Cisco Support Community

Routing issue with ASA and UC540 phone system - at ASA???


Having an issue with routing from the PC at .242 to the CUE server at The CUE server is built into the UC540 phone system. It is an internal piece of software that is used for voicemail and management. The UC540 is not only a call router, it is also an IOS router. It has its own WAN connection as does the ASA.

Here are some facts:

1. Can ping the UC540's internal CUE server from the PC ( ping to )

2. Can ping the UC540's VLAN 1 address from the PC ( ping to )

3. The ASA is the default gateway for the PC.

4. I have a route inserted at the asa that is:

               route 1

5. I have a nat statement that prevents NAT from occurring but I don't think this is necessary as the network isn't otherwise defined on the ASA.

6. I cannot pull up a web page when I point the browser on the PC to the address

7. I CAN pull up a web page on the PC when I create a static route on the PC itself:

               route add mask

     It is only with this route that I am able to get to the web GUI on the phone system.

8. The phone system has a loopback interface at that serves as the gateway for the internal CUE server, the internal CUE server is at

9. The switch is a 2960 and has a trunk port to the phone system to allow for the voice vlan which is at, no issues with this vlan and phones are connecting to the system fine.

Since I can get the GUI to come up when I set a static route on the PC, then I would assume that the routing in the phone system with its internal server is fine as it wouldn't work otherwise. Since I can successfully ping the CUE server from the PC, that would lead me to believe that the ASA's routing is set up correctly... TCP traffic doesn't seem to get to/from the CUE server.

Here are the routing tables:


Gateway of last resort is to network

C is directly connected, outside

S [1/0] via, outside

S [1/0] via, inside

C is directly connected, inside

S* [1/0] via xx.xx.xx.xx, outside

The UC540 phone system's router side:

Gateway of last resort is xx.xx.xx.xx to network

S* [1/0] via xx.xx.xx.xx is variably subnetted, 7 subnets, 4 masks

C is directly connected, BVI100

L is directly connected, BVI100

C is directly connected, Loopback0

S is directly connected, Integrated-Service-Engine0/0

L is directly connected, Loopback0

C is directly connected, BVI1

L is directly connected, BVI1

      XX.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C       XX.XX.XX.XX/29 is directly connected, FastEthernet0/0

L        XX.XX.XX.XX/32 is directly connected, FastEthernet0/0 is subnetted, 1 subnets

S [1/0] via

The UC540's internal CUE server:

Main Routing Table:

           DEST            GATE            MASK                     IFACE          eth0                       eth0

Any help appreciated!!!


Routing issue with ASA and UC540 phone system - at ASA???

Hello, Nathan.

The ASA is not a usual router - it's a security device.

You might have missed the following command to enable intra-interface communication:

same-security-traffic permit intra-interface

Re: Routing issue with ASA and UC540 phone system - at ASA???

In this instance the ASA is providing the routing for the network. It is a relatively small network. I don't think the intra-interface command will help here as the ASA does not have any VLANs configured on it so there is no transfer between security levels, but I'll check tonight. I may be understanding the command incorrectly. The ASA should just be forwarding the traffic to the device at .254. Maybe it is the return traffic that is being blocked? I'll have to run some packet captures when I have the opportunity.

Were you able to solve this problem? It does sound like an issue with TCP state checking on the ASA. The firewall needs to see both sides of the traffic but the return traffic is going from your UC540 direct to the PC. The firewall essentially kills the traffic.

I would recommend disabling TCP state checking on the ASA and see if it works. Otherwise, you will need to stub route the UC540 as a separate VLAN off the ASA which needs to route through the ASA to reach the PC.

Here is an info page on the TCP State Bypass:

Please let me know how it works out.
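
The TCP state bypass suggested in the reply above, sketched as ASA configuration. This is an added example, not part of the original thread or any poster's configuration. The addresses in angle brackets are placeholders (the thread's addresses are not shown on the page), and the ACL, class-map and policy-map names are hypothetical. Matched flows lose stateful TCP checks, so the ACL is kept to the one PC subnet and the CUE network only.

```cisco
! Placeholders (not from the thread): <PC_NET> <PC_MASK> = PC subnet on inside,
! <CUE_NET> <CUE_MASK> = network behind the UC540 loopback,
! <PC_IP> / <CUE_IP> = single hosts used for testing.

! Traffic enters and leaves on the same interface (inside), so hairpinning
! must be allowed, as suggested in the first reply.
same-security-traffic permit intra-interface

! Match only the asymmetric flow: PC subnet to the CUE network.
! Hypothetical names: CUE_BYPASS_ACL, CUE_BYPASS_CLASS, CUE_BYPASS_POLICY.
access-list CUE_BYPASS_ACL extended permit tcp <PC_NET> <PC_MASK> <CUE_NET> <CUE_MASK>

class-map CUE_BYPASS_CLASS
 match access-list CUE_BYPASS_ACL

! The ASA sees only the PC -> CUE half of the conversation because the
! UC540 answers the PC directly. State bypass stops the ASA from
! enforcing TCP state on that half.
policy-map CUE_BYPASS_POLICY
 class CUE_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass

! Apply on the inside interface only, not globally.
service-policy CUE_BYPASS_POLICY interface inside

! Verification:
!   show conn                 (bypassed flows carry the "b" flag)
!   show service-policy interface inside
!   packet-tracer input inside tcp <PC_IP> 1024 <CUE_IP> 80
!   capture CUECAP interface inside match tcp host <PC_IP> host <CUE_IP>
!   show capture CUECAP
```

The alternative given in the same reply, placing the UC540 on its own VLAN off the ASA so both directions cross the firewall, keeps stateful inspection intact and needs no bypass policy.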
