topic Re: ASA 5520 Sub Interface problems in Network Security

ASA 5520 Sub Interface problems

jason.scott — Mon, 11 Mar 2019 09:52:15 GMT

Hi All,

Another question 😞

On an ASA 5520 I am trying to configure sub interfaces. However was created I am unable to ping that sub interfaces address from anywhere outside of its subnet. The setup is as follows:

GIG0/0 Inside, 10.177.8.41, 255.255.255.248, Native, Security level 100

GIG0/0.27 Test, 10.177.27.240, 255.255.255.0, Vlan 27, Security level 100

GIG0/1 Outside, 1.1.1.1, 255.255.255.248, Native, Security level 0

Configured routes are:

10.177.0.0, 255.255.128.0 > 10.177.8.46

If I ping from a device within the 10.177.27.x subnet I can reach the Test subinterface. If I ping from outside of that subnet (ie from my machine of 10.177.29.251) I get no response. The logs on the ASA show the following:

110003 Routing failed to locate next hop for icmp from Test:10.177.27.240/0 to Test:10.177.29.251/0

On my switch which connects the ASA to the network I have the uplink configured as untagged for the 10.177.8.40 network and tagged for vlan 27 (10.177.27.0/24).

I've looked through the Cisco Press book and the online docs and followed everything mentioned. The behaviour of the failed pings is typical of devices configured without any default gateway. I would imagine the routing on the box should take care of that.

I've also tried enabling communication between interfaces with the same security level or between multiple hosts on the same interface.

Any help greatly appreciated.

Re: ASA 5520 Sub Interface problems

DfyAnt — Tue, 27 Mar 2007 13:34:42 GMT

You need to setup a trunk between the ASA and a router. Remember, the ASA is not a router and cannot route between vlans.

Re: ASA 5520 Sub Interface problems

abinjola — Wed, 28 Mar 2007 01:15:30 GMT

dont scratch your head on this anymore...its not ya fault

Check this bug CSCsd85281

http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl

Re: ASA 5520 Sub Interface problems

vitripat — Wed, 28 Mar 2007 01:43:39 GMT

Hello Jason,

It seems that issue is neither with the trunking, nor with the bug as mentioned previously on this post.

ASA is behaving as it is expected to. Let me explain.

Test interface connects directly to 10.177.27.0/24 network only. Then you have the route-

10.177.0.0 255.255.128.0 --> 10.177.8.46

Now you are initiating PING from 10.177.29.251, which as per the configuration of ASA is on the Native interface, because the above route points to 10.177.8.46, which is part of the Native interface.

So logically, your host which is on the Native interface, is trying to ping altogether a different interface of ASA. This is simply not possible. ASA does not allow to ping the other side interface from a host on a different interface. Please refer to following link for the same-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#pingsown

However, if you requirement is that 10.177.29.251 should be in vlan27, then we need to make configuration changes on the ASA.

Let me know if this explains the bhaviour of ASA. Hope this helps.

Regards,

Vibhor.

Re: ASA 5520 Sub Interface problems

DfyAnt — Wed, 28 Mar 2007 04:37:03 GMT

I can ping from one interface to another on my firewall. I have icmp enable of course.

By the way, your link is for PIX Software Versions 4.1(6) to 4.2(2).

I dont agree with you.

Re: ASA 5520 Sub Interface problems

jason.scott — Wed, 28 Mar 2007 07:01:02 GMT

Thanks Vibhor. I started to think along these lines yesterday and come to the same conclusion. Presumably however if some ACLs were configured I should be able to permit some traffic between hosts on these interfaces (ie inside > dmz sub interface or reverse)?

It makes sense that by default the networks on the sub interfaces are seperate - just as they would be in a physical port configuration.

Re: ASA 5520 Sub Interface problems

jason.scott — Wed, 28 Mar 2007 07:04:03 GMT

Hrm, that sounds like it should be the cause, however we're running 7.2(10) which I believe includes the fix for this particular bug.

Having said that I would've thought the ASA would return a message stating the packet was denied because of internal policies rather than complaining of a routing issue.

Re: ASA 5520 Sub Interface problems

vitripat — Wed, 28 Mar 2007 07:52:42 GMT

It seems that you have not at all understood what I explained and gave your opinion. First off, we were not talking about pinging the firewalls interfaces from firewall itself. We were talking about pinging firewalls interface from a host on different interface. I hope you understand this now.

Next, it seems that you didnt carefully read the link posted also. Here is a line from the link-

"Components Used

The information in this document is based on PIX Software versions 4.1(6) and later."

This looks very contradictory to your statement- "By the way, your link is for PIX Software Versions 4.1(6) to 4.2(2)."

I hope you are clear on this now. Let me know if you need further clarifications.

Regards,

Vibhor.

Re: ASA 5520 Sub Interface problems

vitripat — Wed, 28 Mar 2007 07:55:47 GMT

Absolutely. If you need to allow hosts on Native interface to be able to ping hosts on the vlan27 interface, we can do so using static/access-lists etc.

On the same link I mentioned earlier, it explains how to permit ICMP traffic through (through because traffic is supposed to pass 2 interfaces and traverse logically through PIX) PIX-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

Hope this helps.

Regards,

Vibhor.

Re: ASA 5520 Sub Interface problems

hoogen_82 — Wed, 28 Mar 2007 11:10:21 GMT

Hmm.. Once you have enabled the same security intra interface, do you have dynamic nat statements already present in the config? You need to do a no nat configuration to allow access between these hosts.

-Hoogen