3, then your pings shouldn't get to the ASA. It should go through the switch and be routed.

Looking at your routing table, you don't have an SVI configured for the subnet. So, what *should* happen is the L3 switch will send its traffic to the next switch on vlan29. I think what's happening, and others may chime in, is this:

The traffic from is getting to the firewall, and it's sending it back, but because there's no route on the L3 switch to the subnet, the switch is dropping the traffic.

I would try the following:

At minimum, add an SVI to support your subnet. (What gateway do you have on that host??)

Then your trunks will carry all the way to the firewall. You should be able to ping the host from the without going to the firewall.


John Blakley Fri, 05/08/2009 - 12:15

I think another thing that *might* be happening is that you have vlan29 on the ASA, but do you have vlan29 on the trunk on both ends of the link? If not, it's going to go out of your native vlan and return on the native vlan. In order to use vlan 29, you're going to have to have vlan29 trunked all the way to the destination.



oneirishpollack Mon, 05/11/2009 - 08:29

John, you are correct in that I do have a L3 (routing enabled) Cisco 3750 that handles my internal routing, and I do not have an SVI for the 29 VLAN.

I didn't know if creating an SVI for the subnet would create a security issue in that the 29 subnet (DMZ) would then potentially be able to be routed internally, separate from the firewall. I was assuming if I:

1. Created the 29 Vlan on VTP server

2. Created a static route of (Inside interface) on L3 switch

3. Addressed the DMZ interface as

I assumed that since (inside interface, vlan4) and (DMZ interface, vlan 29) were directly connected interfaces on the firewall, that the firewall (based on ACLs) would then route the traffic accordingly. I thought the flow would look like this: (vlan 4) pings (vlan 29) --> --> --> -->

Here again are my ping results:

(vlan 29) ping (vlan 29) - replies!

(vlan 4) ping (vlan 29) -

(vlan 4) ping (vlan 29) - request timed out.

(vlan 29) ping (vlan 29) - request timed out.

John Blakley Mon, 05/11/2009 - 08:50

Did you create your svi for vlan 29 on the L3 switch like I stated in a previous post?

Do you have your vlan 29 trunked at the exit point that the ASA is connected to?

I think the problem lies in the fact that once your L3 switch forwards out the frame to the ASA, if you DON'T have vlan 29 allowed on the trunk, the switch will forward it out as its native vlan.

oneirishpollack Mon, 05/11/2009 - 18:11

The 'DMZ' port on the ASA is connected to a switch port that belongs to vlan 29.

The 'Inside' port on the ASA is connected to a switch port that belongs to vlan 4.

The 'Outside' port on the ASA is connected to a port that belongs to vlan 71.

The host machine ( pinging is connected to a port assigned to vlan 4.

The machine ( being pinged belongs to a port assigned to vlan 29.

The firewall however does see it, as I see this on the firewall syslog:

Here is the succession:

IDS:2004 ICMP echo request from to on interface inside

IDS:2000 ICMP echo reply from to on interface DMZ

Deny inbound icmp src DMZ: dst inside: (type 0, code 0)

So it seems like it is getting dropped at the inside interface.

I can add the SVI, but won't this just skip the firewall inspection altogether and route it internally through the L3 switch?
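The syslog succession in the post above (and the 106014 message quoted earlier in the thread) is the kind of pattern a log parser can correlate automatically: an echo request entering on one interface, the reply entering on another, and the reply then denied as a new inbound ICMP packet, which is what happens when ICMP is not inspected statefully. The script below is an added example, not code from the thread or from Cisco; the log lines and addresses are constructed placeholders shaped like the messages quoted in the posts, and the remediation text reflects John's earlier advice to check for `inspect icmp` in the default inspection policy rather than routing around the firewall.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines shaped like the messages quoted in the thread
# (IDS:2004 / IDS:2000 / 106014). Addresses are placeholders, not the poster's.
SAMPLE_LOG = """\
IDS:2004 ICMP echo request from 10.4.0.50 to 10.29.0.10 on interface inside
IDS:2000 ICMP echo reply from 10.29.0.10 to 10.4.0.50 on interface DMZ
%ASA-3-106014: Deny inbound icmp src DMZ:10.29.0.10 dst inside:10.4.0.50 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst DMZ:10.29.0.10 (type 8, code 0)
"""

IDS_RE = re.compile(
    r"IDS:(?P<sig>\d+) ICMP echo (?P<kind>request|reply) from (?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) on interface (?P<ifc>\S+)")
DENY_RE = re.compile(
    r"106014: Deny inbound icmp src (?P<sifc>[^:]+):(?P<src>[\d.]+) "
    r"dst (?P<difc>[^:]+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)")


def analyze(log_text):
    """Return one finding dict per ICMP echo request whose reply was denied.

    A request seen arriving on interface X, a reply seen on interface Y, and a
    106014 deny of that reply (ICMP type 0) from Y back towards X means the ASA
    treated the reply as a brand-new inbound packet rather than part of the
    request's flow: ICMP is not being inspected statefully.
    """
    requests = {}                 # (src, dst) -> interface the request arrived on
    replies = {}                  # (src, dst) -> interface the reply arrived on
    denied = defaultdict(list)    # (src, dst) -> [(src_ifc, dst_ifc, icmp_type)]
    for line in log_text.splitlines():
        m = IDS_RE.search(line)
        if m:
            key = (m["src"], m["dst"])
            (requests if m["kind"] == "request" else replies)[key] = m["ifc"]
            continue
        m = DENY_RE.search(line)
        if m:
            denied[(m["src"], m["dst"])].append((m["sifc"], m["difc"], int(m["type"])))
    findings = []
    for (src, dst), in_ifc in requests.items():
        reply_key = (dst, src)   # the reply travels the reverse direction
        for sifc, difc, icmp_type in denied.get(reply_key, []):
            if icmp_type == 0 and difc == in_ifc:
                findings.append({
                    "request_from": src, "request_to": dst,
                    "request_ifc": in_ifc, "reply_ifc": replies.get(reply_key, sifc),
                    "verdict": "echo reply denied: enable 'inspect icmp' in the "
                               "default inspection policy so replies match the request",
                })
    return findings
```

The unrelated type 8 deny from the outside interface in the sample has no matching request and is left alone, so only the inside-to-DMZ ping that lost its reply is reported.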

oneirishpollack Mon, 05/11/2009 - 19:54

I disabled the DMZ interface on the ASA ( and added the svi as follows:

interface Vlan29

description DMZ

ip address

no ip redirects

ip pim sparse-dense-mode

I can now ping the machine.

