Thursday, December 20, 2018

Losing my mind over ASA routing issues...cannot talk to two internal networks from the same subnet

To make a long story short...I've set up a pair of ASAs (5516) for failover with 3 interfaces/IPs and I'm having a particularly odd issue:

Gi1/1 -- WAN interface (1.1.1.10/24) -- Security level 0

Gi1/2 -- Internal network A (10.1.0.10/24) -- Security level 100

Gi1/3 -- Internal network B (10.2.0.10/24) -- Security level 100

Gi1/4 -- Disabled

Gi1/5 -- Disabled

Gi1/6 -- Disabled

Gi1/7 -- Failover (stateful)

Gi1/8 -- Failover (status)

I'm able to get Gi1/1 and Gi1/2 both working flawlessly with very standard routes:

ip route 10.0.0.0/8 10.1.0.1 (metric 10)

ip route 172.16.0.0/12 10.1.0.1 (metric 10)

ip route 192.168.0.0/16 10.1.0.1 (metric 10)

ip route 0.0.0.0 0.0.0.0 1.1.1.1 (metric 100)

So, I'm just sending everything internal to the gateway for Gi1/2 and everything else going out to the internet via Gi1/1's gateway...but nothing can talk to Gi1/3 with this and that's a problem.

Put another way...10.3.0.100 can talk to 10.1 all day long but 10.2 traffic is broken (due to the static routes?).

I've created a workaround by subnetting our 10.0.0.0/8 into multiple networks to isolate 10.2 on its own (so I can add a machine to 10.2 for management/monitoring) but there has to be a better way (which allows 10.3 to talk to 10.1 as well as 10.2).

We don't have anybody specifically doing networking here and I'm just not familiar with ASAs so I'm sure there's a feature I need to go research/implement (my best guess is Bridging, Route Maps or Traffic Zones)...I'm just hoping to get someone to point me in the right direction.

Thanks
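To see where the routes listed above actually send traffic, here is an added example (my own, not from the post) that applies an ASA-style longest-prefix-match lookup to that table. It assumes the three interface networks are present as directly connected routes, which the ASA installs automatically, and the source/destination addresses used are constructed for the demonstration.

```python
import ipaddress

# Interfaces from the post: name -> (address/mask, security level).
INTERFACES = {
    "Gi1/1": ("1.1.1.10/24", 0),     # WAN
    "Gi1/2": ("10.1.0.10/24", 100),  # Internal network A
    "Gi1/3": ("10.2.0.10/24", 100),  # Internal network B
}

# Static routes from the post: (prefix, next hop, egress interface, distance).
STATIC_ROUTES = [
    ("10.0.0.0/8", "10.1.0.1", "Gi1/2", 10),
    ("172.16.0.0/12", "10.1.0.1", "Gi1/2", 10),
    ("192.168.0.0/16", "10.1.0.1", "Gi1/2", 10),
    ("0.0.0.0/0", "1.1.1.1", "Gi1/1", 100),
]


def build_table():
    """Routing table = connected routes (assumed, distance 0) + static routes."""
    table = []
    for name, (addr, _level) in INTERFACES.items():
        table.append((ipaddress.ip_interface(addr).network, None, name, 0))
    for prefix, next_hop, iface, distance in STATIC_ROUTES:
        table.append((ipaddress.ip_network(prefix), next_hop, iface, distance))
    return table


def lookup(dst, table=None):
    """Pick the route for dst: longest prefix wins, then lowest distance."""
    table = build_table() if table is None else table
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return {"prefix": str(best[0]),
            "next_hop": best[1] or "connected",
            "interface": best[2]}


def path(src, dst):
    """Ingress/egress interfaces for a src->dst packet, plus whether the flow
    crosses two different interfaces at the same security level."""
    table = build_table()
    ingress = lookup(src, table)["interface"]
    egress = lookup(dst, table)["interface"]
    same_level = (ingress != egress and
                  INTERFACES[ingress][1] == INTERFACES[egress][1])
    return ingress, egress, same_level
```

The lookup shows that 10.2.0.0/24 is reached directly on Gi1/3 even with the 10.0.0.0/8 static in place, so a 10.3 to 10.2 flow enters on Gi1/2 and leaves on Gi1/3, two interfaces both at security level 100. An ASA drops such traffic unless `same-security-traffic permit inter-interface` is configured; that is a documented ASA setting, not something the post states, and the return path on the 10.2 side must also route 10.3 back through the ASA.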
