Cisco Support Community
New Member

ASA 5520 Intra-interface routing


I am kind of new to firewalls, and what I'm trying to do is the following:

Old situation:

One subnet for everything, ASA 5520 INSIDE  > 3560 > Several 2950 on 192.168.0.x

New situation:

ASA 5520 INSIDE >>> 3560 192.168.0.240/2.1/5.1 (IP ROUTING enabled) >TRUNK> 2950 with and a client with


-ASA 5520 > 3560 > Several 2950 (some in different subnets)

-I added subnets 192.168.2.x and .5.x (VLAN 2/5, with IPs of .1) to the 3560, which is trunked with a 2950 that runs those 2 subnets.

-Everything in the 192.168.0.x subnet has as default gateway the ASA Inside interface (0.241).

-The new 2950 / Client have as default gateway the 3560 (5.1 and client 2.1).

-3560 has an ip route

-ASA has ip routes to > and > (which is the IP of the 3560).

I can access the internet fine (added PAT), but I cannot ping from a host in the 0.x to the 2.x etc. From the 2.100 client I can only ping the 3560 / ASA / internet, but not a single other 0.x address on the network.

Now someone told me that I cannot route traffic back on the same interface as it goes out on, but I don't think this is true. He suggested I change all my default gateways to the 3560 IP address, and yes, this will probably solve it and might be the best solution, but I got curious now.

-I have an inside ACL that says from any source to any less secure network; can anyone tell me whether changing this to any any will solve my problems?

-Even if this works, should I still consider changing all my default gateways to the 3560 instead of the firewall?

-Or should I consider doing the inter-VLAN routing on the firewall instead of the 3560?

I hope it's a bit clear; if not, please let me know.



Cisco Employee

Re: ASA 5520 Intra-interface routing


> Now someone told me that i cannot route traffic back on the same interface as it goes out on

Whoever told you that is right in a sense, because that is indeed the default behavior of the ASA. In order to allow that, you will need the command:

same-security-traffic permit intra-interface

Also, since you have an access-list on the ASA's inside interface, you will need to explicitly allow traffic from the 0.x to the 2.x subnet.

Now, if we look at the packet flow when a host, say 0.10, tries to ping 2.100: the packet first goes to the ASA, then to the 3560 and the 2950, and finally to the 2.100 host. When this host sends the reply, the packet goes to the 2950, then the 3560, and then directly to the 0.10 host; it does not go to the ASA. Hence the ASA sees only one direction of the traffic and not both (asymmetric routing). Assuming we don't have "inspect icmp", the ping will succeed because of this, but none of the TCP connections will work, for 2 reasons:

1) ASA randomizes sequence numbers.

2) ASA does a statefulness check for every TCP packet.

We need to disable the above two features on the ASA for this particular flow as well. Prior to 8.2, this is done using a static command as below:

static(in,in) netmask norandomseq nailed

failover timeout -1

From 8.2 onwards, we need to do this using MPF. The two actions we need are:

set connection advanced-options tcp-state-bypass; and

set connection random-sequence-number disable

The below 2 links will give you more information about the above 2 commands:

Let me know if this helps. All the best!!

Thanks and Regards,
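As an added example (not part of the thread, and not Cisco's own documentation), here are the changes described in the reply above collected into one ASA 8.2+ configuration: the intra-interface permit, the routes towards the 3560, the inside ACL entries for the hairpinned traffic, and the MPF class that disables TCP state checking and sequence-number randomization for only that traffic. The 3560 address 192.168.0.240, the /24 masks, and the names inside_access_in, tcp_bypass, tcp_bypass_class and tcp_bypass_policy are assumptions for illustration and should be replaced with the site's real values.

```text
! Added example, not from the thread. Assumptions: inside interface is
! 192.168.0.241/24, the 3560 is 192.168.0.240 on the same segment, VLAN 2 and
! VLAN 5 are 192.168.2.0/24 and 192.168.5.0/24, and the existing inside
! interface ACL is named inside_access_in.

! 1. Allow traffic to enter and leave the same (inside) interface.
same-security-traffic permit intra-interface

! 2. Routes for the new subnets; the next hop is the 3560 on the inside segment.
route inside 192.168.2.0 255.255.255.0 192.168.0.240 1
route inside 192.168.5.0 255.255.255.0 192.168.0.240 1

! 3. The inside ACL must explicitly permit 0.x -> 2.x / 5.x. The existing
!    "any to any less secure network" rule does not cover traffic that stays
!    on the inside. New ACEs are appended, so keep them above any deny.
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-group inside_access_in in interface inside

! 4. Only the hairpinned TCP flows get state bypass and unrandomized ISNs.
!    Keep the class narrow: everything else on inside stays fully inspected.
access-list tcp_bypass extended permit tcp 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tcp_bypass extended permit tcp 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
class-map tcp_bypass_class
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass_class
  set connection advanced-options tcp-state-bypass
  set connection random-sequence-number disable
service-policy tcp_bypass_policy interface inside
```

After applying this, `show service-policy interface inside` shows the class and its hit counts, and `show conn` shows the bypassed flows. The caveat a practitioner should keep in mind: for the matched class the ASA no longer does TCP normalization or application inspection, so the firewall adds nothing for those flows. That is the argument for the colleague's suggestion in the original post: pointing the 0.x hosts' default gateway at the 3560 (or doing all inter-VLAN routing on the 3560) keeps inside-to-inside traffic off the firewall entirely, and the bypass configuration is then unnecessary.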


New Member

Re: ASA 5520 Intra-interface routing

Thanks for the fast reply, Prapanch. I will try it out ASAP and post a status update afterwards.
