I have the following Network Setup:
ASA 5505(Security Plus License) -->Cisco Switch WS-C2960-8TC-L -->PC
ASA has 8 interface VLANs, each one with an IP assigned. Cisco Switch also has 8 VLANs, each one with an IP assigned.
My PC belongs to 10.10.1.0/24 network, and PC interface on SW is mode access VLAN 1. Link of ASA to Switch is trunk on both sides, allowing all VLANs.
I can successfully ping 10.10.2.2 (SW IP VLAN 2), but I cannot ping 10.10.2.1 (ASA IP VLAN 2).
In fact, I cannot ping any other FW IP except the one from Interface VLAN 1 (10.10.1.10).
All FW interfaces have the same security level (100). I have enabled same-security-traffic permit inter-interface, same-security-traffic permit intra-interface, inspect icmp and icmp permit any USERS (VLAN 2).
Could you please assist in order to resolve the issue? I have also attached the configuration from ASA and Switch.
Looking into your config, your switch interface FastEthernet 0/8 trunk is connected to ASA Ethernet0/1. Your config looks OK. Can you make sure the cables are connected properly?
Can you share the output of these commands:
show interface fastethernet 0/8
show interface ethernet0/1
SW-1#show interfaces fastEthernet 0/8
FastEthernet0/8 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 1c17.d308.9188 (bia 1c17.d308.9188)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:04, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 577000 bits/sec, 62 packets/sec
5 minute output rate 28000 bits/sec, 31 packets/sec
106245 packets input, 119098143 bytes, 0 no buffer
Received 142 broadcasts (108 multicasts)
1 runts, 0 giants, 0 throttles
1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 108 multicast, 0 pause input
0 input packets with dribble condition detected
64025 packets output, 6785852 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
FW# sh int eth0/1
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 0081.c466.d58b, MTU not set
IP address unassigned
66961 packets input, 7268173 bytes, 0 no buffer
Received 1655 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
6782 switch ingress policy drops
110885 packets output, 123778937 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
You said you can ping when your PC is in VLAN 1 (10.10.1.10) to the default gateway of the ASA.
If that is correct, then you have to understand that you cannot ping from a PC in VLAN 1 when you want to ping to VLAN-X on ASA interface X. This is by default.
If you try to ping the default gateway of the ASA in its respective IP address range, it will reply to the pings.