Beginner

ASA5520 not communicating between VLANs

Hi,

 

I have an ASA5520 and have configured multiple VLANs, but I wish for it to communicate between 2 of them (10 and 100). I have configured intra-interface and also the NAT rules to communicate between each other, but it still will not talk across VLAN 10 and 100.

I have attached the configs. I have an ASA5520, an 887VA acting as a DHCP server on DHCP relay from the ASA, and a 3750 switch.

Accepted Solution
Rising star

Re: ASA5520 not communicating between VLANs

Let me summarise why you can and why you can't.

 

1. Your Network-Managment (GigabitEthernet0/0.100), Chatterton-Net (interface GigabitEthernet0/0.10) and the management (Management0/0) interfaces are all at level 100. On top of this you have configured the following commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Now if you ping from a PC in Network-Managment to Chatterton-Net or to management, the ping will be successful. However, if you try to open ASDM from these, it will not work, as you only define certain subnets/IP addresses to get connected to ASDM, which are:

http server enable
http 192.168.1.0 255.255.255.0 management
http 10.20.100.0 255.255.255.0 Network-Managment

which means you need to be in these IP address ranges (subnets) in order to open ASDM.

 

Also remember the ASA does stateful inspection. Whatever initiates from level 100 with NAT rules can go out. Nothing can come in from outside unless you define an ACL rule.

Please do not forget to rate if I helped you.
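As an added illustration (not code from this thread or from Cisco), the following Python script models the two checks the accepted solution and the later "by design" reply describe: an `http` entry must match both the client's subnet and the interface the connection arrives on, and an interface block only blocks through-traffic when it carries the `management-only` command itself, not a `description` that merely mentions it. The config excerpt is constructed from values quoted in the thread.

```python
import ipaddress, re

# Constructed ASA config excerpt modelled on the thread; not the poster's real config.
ASA_CONFIG = """\
interface GigabitEthernet0/0.10
 vlan 10
 nameif Chatterton-Net
!
interface GigabitEthernet0/0.100
 management-only
 vlan 100
 nameif Network-Managment
!
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.20.100.0 255.255.255.0 Network-Managment
"""

def parse_http_rules(config):
    """Return [(network, nameif)] from 'http <addr> <mask> <nameif>' lines."""
    rules = []
    for line in config.splitlines():
        m = re.match(r"^http (\S+) (\S+) (\S+)$", line.strip())
        if m:  # 'http server enable' has only two words after http, so it is skipped
            rules.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
    return rules

def management_only_interfaces(config):
    """nameifs whose block has the real 'management-only' command (not a description)."""
    names, nameif, flagged = set(), None, False
    for line in config.splitlines() + [""]:
        if line.startswith(" "):
            tok = line.strip()
            if tok.startswith("nameif "):
                nameif = tok.split()[1]
            elif tok == "management-only":
                flagged = True
        else:  # any unindented line ('!' or 'interface ...') closes the current block
            if nameif and flagged:
                names.add(nameif)
            nameif, flagged = None, False
    return names

def asdm_access(config, src_ip, ingress_nameif):
    """Explain whether a host can reach ASDM/HTTPS on the ASA from a given interface."""
    src = ipaddress.ip_address(src_ip)
    rules = parse_http_rules(config)
    if any(src in net and nameif == ingress_nameif for net, nameif in rules):
        return "allowed"
    if any(src in net for net, _ in rules):
        return "denied: http entry exists but not for ingress interface"
    return "denied: no http entry for source subnet"
```

Running `asdm_access(ASA_CONFIG, "10.20.10.50", "Chatterton-Net")` reproduces the poster's symptom: a VLAN 10 host has no matching `http` entry, so ASDM at 10.20.100.1 is refused while a VLAN 100 host is allowed.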
12 Replies
VIP Advisor

Re: ASA5520 not communicating between VLANs

Apply this

interface GigabitEthernet0/0.100
no management-only
Rising star

Re: ASA5520 not communicating between VLANs

Mohammed al Baqari is right. And put it in this way:

!
interface GigabitEthernet0/0.100
 description management-only
 vlan 100
 nameif Network-Managment
 security-level 100
 ip address 10.20.100.1 255.255.255.0

!

Can you confirm if you can ping 10.20.100.4 from the firewall CLI?

I also understand that the firewall is connected to switch port 1/0/48.

please do not forget to rate.
Beginner

Re: ASA5520 not communicating between VLANs

Thanks guys for the help, I will give that a try tonight.

Yes, the firewall is connected to 1/0/48 and the DHCP is on 1/0/47.

Will I still be able to access the firewall by ASDM on 10.20.100.1?

Rising star

Re: ASA5520 not communicating between VLANs

Yes, that's correct, you would be able to connect to ASDM.

I double checked that you have the config

http 10.20.100.0 255.255.255.0 Network-Managment

!

so once you have applied the new config, which is

interface GigabitEthernet0/0.100
 description management-only
 vlan 100
 nameif Network-Managment
 security-level 100
 ip address 10.20.100.1 255.255.255.0

!

please do not forget to rate.
Beginner

Re: ASA5520 not communicating between VLANs

That worked and I can ping the DHCP server 10.20.100.2 and the switch 10.20.100.4, but I can't ping the ASA on 10.20.100.1.

Any ideas?

Rising star

Re: ASA5520 not communicating between VLANs

OK, let me see the config you posted earlier.

please do not forget to rate.
Rising star

Re: ASA5520 not communicating between VLANs

From the switch, when you ping to the ASA, do it in this order:

 

ping 10.20.100.1 source vlan 100

Also please confirm if you can access https://10.20.100.1.

please do not forget to rate.
Beginner

Re: ASA5520 not communicating between VLANs

I can ping 10.20.100.1 from the ASA but I can't ping it from a PC connected to VLAN 10.

I can't access the web page either from a PC on VLAN 10; it's fine if I move the PC to VLAN 100.

Rising star

Re: ASA5520 not communicating between VLANs

"I can't access the web page either from a PC on VLAN 10; it's fine if I move the PC to VLAN 100."

What web page are you trying to open that is not working? Are you trying to open a page at 10.20.100.1 from VLAN 10? This won't work, as we do not allow it in our rule.

Can you google from VLAN 10?

"I can ping 10.20.100.1 from the ASA but I can't ping it from a PC connected to VLAN 10."

Do a ping test from 10.20.100.x to 10.20.100.1

(or)

go to the switch CLI and give the command ping 10.20.100.1 source vlan 100

please do not forget to rate.
Beginner

Re: ASA5520 not communicating between VLANs

I am trying to get onto the web page for the ASA and it will not let me. I also can get to the ASA via ASDM from VLAN 100.

I can get onto it by using 10.20.10.1, which is fine and I can live with it; I just can't see why I can't do it when I go to 10.20.100.1.

If I put the PC on VLAN 100 then I can access the firewall by 10.20.100.1.

I do not get any internet on VLAN 100, but that's fine, I don't want that to access the internet.

Hall of Fame Master

Re: ASA5520 not communicating between VLANs

By design you cannot connect to the ASA on an interface other than the one you entered on.

 

Pings via the ASA will only work if you have enabled ICMP inspection. Generally speaking it is better to use a connection-oriented protocol like TCP to test connectivity (i.e. browse to a web server, SSH or telnet to a host, etc.).
