ASA 5510 – Enable Traffic Between Hosts on the Same Interface

cisco-asa

I have three hosts connected to my ASA; two security cameras and one server running the security software.

All ports belong to one interface, all on the same VLAN. The cameras and server can access each other just fine, but I don't have "Enable traffic between two or more hosts connected to the same interface" selected. Shouldn't that be required for this to work, or am I misunderstanding it?

Best Answer

I don't believe the ASA is considering the ports to "all belong to one interface". One might say they "share" an SVI, but that's unrelated. Traffic between ports of the same VLAN aren't being routed.

The feature you're referring to allows the ASA to 'hairpin' route, or send traffic back out the same interface on which it arrived.

Take for example this contrived topology:

R1, FW1, and R3 share the 10.0.0.0/24 network. R1 has a default route to FW1. R3 is advertising 192.168.0.0/24 to FW1 via EIGRP.

To reach 192.168.0.0/24, R1 uses its default route to FW1, where the traffic ingresses on Gi0/0. FW1 can then route it back out Gi0/0 to R3.

If you do a search for 'ASA allow hairpinning' you'll probably find a few more realistic examples.

Related Solutions

Cisco – ASA vlans on multiple physical interfaces.

The ASA 5520 doesn't have the 'built-in switch' like the ASA 5505 does. To answer your question, you would need to rearrange things...but not necessarily physically. You don't state how the uplink is setup, but if it's switched instead of routed, you should be able to have both core switches reach the ASA without moving cables. Alternatively, or in addition to that, I'd recommend adding a second 5520 and using active/active failover between the two.

On a related side note, you don't typically want WAN/Internet connected directly to the core anyway (following the "modular network design").

Cisco ASA – Moving Interface Names on a Cisco ASA While Maintaining Configuration

Leave the physical port you are using as the untagged VLAN. You can direct that traffic to a VLAN# on your switch by setting the Native VLAN the VLAN# you want that traffic to be on.

Then for every new VLAN you are adding to your ASA, make that a sub interface.

I don't have an ASA to validate this code, but it will look something like this:

interface gig0/0
  nameif ORIGINAL-NAMEIF
  security-level 100

interface gig0/0.20
  vlan 20
  nameif NEW-VLAN-2
  security-level 20

interface gig0/0.30
  vlan 30
  nameif NEW-VLAN-3
  security-level 30

etc. It should allow you to add new sub interfaces without making any changes to your original interface. The "root" interface doesn't include a VLAN tag, so that traffic is unchanged.

You can run it this way indefinitely, or change it so everything is using VLAN tags at a later date when its more convenient for you to bring the network down.

Best Answer

Related Solutions

Cisco – ASA vlans on multiple physical interfaces.

Cisco ASA – Moving Interface Names on a Cisco ASA While Maintaining Configuration

Related Topic