MS 350 behind ASA 5516 won't route traffic

Guest2019
New here


Hello,

In all of my previous networks that I've managed I used EIGRP on Cisco ASAs to connect to Catalyst L3 switches and it worked flawlessly with minimal setup.  This is my first L3 Meraki network and I'm having issues getting it to properly route traffic sitting behind an ASA 5516-X.

My inside interface on the ASA is 172.17.10.1/24. On the MS I have 3 VLANs (172.17.10.0/24, 172.17.20.0/24, and 172.17.30.0/24). I configured the uplink route of 0.0.0.0/0 with the next hop being the IP of the inside interface on the ASA, 172.17.10.1.  On the ASA I have static routes for each of the VLANs pointing at the IP of the VLAN interface.  The management IPs of the Merakis are in the 172.17.10.0/24 range and they can all get to the internet.  However, anything on VLAN 20 and 30 can't and I'm at a loss.  A device on VLAN 20 or 30 can ping each of the VLANs on the device but can't ping the ASA.  Any ideas?

Thanks in advance.

4 Replies
PhilipDAth
Kind of a big deal

My first guess is the ASA is not configured to NAT the extra VLANs.

My next guess is missing access-list entries on the ASA.

Thanks for the suggestion but it wasn't NAT or ACL. In my current Cisco networks I've avoided using VLAN 1 for anything and I was attempting to do the same on this network but Meraki makes that pretty difficult to do.  I had VLAN 10 set as the native VLAN which apparently was causing the issues.  Once I added VLAN 1 as a transit VLAN to the 350 and pointed the ASA static route at that and set it as the native VLAN on the Meraki switches it worked.  If anyone has any ideas on how to eliminate VLAN 1 from the environment I'm all ears.

Thanks again for the suggestions.

PhilipDAth
Kind of a big deal

>On the ASA I have static routes for each of the VLANs pointing at the IP of the VLAN interface

Specifically this needs to be the VLAN interface with a 172.17.10.x/24 address.

It is also possible you have a subnet mask wrong somewhere.
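An added example, not part of the thread: a small Python check for the two conditions raised in the reply above, namely that each ASA static route's next hop sits on the inside interface's connected subnet and that each destination agrees with its mask. The inside address 172.17.10.1/24 comes from the original post; the route lines and the switch interface addresses (172.17.10.2, 172.17.20.1) are constructed for illustration.

```python
import ipaddress

# Inside interface address is from the post; the dict layout is an assumption.
INTERFACES = {"inside": ipaddress.ip_interface("172.17.10.1/24")}

# Constructed sample ASA routes (syntax: route <if_name> <dest> <mask> <gateway>).
# The switch SVI addresses 172.17.10.2 and 172.17.20.1 are assumed values.
SAMPLE_ROUTES = """\
route inside 172.17.20.0 255.255.255.0 172.17.20.1
route inside 172.17.30.0 255.255.255.0 172.17.10.2
route inside 172.17.30.0 255.255.0.0 172.17.10.2
"""

def check_routes(config, interfaces):
    """Return (line, reason) for every static route that cannot work as written."""
    findings = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        ifname, dest, mask, gw = parts[1:5]
        iface = interfaces.get(ifname)
        if iface is None:
            findings.append((line, "unknown interface"))
            continue
        try:
            # Strict parsing rejects a destination with host bits set for its mask.
            ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError:
            findings.append((line, "destination does not match mask"))
            continue
        gateway = ipaddress.ip_address(gw)
        if gateway not in iface.network:
            # The ASA can only reach a next hop on a directly connected subnet.
            findings.append((line, f"next hop {gw} not in {iface.network}"))
        elif gateway == iface.ip:
            findings.append((line, "next hop is the ASA's own address"))
    return findings

if __name__ == "__main__":
    for line, reason in check_routes(SAMPLE_ROUTES, INTERFACES):
        print(f"{reason}: {line}")
```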

cmr
Kind of a big deal

What device is routing between the VLANs? If the MS is doing it, then on the ASA all traffic should go to one of them, say the 10 VLAN.
