Solution: the ASAs were dropping the traffic because they treated it as some kind of spoofing. See what happened below.
I had a problem come up not too long ago at a customer where their Cisco ASA pair was seeing traffic sourced FROM their internal network and destined TO their internal network. This was odd, since there was a layer 3 port on the Brocade core connected to the HA ASAs. The ASAs sat on a 10.10.1.X network (a VLAN on the Brocade), and the internal network was simply another VLAN on that same Brocade switch. That is not normal behavior: traffic sourced from and destined to hosts in the same internal VLAN should be switched purely at layer 2 on the core and never reach the firewall at all. Below is a (generic) diagram of the network, and the capture I took to troubleshoot whether the traffic was really being seen by the ASAs.
What I found was that the port on the core switch facing the ASAs is a trunk port (a tagged port, in Brocade terms). The ASAs have subinterfaces on them, one per VLAN, and the Brocade had the internal VLAN (VLAN 1 in this case) on that tagged port as well. When I took the tagged port connected to the ASA out of VLAN 1, everything started working again, and the ASAs no longer see the internal traffic.
This was purely a configuration problem. When you configure your trunk ports, carry only the VLANs that actually need to be there. In the case of the ASAs, I only needed the VLANs that matched the ASA subinterfaces; any extra VLAN on the trunk simply hands the firewall traffic it has no business seeing.
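A quick way to catch this kind of trunk mismatch before it bites is to compare the VLANs tagged on the switch port facing the firewall against the VLANs the ASA subinterfaces actually expect. The script below is an added example and not part of the original post or any vendor tool: it parses two constructed config fragments, a simplified Brocade FastIron-style VLAN configuration (the `vlan N name X by port` / `tagged ethe ...` syntax is an assumption of the example) and a Cisco ASA interface configuration, and reports any VLAN on the trunk with no matching ASA subinterface (the VLAN 1 mistake above) as well as any ASA subinterface VLAN missing from the trunk. The port number `1/1/24`, VLAN numbers, names and addresses are all made up for the example.

```python
"""Audit a switch trunk against the ASA subinterfaces it feeds.

Added example (not from the original post). All configuration text below is
constructed for illustration; the Brocade syntax is a simplified assumption.
"""
import re

# Constructed sample: Brocade-style core config. Port 1/1/24 is the link to
# the ASA pair. VLAN 1 (the internal user VLAN) is wrongly tagged on it.
BROCADE_CONFIG = """\
vlan 1 name INTERNAL by port
 tagged ethe 1/1/24
 untagged ethe 1/1/1 to 1/1/20
 router-interface ve 1
!
vlan 10 name ASA-OUTSIDE by port
 tagged ethe 1/1/24
!
vlan 20 name ASA-INSIDE by port
 tagged ethe 1/1/24
 router-interface ve 20
!
vlan 30 name ASA-DMZ by port
 tagged ethe 1/1/24
!
"""

# The same config with the ASA-facing port pruned from VLAN 1 (the fix).
FIXED_CONFIG = BROCADE_CONFIG.replace(
    "vlan 1 name INTERNAL by port\n tagged ethe 1/1/24\n",
    "vlan 1 name INTERNAL by port\n", 1)

# Constructed sample: ASA interface config, one subinterface per VLAN.
ASA_CONFIG = """\
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside
 security-level 100
 ip address 10.10.1.2 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
"""


def expand_ports(spec):
    """Expand 'ethe 1/1/1 to 1/1/4 ethe 1/1/24' into a set of port names.
    Ranges are assumed to stay within one unit/slot (simplified syntax)."""
    ports = set()
    for start, end in re.findall(r"ethe (\S+)(?: to (\S+))?", spec):
        if not end:
            ports.add(start)
            continue
        prefix, first = start.rsplit("/", 1)
        last = end.rsplit("/", 1)[1]
        for n in range(int(first), int(last) + 1):
            ports.add("%s/%d" % (prefix, n))
    return ports


def trunk_vlans(switch_cfg, port):
    """Return {vlan_id: name} for every VLAN in which `port` is tagged."""
    vlans, current = {}, None
    for line in switch_cfg.splitlines():
        header = re.match(r"vlan (\d+)(?: name (\S+))?", line)
        if header:
            current = (int(header.group(1)), header.group(2) or "")
        elif current and re.match(r"\s*tagged ", line):
            if port in expand_ports(line):
                vlans[current[0]] = current[1]
    return vlans


def asa_subinterface_vlans(asa_cfg):
    """Return {vlan_id: nameif} for every ASA subinterface with a 'vlan' line."""
    vlans, vlan, name = {}, None, None
    for line in asa_cfg.splitlines():
        if line.startswith("interface "):
            if vlan is not None:
                vlans[vlan] = name or ""
            vlan, name = None, None
        elif re.match(r"\s+vlan (\d+)", line):
            vlan = int(re.match(r"\s+vlan (\d+)", line).group(1))
        elif re.match(r"\s+nameif (\S+)", line):
            name = re.match(r"\s+nameif (\S+)", line).group(1)
    if vlan is not None:
        vlans[vlan] = name or ""
    return vlans


def audit_trunk(switch_cfg, asa_cfg, port):
    """Return (extra, missing): VLANs on the trunk the ASA never terminates,
    and ASA subinterface VLANs the trunk does not carry."""
    on_trunk = trunk_vlans(switch_cfg, port)
    on_asa = asa_subinterface_vlans(asa_cfg)
    extra = {v: n for v, n in on_trunk.items() if v not in on_asa}
    missing = {v: n for v, n in on_asa.items() if v not in on_trunk}
    return extra, missing


if __name__ == "__main__":
    for label, cfg in (("before", BROCADE_CONFIG), ("after", FIXED_CONFIG)):
        extra, missing = audit_trunk(cfg, ASA_CONFIG, "1/1/24")
        print(label, "leaking to ASA:", extra, "absent from trunk:", missing)
```

Run against the constructed "before" config it flags VLAN 1 (INTERNAL) as leaking onto the firewall link; against the pruned config it reports nothing, which is the state the trunk should be in: exactly the set of VLANs the ASA subinterfaces terminate, no more and no less.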