topic ASA 5506-X-W trunk in Network Security

ASA 5506-X-W trunk

ktoft — Fri, 21 Feb 2020 14:17:22 GMT

I have some trouble creating a "trunk" on the ASA5506-x-w.

On the old 5505 easy switchport trunk etc..

but on the 5506 with sub-interfacec, i have a hard time to get my setup working, (simple setup)

and is a bit embarrassed that i have to ask for help about this, but i am in a dead lock and don't know how to get any further.

the setup:

have a inside network 192.168.1.0/24 vlan10 and have a DMZ 192.168.200.0/24. vlan 200

My main building only have vlan 10 and the other building have both vlan 10 and 200 (Trunk)

from my main building a can reach vlan 200 but not my default vlan 10.

from my other building i can reach vlan 10 and internet.

as is it now in a non working state:

ASA:

interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/3.1
shutdown
vlan 1
bridge-group 1
nameif inside-vlan1
security-level 100
!
interface GigabitEthernet1/3.10
vlan 10
nameif inside-vlan10
security-level 100
no ip address
!
interface GigabitEthernet1/3.200
vlan 200
nameif DMZ
security-level 50
ip address 192.168.200.1 255.255.255.0

interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

Switch:

(can't reach the switch right now, so this is from memmory)

interface gigabit 0/1

switchport mode trunk

switchport mode trunk native vlan 10

switchport allowed vlan 1,20,200

fa interface 0/1

switchport access

swich port access vlan 10

fa interface 0/3

switchport access

swich port access vlan 200

vlan 1,10,200

interface vlan 200

ip add 192.168.1.200/24

default gateway 192.168.1.1

Do anyone know what i am doint wrong?

Br Kevin

Re: ASA 5506-X-W trunk

Francesco Molino — Sat, 09 Sep 2017 23:57:29 GMT

Why are you using bridge-group ?

Your subnets are 192.168.1.0/24 for vlan10 and 192.168.200.0/24 for DMZ.

Have you tried the following configuration?

interface GigabitEthernet1/3

no nameif

no security-level

no ip address

no shutdown

interface GigabitEthernet1/3.10

vlan 10

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

no shutdown

interface GigabitEthernet1/3.200

vlan 200

nameif dmz

security-level 100

ip address 192.168.200.1 255.255.255.0

no shutdown

This configuration is straight forward and standard. Try that and let us know.

Re: ASA 5506-X-W trunk

ktoft — Sun, 10 Sep 2017 05:59:55 GMT

Hi Francesco

Thanks for the reply

I am using bridge-group because i want the "switch" function of the asa.

I have a AP direct attached in gi 0/2 to provide wireless to my house.

I dont have a switch in my main building

And from what i know i have to ude bridge-group to get this function or is there a nother way?

Re: ASA 5506-X-W trunk

Francesco Molino — Sun, 10 Sep 2017 15:21:54 GMT

I missed the part where you don't have switch on your site and this is why you absoluetly need to use bridge-group.

I'm using an ASAv version 9.8 within GNS3 to make it quick.

PC1 is connected on G0/0

PC2 is connected on G0/1

PC3 is connected on G0/2

PC4 and switch are connected to G0/3

ISP router connected to G0/4

I attach the ASA config, then you can take a look how I managed the bridge-group and apply the same philosophy to your asa. It's a very basic config with acl permitting any just to show you how it works.

All PCs can be reached no matter from which vlan you're.

Re: ASA 5506-X-W trunk

ktoft — Mon, 11 Sep 2017 20:39:49 GMT

HI franccesco

sorry to say still cant get it to work?

i got it to semi work, i could reach the guest house from the main house, as i want but then the guest house lost its internet access.. Hmmm and now back to only being able to reach vlan 200

i have changed vlan 10 to 1 just to see if that did anything good.

cant figure out what i am doing wrong.. here is my config

Switch config:

version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xx
!
clock timezone cet 1
clock summer-time ECTD recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
ip dhcp excluded-address 192.168.200.1 192.168.200.5
!
ip dhcp pool xx-pool
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.1
   dns-server 8.8.8.8 8.8.4.4
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet0/1
switchport mode access
random-detect
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport mode access
shutdown
random-detect
spanning-tree portfast
!
interface FastEthernet0/4
switchport mode access
shutdown
random-detect
spanning-tree portfast
!
interface FastEthernet0/5
switchport mode access
shutdown
random-detect
spanning-tree portfast
!
interface FastEthernet0/6
switchport mode access
shutdown
random-detect
spanning-tree portfast
!
interface FastEthernet0/7
switchport mode access
shutdown
random-detect
spanning-tree portfast
!
interface FastEthernet0/8
switchport mode access
shutdown
random-detect
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport mode trunk
no keepalive
spanning-tree portfast
!
interface Vlan1
ip address 192.168.1.200 255.255.255.0
no ip route-cache
!
interface Vlan200
ip address 192.168.200.2 255.255.255.0
no ip route-cache
shutdown
!
ip default-gateway 192.168.1.1
ip http server
banner motd ^CCC
UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged, any violations of this policy will be
prosecuted.
^C
!
line con 0
exec-timeout 90 0
logging synchronous
line vty 0 4
logging synchronous
login
line vty 5 15
logging synchronous
login
!
ntp clock-period 17180147
ntp server
!
end

ASA config:

hostname
names
ip local pool vpn_subnet 192.168.100.10-192.168.100.100 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
no nameif
no security-level
!
interface GigabitEthernet1/3.10
vlan 1
bridge-group 1
nameif Inside_vlan1
security-level 100
!
interface GigabitEthernet1/3.200
vlan 200
bridge-group 2
nameif DMZ_vlan200
security-level 50
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface GigabitEthernet1/9
nameif wifi
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface BVI2
nameif DMZ
security-level 50
ip address 192.168.200.1 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
object network obj_any_wifi

nat (wifi,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside

!
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 192.168.10.2-192.168.10.254 wifi
dhcpd enable wifi
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside

Re: ASA 5506-X-W trunk

ktoft — Mon, 11 Sep 2017 21:08:05 GMT

Hi Francesco

Thanks for the effert.

But i still cant make it work, or i got it to semi work.. i could reach the guest houe as wanted but then the guest house lost it's internet connection??

i have tryed to change vlan 10 to 1 just to see if that did anything good, but it didnt.

i am still able to reach vlan 200

im lost... 😞

ASA config:

hostname xx
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif null
security-level 0
!
interface GigabitEthernet1/3.10
vlan 1
bridge-group 1
nameif Inside_vlan1
security-level 100
!
interface GigabitEthernet1/3.200
vlan 200
bridge-group 2
nameif DMZ_vlan200
security-level 50
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface GigabitEthernet1/9
nameif wifi
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface BVI2
nameif DMZ
security-level 50
ip address 192.168.200.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

Switch config:

hostname xx

!
clock timezone cet 1
clock summer-time ECTD recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
ip dhcp excluded-address 192.168.200.1 192.168.200.5
!
ip dhcp pool xx-pool
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.1
   dns-server 8.8.8.8 8.8.4.4
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet0/1
description Bio_router
switchport mode access
random-detect
spanning-tree portfast
!
interface FastEthernet0/2
description Intel NUC port 0/1
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport mode access
shutdown
random-detect
spanning-tree portfast
!
interface FastEthernet0/4
switchport mode access
shutdown
random-detect
spanning-tree portfast
!
interface FastEthernet0/5
switchport mode access
shutdown
random-detect
spanning-tree portfast
!
interface FastEthernet0/6
switchport mode access
shutdown
random-detect
spanning-tree portfast
!
interface FastEthernet0/7
switchport mode access
shutdown
random-detect
spanning-tree portfast
!
interface FastEthernet0/8
switchport mode access
shutdown
random-detect
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport mode trunk
no keepalive
spanning-tree portfast
!
interface Vlan1
ip address 192.168.1.200 255.255.255.0
no ip route-cache
!
interface Vlan200
ip address 192.168.200.2 255.255.255.0
no ip route-cache
shutdown
!
ip default-gateway 192.168.1.1
ip http server
banner motd ^CCC
UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged, any violations of this policy will be
prosecuted.
^C
!
line con 0
exec-timeout 90 0
logging synchronous
line vty 0 4
logging synchronous
login
line vty 5 15
logging synchronous
login
!
ntp clock-period 17180147
!
end

Re: ASA 5506-X-W trunk

Maykol Rojas — Mon, 11 Sep 2017 21:18:15 GMT

Do you have an IP address for both Bridge groups? Do you have SVIs on the switch?

Mike.

Re: ASA 5506-X-W trunk

ktoft — Mon, 11 Sep 2017 21:29:05 GMT

Hi Mike

taken from the config i have uploaded:

ASA:

interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface BVI2
nameif DMZ
security-level 50
ip address 192.168.200.1 255.255.255.0

Switch:

nterface Vlan1
ip address 192.168.1.200 255.255.255.0
no ip route-cache

Re: ASA 5506-X-W trunk

Maykol Rojas — Mon, 11 Sep 2017 21:33:35 GMT

OK, what happens if you try to ping devices on both vlans? Do you have ARP entries for both vlans?

Show ARP.

Re: ASA 5506-X-W trunk

ktoft — Mon, 11 Sep 2017 21:55:28 GMT

From the ASA

ping 192.168.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.200, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

sh arp
        outside 192.168.2.1 e0b9.e59a.6946 14
        DMZ 192.168.200.5 c03f.d561.85c2 3570
        wifi 192.168.10.2 0042.5ad0.00b4 170
        inside 192.168.1.5 8019.343f.0fe8 0
        inside 192.168.1.10 5840.4e1b.26fa 35
        inside 192.168.1.12 b827.eb73.2b54 48
        inside 192.168.1.120 c097.2716.a246 487
        inside 192.168.1.8 484b.aab9.8ca7 870
        inside 192.168.1.6 5032.75a9.fed5 1728
        inside 192.168.1.2 d850.e6af.17b0 5524
        inside 192.168.1.200 0011.5cfa.4440 6934
        inside 192.168.1.7 f48c.5079.595a 8781
        inside 192.168.1.9 0024.e415.3ddc 10980
        inside 192.168.1.30 f48c.5079.595a 11384
        inside 192.168.1.29 484b.aab9.8ca7 12782
        inside 192.168.1.28 5840.4e1b.26fa 13097
        inside 192.168.1.22 5032.75a9.fed5 13177
        inside 192.168.1.19 8019.343f.0fe8 13268

From switch:

ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
Bio-Switch#ping 192.168.200.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
Bio-Switch#sh arp
Protocol Address          Age (min) Hardware Addr   Type   Interface
Internet 192.168.1.1            75   286f.7fd1.39d3 ARPA   Vlan1
Internet 192.168.1.200           -   0011.5cfa.4440 ARPA   Vlan1
Internet 192.168.200.2           -   0011.5cfa.4440 ARPA   Vlan200

if i take the switch port fa0/1 direct into my computer i am getting:

Spanning-tree-(for-briges)_00

5 times and the loop

and 5 time again over and over

dont get any dhcp from the ASA

Dont know if that means anything?

Re: ASA 5506-X-W trunk

Francesco Molino — Tue, 12 Sep 2017 00:10:43 GMT

Hi

On interface GigabitEthernet1/3, you have configured some stuff and you don't have because the config is done on sub-interfaces:

interface GigabitEthernet1/3
no bridge-group 1
no nameif null
no security-level 0

For the nat, I trust what you did but I don't see your groups like obj_any1

On the switch the svi vlan 200 is down. Is that normal?
What is the default gateway for vlan 1 and vlan 200 hosts?

Then, when you're doing ping tests, do it from the device to ping another device. Don't use ASA to make ping tests.

Re: ASA 5506-X-W trunk

jumora1 — Tue, 12 Sep 2017 12:17:13 GMT

I would either suggest to open a ticket with TAC or get into a call so we can take a look at this together? is the firewall facing the Internet so I can help you configure?

I just recently stopped working for TAC so I think I still have it.

Re: ASA 5506-X-W trunk

ktoft — Tue, 12 Sep 2017 13:16:55 GMT

Hi Again

Now i have made a small simple setup at work with new equipment similar to mine just to see if this ware a problem with my equipment.

Have anyone actually tried this and made this work?

Why can i access cross networks but not connect to something that is connected to the same network?

Have anyone made this work, or is this a bug and TAC have to look into?

here is the config and test from pc to the other equipment

So in the ASA the 'white cable' is vlan 10 connected to the computer

and the 'grey cable' is a trunk to the switch

Here is the config and test

hostname Switch
!
ip subnet-zero
!
vtp domain DKCPH-TERM
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan 10
name inside
!
vlan 200
name DMZ
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 200
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
switchport mode trunk
spanning-tree portfast trunk
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan10
ip address 192.168.1.200 255.255.255.0
no ip route-cache
!
interface Vlan200
ip address 192.168.200.2 255.255.255.0
no ip route-cache
shutdown
!
ip default-gateway 192.168.1.1
ip http server
!
line con 0
line vty 5 15
!
!
end
------------------------------------------------------------------------

Switch#sh interfaces trunk

Port        Mode         Encapsulation Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,200

---------------------------------------------------------------------------
ASA
ASA Version 9.8(1)
!
hostname ciscoasa
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3.10
vlan 10
bridge-group 1
nameif Inside_vlan10
security-level 100
!
interface GigabitEthernet1/3.200
vlan 200
bridge-group 2
nameif DMZ_vlan200
security-level 50
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface BVI2
nameif DMZ
security-level 50
ip address 192.168.200.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network inside
subnet 192.168.1.0 255.255.255.0
object network DMZ
subnet 192.168.200.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp echo-reply
service-object icmp echo
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_5
service-object icmp
service-object icmp echo
service-object icmp echo-reply
access-list DMZ_vlan200_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0 inactive
access-list DMZ_vlan200_access_in extended permit ip any any
access-list Inside_vlan10_access_in extended permit object-group DM_INLINE_SERVICE_5 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0 inactive
access-list Inside_vlan10_access_in extended permit ip any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_access_in extended permit ip any any inactive
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
mtu Inside_vlan10 1500
mtu DMZ_vlan200 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
access-group inside_access_in in interface inside
access-group Inside_vlan10_access_in in interface Inside_vlan10
access-group DMZ_access_in in interface DMZ
access-group DMZ_vlan200_access_in in interface DMZ_vlan200
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
http 192.168.1.0 255.255.255.0 Inside_vlan10
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
dhcpd address 192.168.200.5-192.168.200.254 DMZ
dhcpd enable DMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:306ca950ee815065e3ff375b5914fa6f
: end

-------------------------------
ciscoasa# sh arp
        inside 192.168.1.25 0023.2461.e54b 7
        inside 192.168.1.7 c85b.7674.8284 9
        inside 192.168.1.200 0019.55fb.f080 1390
        DMZ 192.168.200.25 0090.e85f.b57a 641
--------------------------------------------------------------
Ping from PC on vlan10 in ASA
Ping statistics for 192.168.1.25:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
---------------------------------------------------------------
Pinging 192.168.1.200 with 32 bytes of data:
Reply from 192.168.1.7: Destination host unreachable.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.200:
    Packets: Sent = 3, Received = 1, Lost = 2 (66% loss),
--------------------------------------------------------------
Pinging 192.168.200.25 with 32 bytes of data:
Reply from 192.168.200.25: bytes=32 time=1ms TTL=255
Reply from 192.168.200.25: bytes=32 time=2ms TTL=255
Reply from 192.168.200.25: bytes=32 time=2ms TTL=255
Reply from 192.168.200.25: bytes=32 time=2ms TTL=255

Ping statistics for 192.168.200.25:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

Re: ASA 5506-X-W trunk

jumora1 — Tue, 12 Sep 2017 15:43:48 GMT

Remove the vlan 10 address from the switch please and test

Re: ASA 5506-X-W trunk

jumora1 — Tue, 12 Sep 2017 15:50:00 GMT

Please remove the vlan 10 address from the switch and please and test. it seems as if you have two devices doing the inter vlan routing

Re: ASA 5506-X-W trunk

Francesco Molino — Wed, 13 Sep 2017 01:18:59 GMT

Hi

OK let's do it simple.
Remove svi from the switch and do no ip routing.
On all devices, their gateway should be the asa. Then test it and let us know.

Re: ASA 5506-X-W trunk

ktoft — Wed, 13 Sep 2017 08:52:28 GMT

Have noone ever made a "trunk" from a ASA5506 to a switch before and got it to work?

thanks for the suggestions but still no luck 😞

I did try to switch out the old 2940 to a new 2960-cx switch to see if there where an IOS bug on the switch but the outcome where exactly the same.

The ASA config is the same no changes for previous post.

Can't ping on the same subnet 192.168.1.0/24 cross the "trunk" on the ASA

As you can see from the test below, the switch can see both the equipment on vlan 10 and 200 on the correct ports.

And the test computer connected to the switch 192.168.1.25 can ping its gateway 192.168.1.1 (ASA)

The ASA is DHCP server to the computer connected to directly to it 192.168.1.10

So $$ question is why cant the ASA find the way when it is gateway for computer 192.168.1.25 and DHCP server for computer 192.168.1.10 ARHHH....!

here are the resaults:

Switch#sh mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
All    0019.55fb.f080    STATIC      CPU
All    0100.0ccc.cccc    STATIC      CPU
All    0100.0ccc.cccd    STATIC      CPU
All    0100.0cdd.dddd    STATIC      CPU
Total Mac Addresses for this criterion: 4
Switch#sh mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
All    0019.55fb.f080    STATIC      CPU
All    0100.0ccc.cccc    STATIC      CPU
All    0100.0ccc.cccd    STATIC      CPU
All    0100.0cdd.dddd    STATIC      CPU
200    0090.e85f.b57a    DYNAMIC     Fa0/2
200    00a6.ca07.54f1    DYNAMIC     Gi0/1
10    0023.2461.e54b    DYNAMIC     Fa0/1
10    00a6.ca07.54f1    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 8

--------------------------------------------------------------------
From PC direct connected to ASA

Vlan10 network
Pinging 192.168.1.25 with 32 bytes of data:
Reply from 192.168.1.10: Destination host unreachable.
Reply from 192.168.1.10: Destination host unreachable.
Reply from 192.168.1.10: Destination host unreachable.
Reply from 192.168.1.10: Destination host unreachable.

Ping statistics for 192.168.1.25:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

------------------------------------------------------------------
vlan200 network
Pinging 192.168.200.25 with 32 bytes of data:
Reply from 192.168.200.25: bytes=32 time=1ms TTL=255
Reply from 192.168.200.25: bytes=32 time=1ms TTL=255

-------------------------------------------------------------------

From PC direct connected to Switch

Vlan10 network
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
------------------------------------------------------------------

Vlan10 network
Pinging 192.168.1.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

----------------------------------------------------------------------
switc config

hostname Switch
!
!
ip subnet-zero
!
vtp domain DKCPH-TERM
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan 10
name inside
!
vlan 200
name DMZ
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 200
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
switchport mode trunk
spanning-tree portfast trunk
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
ip default-gateway 192.168.1.1
ip http server
!
line con 0
line vty 5 15
!
!
end

Re: ASA 5506-X-W trunk

Francesco Molino — Wed, 13 Sep 2017 22:03:46 GMT

Hi

We are probably in a different timezone but is it possible to plan a troubleshooting session through a teamviewer or webex?

Re: ASA 5506-X-W trunk

ktoft — Thu, 14 Sep 2017 06:46:12 GMT

Hi Francesco

If you think that it is possible to make this setup, then yes it would be helpful

I am in time zone UTC +2 CEST, I have written you a private message.

of course if anyone have some suggestions you are more than welcome to continue to write this

Br Kevin

Re: ASA 5506-X-W trunk

jumora1 — Thu, 14 Sep 2017 12:00:33 GMT

You need a webex to get this solved.