ASA5520 not communicating between VLANs

Martin
Level 1

Hi,

I have an ASA5520 and have configured multiple VLANs, but I wish for it to communicate between two of them (10 and 100). I have configured intra-interface and also the NAT rules to communicate between each other, but it still will not talk across VLAN 10 and 100.

I have attached the configs. I have an ASA5520, an 887VA acting as a DHCP server on DHCP relay from the ASA, and a 3750 switch.

Accepted Solution

Let me summarise why you can and why you can't.

1. Your Network-Managment (GigabitEthernet0/0.100), Chatterton-Net (interface GigabitEthernet0/0.10) and management (Management0/0) interfaces are all at security level 100. On top of this you have configured the following commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Now if you ping from a PC in Network-Managment to Chatterton-Net or to management, the ping will be successful. However, if you try to open ASDM from these, it will not work, as you only define certain subnets/IP addresses that may connect to ASDM, which are:

http server enable
http 192.168.1.0 255.255.255.0 management
http 10.20.100.0 255.255.255.0 Network-Managment

which means you need to be in these IP address ranges (subnets) in order to open ASDM.

Also remember the ASA does stateful inspection. Whatever initiates from level 100 with NAT rules can go out; nothing can come in from outside unless you define an ACL rule.

Please do not forget to rate if I helped you.

12 Replies

Apply this:

interface GigabitEthernet0/0.100
no management-only

Mohammed al Baqari is right. And put it in that way.

!
interface GigabitEthernet0/0.100
 description management-only
 vlan 100
 nameif Network-Managment
 security-level 100
 ip address 10.20.100.1 255.255.255.0

!

Can you confirm if you can ping 10.20.100.4 from the firewall CLI?

I also understand that the firewall is connected to switch port 1/0/48.

Please do not forget to rate.

Thanks guys for the help, I will give that a try tonight.

Yes, the firewall is connected to 1/0/48 and the DHCP is on 1/0/47.

Will I still be able to access the firewall by ASDM on 10.20.100.1?

Yes, that's correct, you would be able to connect to ASDM.

I double checked you have the config

http 10.20.100.0 255.255.255.0 Network-Managment

!

so once you apply the new config, which is

interface GigabitEthernet0/0.100
 description management-only
 vlan 100
 nameif Network-Managment
 security-level 100
 ip address 10.20.100.1 255.255.255.0

!


Please do not forget to rate.

That worked and I can ping the DHCP server 10.20.100.2 and the switch 10.20.100.4, but I can't ping the ASA on 10.20.100.1.

Any ideas?

OK, let me see the config you posted earlier.

Please do not forget to rate.

From the switch, when you ping the ASA, do it in this order:

ping 10.20.100.1 source vlan 100

Also please confirm if you can access https://10.20.100.1.

Please do not forget to rate.

I can ping 10.20.100.1 from the ASA but I can't ping it from a PC connected to VLAN 10.

I can't access the web page either from a PC on VLAN 10; it's fine if I move the PC to VLAN 100.

 

I can't access the web page either from a PC on VLAN 10; it's fine if I move the PC to VLAN 100.

What web page are you trying to open that is not working? Are you trying to open the page 10.20.100.1 from VLAN 10? This won't work, as we do not allow it in our rule.

Can you Google from VLAN 10?

I can ping 10.20.100.1 from the ASA but I can't ping it from a PC connected to VLAN 10.

Do a ping test from 10.20.100.x to 10.20.100.1

(or)

go to the switch CLI and give the command ping 10.20.100.1 source vlan 100

Please do not forget to rate.

I am trying to get onto the web page for the ASA and it will not let me. I also can get to the ASA via ASDM from VLAN 100.

I can get onto it by using 10.20.10.1, which is fine and I can live with it; I just can't see why I can't do it when I go to 10.20.100.1.

If I put the PC on VLAN 100 then I can access the firewall by 10.20.100.1.

I don't get any internet on VLAN 100 but that's fine, I don't want that to access the internet.

By design you cannot connect to the ASA on an interface other than the one you entered on.

Pings via the ASA will only work if you have enabled ICMP inspection. Generally speaking it is better to use a connection-oriented protocol like TCP to test connectivity (i.e. browse to a web server, SSH or telnet to a host, etc.).
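For readers who want to see the pieces of the accepted answer and the ICMP-inspection reply in one place, the fragment below is an added illustration, not the poster's attached running config. It shows the two equal-security sub-interfaces, the same-security-traffic statements, the http access lines that decide who may reach ASDM on which interface, and the global inspection policy with inspect icmp. Interface names, VLAN numbers and the 10.20.x.1 addresses are taken from the thread; the http line for the VLAN 10 subnet is an assumption added to make ASDM reachable on 10.20.10.1 from Chatterton-Net hosts.

```text
! Added example configuration (not the original poster's config).
interface GigabitEthernet0/0.10
 vlan 10
 nameif Chatterton-Net
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif Network-Managment
 security-level 100
 ip address 10.20.100.1 255.255.255.0
!
! Allow through-traffic between (inter) and hairpinned on (intra)
! interfaces that share security level 100.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! To-the-box ASDM/HTTPS is accepted only from the listed source subnet
! and only when it arrives on the named interface. A host on VLAN 10
! must therefore use 10.20.10.1, which needs its own http line
! (assumed here; the thread implies it exists in the attached config).
http server enable
http 10.20.100.0 255.255.255.0 Network-Managment
http 10.20.10.0 255.255.255.0 Chatterton-Net
!
! Make ICMP stateful so echo replies for pings that cross the ASA are
! allowed back in without an explicit ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Note that inspect icmp only affects traffic passing through the ASA; it does not change the to-the-box rule stated above, where the ASA answers management connections only on the interface the traffic arrives on.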
