Cisco ASA CX

Ashley Sahonta
Level 1

Hi,

I have configured the CX to filter URLs, however I am having issues with the updates. It seems that the CX module can't access the internet.

How do I configure the CX/management interface of the ASA to reach the internet so that it can perform updates?

Cheers,

Ash

28 Replies

OK, so in that case the replies should show up as outbound traffic on the ASA inside interface to the CX Management IP address. Does a capture show them?

No, the replies aren't showing.

I can ping from the core switch sourced from any VLAN except the CX VLAN.

Does the ASA know to route the replies back via the core switch? If it also has its management address on the same subnet, that could be the issue since it thinks that network is connected.

Try adding a /32 route on the ASA inside interface for both the CX VLAN SVI and the CX Management address.

I previously had a /32 route for the CX interface; however, I did add the route for the CX VLAN SVI. Still not able to get out. I ran a packet tracer and got the following output:

packet-tracer input insid icmp 10.0.125.2 0 8 4.2.2.2 det

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff9f3b3350, priority=13, domain=capture, deny=false
        hits=236269, user_data=0x7fff9dfbec70, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff9f2fe570, priority=1, domain=permit, deny=false
        hits=27398061, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network CX-MANAGEMENT
nat (inside,outside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff984e5750, priority=6, domain=nat, deny=false
        hits=207, user_data=0x7fffa1ea9380, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.0.125.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff9e8fb6e0, priority=0, domain=nat-per-session, deny=true
        hits=418401, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff9f307540, priority=0, domain=inspect-ip-options, deny=true
        hits=1321622, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-cluster-unassigned-pool) NAT unassigned pool in cluster

Well from that last trace, it's reporting an issue with your NAT setup. Can you share the network object and associated NAT configuration?

object network CX-MANAGEMENT
 subnet 10.0.125.0 255.255.255.0
object network CX-MANAGEMENT
 nat (inside,outside) dynamic interface

Your NAT rule looks very straightforward. Unless there's another NAT rule above it in the firewall's configuration, I'm not convinced the packet-tracer output is legitimately showing what the ASA is doing. After all, your earlier post showed both translate and untranslate hits.

From the ASA inside interface can you ping the CX VLAN SVI and CX IP address (and vice versa)?

Hi,

I can't ping the CX SVI or CX IP address from the inside interface

Could you post a full sanitized configuration of your ASA please. I am wondering if there is another NAT statement that is messing things up.

--
Please remember to select a correct answer and rate helpful posts

Hi,

Config attached to original post

Your routing statements:

route inside 10.0.125.2 255.255.255.255 10.0.125.4 1
route inside 10.0.125.4 255.255.255.255 10.0.125.4 1

...will not work. They need to define the gateway on the Inside subnet (10.0.35.x). Try changing that and see if you can reach the SVI and then the CX interface. If you can, the CX should be able to get out to the Internet and receive the return traffic.
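As an added example (not part of the thread or of any Cisco tooling), a small Python linter that applies the check made in the reply above to ASA `route` statements: the next hop must sit on the egress interface's own subnet, and must not lie inside the destination prefix the route is for. The inside subnet 10.0.35.0/24 and the core-switch address 10.0.35.2 used in the corrected route are assumptions; the thread only says the gateway belongs on 10.0.35.x.

```python
import ipaddress
import re

# Assumed: the ASA inside interface subnet (the thread says 10.0.35.x).
INTERFACE_SUBNETS = {"inside": ipaddress.ip_network("10.0.35.0/24")}

# ASA syntax: route <ifc> <dest> <mask> <gateway> [metric]
ROUTE_RE = re.compile(
    r"^route\s+(?P<ifc>\S+)\s+(?P<dst>\S+)\s+(?P<mask>\S+)\s+(?P<gw>\S+)"
    r"(?:\s+(?P<metric>\d+))?\s*$"
)

# Constructed sample: the two routes quoted in the thread plus a corrected
# version whose next hop (10.0.35.2, assumed core-switch address) is on inside.
SAMPLE_CONFIG = """\
route inside 10.0.125.2 255.255.255.255 10.0.125.4 1
route inside 10.0.125.4 255.255.255.255 10.0.125.4 1
route inside 10.0.125.0 255.255.255.0 10.0.35.2 1
"""


def parse_route(line):
    """Return (interface, destination network, gateway) or None if not a route."""
    m = ROUTE_RE.match(line.strip())
    if not m:
        return None
    dst = ipaddress.ip_network(f"{m['dst']}/{m['mask']}", strict=False)
    return m["ifc"], dst, ipaddress.ip_address(m["gw"])


def check_route(line, subnets=INTERFACE_SUBNETS):
    """List the problems with one static route; an empty list means it looks sane."""
    parsed = parse_route(line)
    if parsed is None:
        return ["not a static route statement"]
    ifc, dst, gw = parsed
    problems = []
    if ifc not in subnets:
        problems.append(f"unknown interface {ifc}")
    elif gw not in subnets[ifc]:
        problems.append(f"gateway {gw} is not on the {ifc} subnet {subnets[ifc]}")
    if gw in dst:
        problems.append(f"gateway {gw} lies inside destination {dst}: route points at itself")
    return problems


def lint_routes(config_text, subnets=INTERFACE_SUBNETS):
    """Map each route line in a config to its list of problems."""
    return {l.strip(): check_route(l, subnets)
            for l in config_text.splitlines() if l.strip().startswith("route ")}
```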

Thank you very much for your help on this

You're welcome. Sometimes it's the smallest things.

I was working a setup this weekend and banging on the keyboard most of the night and unable to solve one problem at the end of a string of tasks. I looked at it again after getting a good night's sleep and found the customer had misconfigured the subnet mask on one interface. Sometimes that "sort of" works - you can pass traffic and reach remote devices but EIGRP, even though it would form an adjacency, would not update routes. I changed the /16 mask to /24 and - voila - everything worked as expected.

Lol. Yeah, it's always the small things that come back and bite.

Once again, thanks for all the help you have given.
