
ASA 5510 with double interfaces, connections fail.

Good day guys,

I have scratched my head until bleeding over the following issue, which I can’t seem to resolve. We have an ASA 5510 with 2 interfaces, one for voice and the other for data, on the inside and on the outside. Please refer to the attached diagram and configuration.

On the router before the switch, I have routed all voice traffic to use the “inside voice” and all data traffic to use the “inside data” interfaces of the ASA as the next hop.  On the ASA I have routed the outgoing and my subnets accordingly.

If I have traffic going from the “inside voice” to “outside voice” and “inside data” to “outside data”, everything works like a champ. However, if I have traffic going from “inside data” to “outside voice” or “inside voice” to “outside data”, the applications do not connect. Sometimes I see a “Routing Failed” message and most of the time I see a “Deny (no connection)”.

Routing failed to locate next hop for TCP from WAN_DATOS:a.x.10.5/22 to LAN_DATOS:

Deny TCP (no connection) from b.x.248.37/61440 to flags RST ACK on interface WAN_VOZ

I have made a packet capture from the ASA and I see a bunch of RST, ACK on the “inside” and SYN on the “outside”.

I know for a fact that if the routing is done to correspond with the interfaces, the applications on those subnets start to work, but the others fail.

I have tried the “same-security-traffic permit intra-interface” and “same-security-traffic permit inter-interface” commands, and that did not work either.

Any help would be appreciated.


interface Ethernet0/0
 nameif WAN_DATOS
 security-level 0
 ip address

interface Ethernet0/1
 nameif LAN_DATOS
 security-level 100
 ip address

interface Ethernet0/2
 nameif WAN_VOZ
 security-level 0
 ip address

interface Ethernet0/3
 nameif LAN_VOZ
 security-level 100
 ip address

object network OPS-NET-17-5

object network DATA-NET
 subnet a.x.10.0
object network DATA-NET2
 subnet a.x.14.0
object network DATA-NET3
 subnet a.x.173.0
object network NAT_DATA_13

object-group network DM_INLINE_NETWORK_1
 network-object b.x.248.0
 network-object b.x.252.0
 network-object host b.x.10.5
 network-object host b.x.14.27
object-group network DM_INLINE_NETWORK_3

object-group network DM_INLINE_NETWORK_12
 network-object object DATA-NET
 network-object object DATA-NET2
 network-object object DATA-NET3

access-list WAN_VOZ_access_in extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_3
access-list LAN_VOZ_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any
access-list LAN_DATOS_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any
access-list WAN_DATOS_access_in extended permit ip object-group DM_INLINE_NETWORK_12 object-group DM_INLINE_NETWORK_3

nat (any,WAN_DATOS) source dynamic OPS-NET-17-5 NAT_DATA_13

route LAN_VOZ 1
route LAN_VOZ 1
route LAN_VOZ 1
route WAN_DATOS a.x.10.0 1
route WAN_DATOS a.x.14.0 1
route WAN_DATOS a.x.173.0 1
route WAN_VOZ b.x.248.0 1
route WAN_VOZ b.x.252.0 1
