Cisco Support Community

ASA 5510 with double interfaces, connections fail.

Good day guys,

I have scratched my head until bleeding with the following issue which I can’t seem to resolve. We have an ASA 5510 with 2 interfaces, one for voice and the other for data, on the inside and on the outside. Please refer to the attached diagram and configuration.

On the router before the switch, I have routed all voice traffic to use the “inside voice” and all data traffic to use the “inside data” interfaces of the ASA as the next hop.  On the ASA I have routed the outgoing and my subnets accordingly.

If I have traffic going from the “inside voice” to “outside voice” and “inside data” to “outside data”, everything works like a champ. However, if I have traffic going from “inside data” to “outside voice” or “inside voice” to “outside data”, the applications do not connect. Sometimes I see a “Routing Failed” message and most of the time I see a “Deny (no connection)”.

Routing failed to locate next hop for TCP from WAN_DATOS:a.x.10.5/22 to LAN_DATOS:192.168.17.236/1102

Deny TCP (no connection) from b.x.248.37/61440 to 192.168.17.236/13926 flags RST ACK on interface WAN_VOZ

I have made a packet capture from the ASA and I see a bunch of RST, ACK on the “inside” and SYN on the “outside”.

I know for a fact that if the routing is done to correspond with the interfaces the applications on those subnets start to work but the others fail.

I have tried the “same-security-traffic permit intra-interface” and “same-security-traffic permit inter-interface” and that did not work either.

Any help would be appreciated.

topology2.png

interface Ethernet0/0
 nameif WAN_DATOS
 security-level 0
 ip address 10.116.129.10 255.255.255.252
!
interface Ethernet0/1
 nameif LAN_DATOS
 security-level 100
 ip address 192.168.47.220 255.255.255.0
!
interface Ethernet0/2
 nameif WAN_VOZ
 security-level 0
 ip address 10.116.129.14 255.255.255.252
!
interface Ethernet0/3
 nameif LAN_VOZ
 security-level 100
 ip address 192.168.44.55 255.255.255.0
!
object network OPS-NET-17-5
 subnet 192.168.17.128 255.255.255.224
object network DATA-NET
 subnet a.x.10.0 255.255.255.0
object network DATA-NET2
 subnet a.x.14.0 255.255.255.0
object network DATA-NET3
 subnet a.x.173.0 255.255.255.0
object network NAT_DATA_13
 host 192.168.60.13
object-group network DM_INLINE_NETWORK_1
 network-object b.x.248.0 255.255.255.192
 network-object b.x.252.0 255.255.255.192
 network-object host b.x.10.5
 network-object host b.x.14.27
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.121.0 255.255.255.0
 network-object 192.168.44.0 255.255.255.0
 network-object 192.168.17.0 255.255.255.0
 network-object 192.168.21.0 255.255.255.0
object-group network DM_INLINE_NETWORK_12
 network-object object DATA-NET
 network-object object DATA-NET2
 network-object object DATA-NET3
access-list WAN_VOZ_access_in extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_3
access-list LAN_VOZ_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any
access-list LAN_DATOS_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any
access-list WAN_DATOS_access_in extended permit ip object-group DM_INLINE_NETWORK_12 object-group DM_INLINE_NETWORK_3
!
nat (any,WAN_DATOS) source dynamic OPS-NET-17-5 NAT_DATA_13
!
route LAN_VOZ 192.168.17.0 255.255.255.0 192.168.47.254 1
route LAN_VOZ 192.168.14.0 255.255.255.0 192.168.44.254 1
route LAN_VOZ 192.168.121.0 255.255.255.0 192.168.44.254 1
route WAN_DATOS a.x.10.0 255.255.255.0 10.116.129.9 1
route WAN_DATOS a.x.14.0 255.255.255.0 10.116.129.9 1
route WAN_DATOS a.x.173.0 255.255.255.0 10.116.129.9 1
route WAN_VOZ b.x.248.0 255.255.255.192 10.116.129.13 1
route WAN_VOZ b.x.252.0 255.255.255.192 10.116.129.13 1
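
A consistency check over the interface and route statements posted above, as an added example that is not part of the original post: it flags static routes whose next hop is not on the subnet of the interface they name, and lists which interfaces have a route covering a given destination (here the destination from the "Routing failed" log line). The function names are hypothetical, and the routes to the redacted a.x / b.x networks are left out because they cannot be parsed.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Interface and route lines copied from the post. Routes to the redacted
# a.x / b.x networks are left out because they cannot be parsed.
CONFIG = """\
interface Ethernet0/0
 nameif WAN_DATOS
 ip address 10.116.129.10 255.255.255.252
interface Ethernet0/1
 nameif LAN_DATOS
 ip address 192.168.47.220 255.255.255.0
interface Ethernet0/2
 nameif WAN_VOZ
 ip address 10.116.129.14 255.255.255.252
interface Ethernet0/3
 nameif LAN_VOZ
 ip address 192.168.44.55 255.255.255.0
route LAN_VOZ 192.168.17.0 255.255.255.0 192.168.47.254 1
route LAN_VOZ 192.168.14.0 255.255.255.0 192.168.44.254 1
route LAN_VOZ 192.168.121.0 255.255.255.0 192.168.44.254 1
"""

def parse(config):
    """Return ({nameif: connected network}, [(nameif, prefix, next_hop)])."""
    connected, routes, name = {}, [], None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["nameif"]:
            name = w[1]
        elif w[:2] == ["ip", "address"]:
            connected[name] = ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:1] == ["route"]:
            routes.append((w[1], ip_network(f"{w[2]}/{w[3]}"), ip_address(w[4])))
    return connected, routes

def off_subnet_next_hops(connected, routes):
    """Static routes whose next hop is not on the named interface's subnet."""
    return [(n, str(p), str(h)) for n, p, h in routes if h not in connected[n]]

def interfaces_with_route(connected, routes, dst):
    """Interfaces that have a connected or static route covering dst."""
    dst = ip_address(dst)
    hits = {n for n, net in connected.items() if dst in net}
    return sorted(hits | {n for n, p, _ in routes if dst in p})

if __name__ == "__main__":
    nets, static = parse(CONFIG)
    print("off-subnet next hops:", off_subnet_next_hops(nets, static))
    print("routes to 192.168.17.236 on:", interfaces_with_route(nets, static, "192.168.17.236"))
```

On the posted lines it reports the 192.168.17.0/24 route on LAN_VOZ with a next hop inside the LAN_DATOS subnet, and finds no route to 192.168.17.236 on LAN_DATOS, the interface named in the log message.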
