Routing on Cisco ASA 5520

AQUALUNGAMERICA
Level 1

I have a network that is connected via a VLAN configuration 10.x.x.x/24 that has a gateway of 10.x.x.x/16. I put a route on the firewall and I can ping the /24 network with no problem, but I believe I need an ACL on the firewall to allow traffic from 10.x.x.x/24 to come back to the internal 10.x.x.x/16 network via the firewall? The gateway and the firewall share the same network subnet. Could someone verify, as I am slated to go to ASA school but am learning the details in the meantime.

My Firewall is running 8.4(5).

Any help would be greatly appreciated.

Thank you Carlos

7 Replies

Jouni Forss
VIP Alumni

Hi,

I am afraid I don't quite understand your setup.

And since we are talking about private range IP addresses/subnets there is really no reason not to tell them here. Especially when we talk about routing. Depending on the network addresses you might have overlapping networks even.

Then again I am not sure how the 2 networks are connected to the ASA? Are they behind different interfaces of the ASA?

Could you perhaps share some configurations?

- Jouni

Hello Jouni,

Sorry I wrote this request without details. Here is my configuration. My Firewall ASA has an address of 10.1.1.1/16. My internal LAN is 10.1.0.0/16. I have a gateway on the same net of 10.1.1.250/16 that is connected to the same switch as my Firewall. This gateway 10.1.1.250/16 is connected to a switch with VLAN configuration that hosts a 10.6.1.0/24 network with gateway 10.6.1.1/24. I have placed a route on the firewall that routes 10.6.1.0/24 via 10.1.1.250/16. I can ping and receive a reply to my Mitel VOIP system at 10.6.1.250/24 but I cannot pull up its website on my PC that also sits on the 10.1.0.0/16. I had it working with my SonicWall that we have finally retired.

That being said, do I need an ACL to allow traffic back from the 10.6.1.0/24 to properly talk to the 10.1.0.0/16 on the firewall? Or do I need a route?

As always, appreciate your help.

Carlos

Assuming the ASA is the default gateway for your PC, you need to add the line in your ASA:

same-security-traffic intra-interface

Reference.

I have this configuration in. The issue is I have an asymmetric routing problem. I've been looking at articles. I have placed these configurations in and I am still not able to connect PC 2 to the server. What am I missing?

! Static route for the VoIP VLAN via the ProCurve (10.1.1.250, as described above);
! the interface name "inside" is assumed from the service-policy line below
route inside 10.6.1.0 255.255.255.0 10.1.1.250

! ACL, class-map and policy-map names must match exactly (they are case-sensitive)
access-list tcp_bypass_VoIP_Net extended permit ip 10.1.0.0 255.255.0.0 10.6.1.0 255.255.255.0

class-map class_tcp_bypass_VoIP_Net
    match access-list tcp_bypass_VoIP_Net

policy-map tcp_bypass_policy
    class class_tcp_bypass_VoIP_Net
       set connection advanced-options tcp-state-bypass

service-policy tcp_bypass_policy interface inside

I don't believe your service-policy is necessary.

Have you applied the same-security line I suggested above?

The other option would be a host route in the server for the 10.6.1.0/24 network. Tell it to use the ProCurve interface of 10.1.1.250.

Hello Marvin,

Yes, the same-security line has been in place for a while. I have the route in place for the 10.1.0.0/16 network to use the 10.6.1.250 gateway on the ASA. It works fine. The issue is when I try to access anything on the 10.1.0.0/16 network from PC 2 I cannot get anywhere. I've had Cisco technical support for help but we are all hitting a wall on this. There is something with the ASA and how it handles the SYN with asymmetrical routing that I am having challenges with. Any suggestions would be appreciated.

Thank you

Carlos

Hmm yes I could see that might well be a problem.

Since the ProCurve sees the 10.1.0.0/16 as connected, it will normally just ARP for hosts when it has a packet to forward onwards to a destination in that network. You could put a static route in the ProCurve for your server's host addresses to go via the ASA inside interface, making any /32 static be preferred over the /16 connected. That would make your routing symmetric.
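As an added example that is not part of this thread, the following Python model traces the SYN and SYN-ACK paths through the topology Carlos described (ASA 10.1.1.1, ProCurve 10.1.1.250, VLAN 10.6.1.0/24) and applies the ASA's stateful check, so you can see why the connection from PC 2 fails, why tcp-state-bypass masks it, and why Marvin's /32 host route on the ProCurve makes the paths symmetric. The PC 2 address 10.6.1.20, the server address 10.1.1.50 and the ProCurve VLAN interface 10.6.1.1 are assumed values, not from the posts.

```python
"""Constructed path simulator for the ASA / ProCurve asymmetric routing case."""
import ipaddress

ASA, PROCURVE, VLAN_GW = "10.1.1.1", "10.1.1.250", "10.6.1.1"   # VLAN_GW assumed
PC2, SERVER = "10.6.1.20", "10.1.1.50"                           # constructed hosts
OWNER = {ASA: "asa", PROCURVE: "procurve", VLAN_GW: "procurve",
         PC2: "pc2", SERVER: "server"}                           # device owning each IP


def build_tables(host_route_on_procurve=False):
    """Constructed routing tables as (prefix, next hop); 'direct' = connected."""
    tables = {
        "pc2": [("10.6.1.0/24", "direct"), ("0.0.0.0/0", VLAN_GW)],
        "procurve": [("10.6.1.0/24", "direct"), ("10.1.0.0/16", "direct")],
        "asa": [("10.1.0.0/16", "direct"), ("10.6.1.0/24", PROCURVE)],  # route via 10.1.1.250
        "server": [("10.1.0.0/16", "direct"), ("0.0.0.0/0", ASA)],      # ASA is default gw
    }
    if host_route_on_procurve:                    # Marvin's /32 static via the ASA
        tables["procurve"].append((SERVER + "/32", ASA))
    return tables


def next_hop(table, dst):
    """Longest-prefix match; returns 'direct' or a next-hop address."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(tables, src, dst):
    """Devices a packet from src to dst passes through, source first."""
    node, path = OWNER[src], [OWNER[src]]
    while node != OWNER[dst] and len(path) < 8:   # hop limit guards against loops
        nh = next_hop(tables[node], dst)
        node = OWNER[dst] if nh == "direct" else OWNER[nh]
        path.append(node)
    return path


def tcp_connection_verdict(tables, client, server, tcp_state_bypass=False):
    """Stateful check: the ASA only accepts a SYN-ACK for a flow whose SYN it saw."""
    syn_path = trace(tables, client, server)
    synack_path = trace(tables, server, client)
    if "asa" in synack_path and "asa" not in syn_path and not tcp_state_bypass:
        return "dropped: ASA saw SYN-ACK without a matching SYN (asymmetric routing)"
    return "allowed"


if __name__ == "__main__":
    for fixed in (False, True):
        t = build_tables(host_route_on_procurve=fixed)
        print(f"host route={fixed}: SYN {trace(t, PC2, SERVER)}, "
              f"SYN-ACK {trace(t, SERVER, PC2)} -> {tcp_connection_verdict(t, PC2, SERVER)}")
```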
