topic asa 5520 sub interface issue in Network Security

asa 5520 sub interface issue

Adamzhang — Mon, 11 Mar 2019 18:32:41 GMT

Hi,

My ASA 5520 is version 8.2(1).

I configured two subinterfaces:

interface GigabitEthernet0/3.1
vlan 272
nameif WN
security-level 50
ip address 10.227.2.254 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/3.2
vlan 275
nameif WN275
security-level 50
ip address 10.227.5.254 255.255.255.0
ospf cost 10

Users in vlan 272 work fine, but users in vlan 275 can't even ping the gateway 10.227.5.254.

I can't find anything wrong. Only one strange thing I noticed when I do a "sh int ip bri" is the METHOD is different, see below. For Gi0/3.2 it is "manual", rather than "config".

GigabitEthernet0/3.1 10.227.2.254 YES CONFIG up up
GigabitEthernet0/3.2 10.227.5.254 YES manual up up

I guess if I can get that "manual" changed to "config", I will have a better chance to get vlan275 to work.

How can I do that? Why it is "manual"?

Thanks heaps.

Adam

Re: asa 5520 sub interface issue

Jennifer Halim — Tue, 31 Aug 2010 08:50:23 GMT

The switch port that connects to the ASA interface gig0/3, I believe is a trunk port (dot1q), and please make sure that you allow VLAN 275 in that trunk port, and you also have VLAN 275 in your vlan database.

Would also like to find out if there is any ICMP policy configured on the ASA that might be blocking ping. Pls check "sh run icmp" output.

Re: asa 5520 sub interface issue

Nagaraja Thanthry — Tue, 31 Aug 2010 13:26:52 GMT

Hello,

What is the native vlan on that trunk? If the native vlan is 275, then

change the native vlan to something that is not used in the network (say

900). Since there is no native vlan concept in the firewall subinterface, it

will expect all packets to be tagged for the subinterfaces.

Hope this helps.

Regards,

Re: asa 5520 sub interface issue

Adamzhang — Wed, 01 Sep 2010 02:14:22 GMT

"Switchport trunk allowed vlan add 275" fixed the problem.

Thanks a lot Halijenn.

Adam

Re: asa 5520 sub interface issue

Allen P Chen — Wed, 01 Sep 2010 02:48:07 GMT

With regards to the "CONFIG" and "manual" keywords,

GigabitEthernet0/3.1 10.227.2.254 YES CONFIG up up
GigabitEthernet0/3.2 10.227.5.254 YES manual up up

CONFIG indicates that the IP address for GigabitEthernet0/3.1 was loaded from the startup config. Manual indicates that the device has not been reloaded since the IP address was assigned to GigabitEthernet0/3.2. The same interface will display CONFIG once the device is reloaded.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s3.html#wp1464786

Re: asa 5520 sub interface issue

Adamzhang — Wed, 01 Sep 2010 02:53:22 GMT

Hi Allen,

Thanks for explaining. That is very good to know.

Adam