Problem with VLAN traffic on ASA 5505

fdouble08
Level 1

Hi, All!

I have a Cisco ASA 5505 that I have configured. The outside interface is vlan 2 and the inside interface is vlan 1. Port 0 of the ASA is configured to be in vlan 2 and is connected to the ISP provided subnet. Port 1 is connected to my private LAN subnet. I have an additional router connected to Port 2 for guest connectivity. Port 2 is configured to be a member of VLAN 2 so that it can access the ISP provided subnet. From the device connected to port 2 I can ping the vlan 2 interface address of the ASA, and from the ASA I can ping the default gateway of the ISP provided subnet. For some reason the router on port 2 cannot ping the default gateway of the ISP provided subnet. If the vlan were working the same as a vlan in a switch, I would expect to be able to do this. Can anyone explain why it is not working or what I can do to get it working?

Thanks!

4 Replies

varrao
Level 10

What is the license that you have on the ASA 5505, is it just the base license? You can check it by doing "show version". Also, can you share the config from the ASA?

-Varun

Thanks,
Varun Rao

License is a Security+ license

Here's the config:

ASA Version 8.2(2)
!
hostname ciscoasa
domain-name v****.v****.l**
enable password ***** encrypted
passwd ***** encrypted
names
name 10.0.0.0 IntraNet1
name 172.30.52.0 IntraNet2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.25.40.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 98.103.56.215 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name vlrna.vlrad.loc
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object IntraNet1 255.0.0.0
network-object IntraNet2 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object IntraNet1 255.0.0.0
network-object IntraNet2 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
access-list outside_cryptomap extended permit ip 10.25.40.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 10.25.40.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list icmp-allow extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm location IntraNet1 255.0.0.0 inside
asdm location IntraNet2 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.25.40.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 98.103.56.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 10.32.128.0 255.255.255.0 inside
http Vallourec-IntraNet 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set T-Set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 12.33.192.93
crypto map outside_map0 1 set transform-set T-Set
crypto map outside_map0 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh IntraNet1 255.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username administrator password ******** encrypted privilege 15
username administrator attributes
service-type admin
tunnel-group 12.33.192.93 type ipsec-l2l
tunnel-group 12.33.192.93 ipsec-attributes
pre-shared-key *******
isakmp keepalive disable
!
!
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c25208157555d6b43dac7797e1b0ea5c
: end
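A point worth checking in the config above: Ethernet0/0 (to the ISP) and Ethernet0/2 (to the guest router) are both `switchport access vlan 2`, so the 5505's internal switch bridges them at layer 2 and the guest router sits on the ISP segment alongside the ASA's outside interface. Frames between the guest router and the ISP gateway never enter the `outside` VLAN interface, so `outside_access_in`, NAT and inspection are not in that path at all; only the ISP side decides whether those pings are answered. The following is an added example, not code from the thread or from Cisco: it parses the interface section of an ASA 5505 config (the sample is a constructed excerpt of the config posted above, addresses as posted) and reports which firewall segment each switch port is bridged onto. It assumes the factory default that a port with no `switchport access vlan` line is in VLAN 1.

```python
"""Map ASA 5505 switch ports to the VLAN interface whose segment they share.

Added example for this thread; not from the original post or from Cisco.
SAMPLE_CONFIG is a constructed excerpt modelled on the posted config.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.25.40.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 98.103.56.215 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
ftp mode passive
"""


@dataclass
class VlanIf:
    vlan: int
    nameif: str = ""
    security_level: Optional[int] = None
    ip: str = ""


def parse_interfaces(config: str) -> Tuple[Dict[int, VlanIf], Dict[str, int]]:
    """Return ({vlan_id: VlanIf}, {port_name: access_vlan}).

    Indentation is not relied on, because forum pastes often strip it;
    a bare '!' or a new 'interface' line ends the current block.
    Ports without 'switchport access vlan' are assumed to be in VLAN 1
    (ASA 5505 factory default; an assumption, not read from the config).
    """
    vlans: Dict[int, VlanIf] = {}
    ports: Dict[str, int] = {}
    current: Optional[Tuple[str, object]] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        m = re.match(r"interface Vlan(\d+)$", line)
        if m:
            vif = VlanIf(vlan=int(m.group(1)))
            vlans[vif.vlan] = vif
            current = ("vlan", vif)
            continue
        m = re.match(r"interface (Ethernet\S+)$", line)
        if m:
            ports[m.group(1)] = 1  # default access VLAN until overridden
            current = ("port", m.group(1))
            continue
        if line.startswith("interface ") or current is None:
            current = None
            continue
        kind, obj = current
        if kind == "vlan":
            if line.startswith("nameif "):
                obj.nameif = line.split()[1]
            elif line.startswith("security-level "):
                obj.security_level = int(line.split()[1])
            elif line.startswith("ip address "):
                obj.ip = line.split()[2]
        else:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m:
                ports[obj] = int(m.group(1))
    return vlans, ports


def port_exposure(config: str) -> Dict[str, dict]:
    """For each switch port: its VLAN, the firewall interface on that VLAN,
    the other ports it is bridged with at layer 2, and whether it sits on
    the security-level-0 (outside) segment, i.e. beyond the firewall."""
    vlans, ports = parse_interfaces(config)
    report: Dict[str, dict] = {}
    for port, vid in sorted(ports.items()):
        vif = vlans.get(vid)
        peers: List[str] = sorted(p for p, v in ports.items() if v == vid and p != port)
        report[port] = {
            "vlan": vid,
            "nameif": vif.nameif if vif else None,
            "security_level": vif.security_level if vif else None,
            "bridged_with": peers,
            "on_outside_segment": bool(vif and vif.security_level == 0),
        }
    return report


if __name__ == "__main__":
    for port, info in port_exposure(SAMPLE_CONFIG).items():
        print(port, info)
```

Run against the sample, Ethernet0/2 is reported in VLAN 2 (`outside`, security-level 0) and bridged with Ethernet0/0, which is the situation described in the question: the guest router and the ISP gateway are on one layer-2 segment and the ASA is only a switch between them. Anything plugged into such a port is unprotected by the ASA's policy, so the report is also a quick audit of which ports a guest or rogue device could be patched into to land on the WAN side.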

So as per your configuration, are you not able to ping from the inside network to your default gateway on the outside?

-Varun

Thanks,
Varun Rao

I was not able to ping the ISP gateway from another device on the outside VLAN.  Turned out that the ISP's router was configured not to respond to ICMP.  It is working now.

Thanks!
