Cisco Support Community
New Member

Routing on Cisco ASA 5520

I have a network that is connected via a VLAN configuration 10.x.x.x/24 that has a gateway of 10.x.x.x/16. I put a route on the firewall and I can ping the /24 network with no problem, but I believe I need an ACL on the firewall to allow traffic from 10.x.x.x/24 to come back to the internal 10.x.x.x/16 network via the firewall? The gateway and the firewall share the same network subnet. Could someone verify, as I am slated to go to ASA school but am learning the details in the meantime.

My Firewall is running 8.4(5).

Any help would be greatly appreciated.

Thank you, Carlos

Super Bronze

Routing on Cisco ASA 5520


I am afraid I don't quite understand your setup.

And since we are talking about private range IP addresses/subnets there is really no reason not to tell them here. Especially when we talk about routing. Depending on the network addresses you might have overlapping networks even.

Then again I am not sure how the 2 networks are connected to the ASA? Are they behind different interfaces of the ASA?

Could you perhaps share some configurations?

- Jouni

New Member

Routing on Cisco ASA 5520

Hello Jouni,

Sorry I wrote this request without details. Here is my configuration. My Firewall ASA has an address of My internal LAN is I have a gateway on the same net of that is connected to the same switch as my Firewall. This gateway is connected to a switch with VLAN configuration that hosts a network with gateway I have placed a route on the firewall that routes via I can ping and receive a reply to my Mitel VOIP system at but I cannot pull up its website on my PC that also sits on the I had it working with my SonicWall that we have finally retired.

That being said, do I need an ACL to allow traffic back from the to properly talk to the on the firewall? Or do I need a route?

As always, I appreciate your help.


Hall of Fame Super Silver

Routing on Cisco ASA 5520

Assuming the ASA is the default gateway for your PC, you need to add the line in your ASA:

same-security-traffic intra-interface


New Member

Routing on Cisco ASA 5520

I have this configuration in. The issue is I have an asymmetric routing problem. I've been looking at articles. I have placed these configurations in and I am still not able to connect PC 2 to the server. What am I missing?

# route /24
access-list tcp_bypass_VoIP_Net extended permit ip
class-map class_tcp_bypass_VoIP_Net
    match access-list tcp_bypass_VoIP_Net
policy-map tcp_bypass_policy
    class class_tcp_bypass_VoIP_Net
       set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside

Hall of Fame Super Silver

Routing on Cisco ASA 5520

I don't believe your service-policy is necessary.

Have you applied the same-security line I suggested above?

The other option would be a host route in the server for the network. Tell it to use the ProCurve interface of

New Member

Routing on Cisco ASA 5520

Hello Marvin,

Yes, the same-security line has been in place for a while. I have the route in place for the network to use the gateway on the ASA. It works fine. The issue is when I try to access anything on the network from PC 2 I cannot get anywhere. I've had Cisco technical support for help but we are all hitting a wall on this. There is something with the ASA and how it handles the SYN with asymmetrical routing that I am having challenges with. Any suggestions would be appreciated.

Thank you


Hall of Fame Super Silver

Re: Routing on Cisco ASA 5520

Hmm, yes, I could see that might well be a problem.

Since the ProCurve sees the as connected it will normally just ARP for hosts when it has a packet to forward onwards to a destination in that network. You could put a static route in the ProCurve for your server's host addresses to go via the ASA inside interface, making any /32 static be preferred over the /16 connected. That would make your routing symmetric.
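The failure Carlos and Marvin are circling (the ASA builds a connection on the SYN it forwards, but the SYN-ACK comes back around it through the switch), as an added Python model that is not part of this thread or any Cisco code: the firewall, host names, prefixes and next hops are constructed placeholders, and the last function shows why a /32 host route on the switch wins over its connected /16 and makes the reply path symmetric.

```python
# Constructed model (not from the thread) of why asymmetric routing breaks
# the ASA's stateful inspection: a TCP conn entry is built on the SYN and
# later packets must match that entry's state. Names/prefixes are placeholders.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    tcp_state_bypass: bool = False
    conns: dict = field(default_factory=dict)   # flow -> TCP state

    def forward(self, src: str, dst: str, flags: str) -> bool:
        """True if the packet is passed, False if dropped."""
        if self.tcp_state_bypass:
            return True                   # conn-state checks disabled for this flow
        key = frozenset({src, dst})       # one entry serves both directions
        state = self.conns.get(key)
        if flags == "SYN" and state is None:
            self.conns[key] = "SYN_SEEN"  # embryonic connection created on SYN
            return True
        if flags == "SYN-ACK" and state == "SYN_SEEN":
            self.conns[key] = "ESTABLISHED"
            return True
        return flags == "ACK" and state == "ESTABLISHED"   # else no conn / out of state

def handshake(fw: StatefulFirewall, reply_via_fw: bool) -> list:
    """PC -> server 3-way handshake. The PC's default gateway is the firewall,
    so the forward path always crosses it; the reply crosses it only when the
    L3 switch routes it back through the firewall (symmetric routing)."""
    steps = [fw.forward("pc", "server", "SYN")]
    if reply_via_fw:
        steps.append(fw.forward("server", "pc", "SYN-ACK"))
    else:
        steps.append(True)                # SYN-ACK reaches the PC via the switch, unseen
    steps.append(fw.forward("pc", "server", "ACK"))
    return steps

def next_hop(routes: list, dst: str) -> str:
    """Longest-prefix match as an L3 switch does it: a /32 host route beats
    the wider connected /16 for that single host."""
    d = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p, _ in routes if d in ipaddress.ip_network(p)]
    return dict(routes)[str(max(matches, key=lambda n: n.prefixlen))]

# Constructed L3-switch table: connected /16 plus a host route for the PC's address
SWITCH_ROUTES = [("10.0.0.0/16", "connected"), ("10.0.5.7/32", "asa-inside")]
```

With the /16 only, the reply takes the direct path and the PC's final ACK is dropped as out of state; with the /32 pointing at the ASA inside interface, or with tcp-state-bypass on the flow, the handshake completes.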