08-16-2011 09:01 AM - edited 03-11-2019 02:12 PM
Hi, All!
I have a Cisco ASA 5505 that I have configured. The outside interface is vlan 2 and the inside interface is vlan 1. Port 0 of the ASA is configured to be in vlan 2 and is connected to the ISP provided subnet. Port 1 is connected to my private LAN subnet. I have an additional router connected to Port 2 for guest connectivity. Port 2 is configured to be a member of VLAN 2 so that it can access the ISP provided subnet. From the device connected to port 2 I can ping the vlan 2 interface address of the ASA and from the ASA I can ping the Default gateway of the ISP provided subnet. For some reason the router on port 2 cannot ping the default gateway of the ISP provided subnet. If the vlan were working the same as a vlan in a switch, I would expect to be able to do this. Can anyone explain why it is not working or what I can do to get it working?
Thanks!
08-16-2011 09:08 AM
What is the license that you have on the ASA 5505, is it just base license?? You can check it by doing "show version". And also can you share the config from ASA??
-Varun
08-16-2011 09:32 AM
License is a Security+ license
Here's the config:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name v****.v****.l**
enable password ***** encrypted
passwd ***** encrypted
names
name 10.0.0.0 IntraNet1
name 172.30.52.0 IntraNet2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.25.40.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 98.103.56.215 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name vlrna.vlrad.loc
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object IntraNet1 255.0.0.0
network-object IntraNet2 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object IntraNet1 255.0.0.0
network-object IntraNet2 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
access-list outside_cryptomap extended permit ip 10.25.40.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 10.25.40.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list icmp-allow extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm location IntraNet1 255.0.0.0 inside
asdm location IntraNet2 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.25.40.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 98.103.56.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 10.32.128.0 255.255.255.0 inside
http Vallourec-IntraNet 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set T-Set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 12.33.192.93
crypto map outside_map0 1 set transform-set T-Set
crypto map outside_map0 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh IntraNet1 255.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username administrator password ******** encrypted privilege 15
username administrator attributes
service-type admin
tunnel-group 12.33.192.93 type ipsec-l2l
tunnel-group 12.33.192.93 ipsec-attributes
pre-shared-key *******
isakmp keepalive disable
!
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c25208157555d6b43dac7797e1b0ea5c
: end
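The posted config puts Ethernet0/0 (the ISP uplink) and Ethernet0/2 (the guest router) in the same VLAN 2, so the 5505's built-in switch bridges them at layer 2 and traffic between the guest router and the ISP segment never passes through the firewall's security policy. The following script is an added example, not code from the thread: it parses the ASA 5505 config format shown above and reports which switchports share which VLAN, and which ports sit on the outside (lowest security-level) segment. It assumes the 5505 default that a switchport without an explicit `switchport access vlan` belongs to VLAN 1; the sample config embedded in the script is a constructed excerpt of the posted one.

```python
"""Map ASA 5505 switchports to their VLAN interfaces from a running config.

Added example (not part of the original thread). Ports sharing a VLAN are
bridged at layer 2 by the 5505's integrated switch, so traffic between them
is never inspected by the firewall's access rules.
"""
import re
from collections import defaultdict

# Constructed sample: the interface section of the posted config.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.25.40.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 98.103.56.215 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
"""

VLAN_RE = re.compile(r"^interface Vlan(\d+)$")
PORT_RE = re.compile(r"^interface (Ethernet\d+/\d+)$")
ACCESS_RE = re.compile(r"^switchport access vlan (\d+)$")


def parse_asa_config(text):
    """Return (vlans, ports).

    vlans: {vlan_id: {"nameif": str, "security_level": int, "ip": str}}
    ports: {port_name: vlan_id}
    """
    vlans = {}
    ports = {}
    current = None  # ("vlan", id) or ("port", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = VLAN_RE.match(line)
        if m:
            current = ("vlan", int(m.group(1)))
            vlans[current[1]] = {"nameif": None, "security_level": None, "ip": None}
            continue
        m = PORT_RE.match(line)
        if m:
            current = ("port", m.group(1))
            ports[current[1]] = 1  # ASA 5505 default: unassigned switchport is in VLAN 1
            continue
        if current is None:
            continue
        kind, key = current
        if kind == "vlan":
            if line.startswith("nameif "):
                vlans[key]["nameif"] = line.split(None, 1)[1]
            elif line.startswith("security-level "):
                vlans[key]["security_level"] = int(line.split()[1])
            elif line.startswith("ip address "):
                vlans[key]["ip"] = line.split()[2]
        elif kind == "port":
            m = ACCESS_RE.match(line)
            if m:
                ports[key] = int(m.group(1))
    return vlans, ports


def bridged_groups(ports):
    """Group switchports by VLAN; members of one group reach each other
    at layer 2 without traversing the firewall."""
    groups = defaultdict(list)
    for port, vlan in sorted(ports.items()):
        groups[vlan].append(port)
    return dict(groups)


def outside_segment_ports(vlans, ports):
    """Switchports on the lowest security-level VLAN. Anything plugged into
    one of these sits on the ISP segment, outside the firewall policy."""
    def level(v):
        lvl = vlans[v]["security_level"]
        return 100 if lvl is None else lvl  # treat unset like an inside interface
    outside_vlan = min(vlans, key=level)
    return sorted(p for p, v in ports.items() if v == outside_vlan)


if __name__ == "__main__":
    vlans, ports = parse_asa_config(SAMPLE_CONFIG)
    for vlan, members in bridged_groups(ports).items():
        info = vlans.get(vlan, {})
        print(f"VLAN {vlan} ({info.get('nameif')}, security-level "
              f"{info.get('security_level')}): {', '.join(members)}")
    print("Ports on the outside segment:", outside_segment_ports(vlans, ports))
```

Run against the posted config it lists Ethernet0/0 and Ethernet0/2 as outside-segment ports, which is exactly why the guest router's ping to the ISP gateway is a layer-2 question (ARP and the ISP router's own ICMP policy) rather than an ASA access-list question.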
08-16-2011 11:07 AM
So as per your configuration are you not able to ping from the inside network to your default gateway on the outside???
-Varun
08-16-2011 02:28 PM
I was not able to ping the ISP gateway from another device on the outside VLAN. Turned out that the ISP's router was configured not to respond to ICMP. It is working now.
Thanks!