ASA5515X-IPS management 0/0 to LAN

rdsalmans
Level 1

I've recently set up two ASA5515X in A/S each with IDS. When I had them in the lab I was able to access the IPS's via IME but now that it's at the datacenter it's not working (of course). I've got the IPS configured with an IP on our LAN and the ASA's Management0/0 interface configured as:

interface Management0/0
 no nameif
 security-level 100
 no ip address
 management-only

The Management0/0 interface is plugged into a switchport on our LAN VLAN. From the ASA it's seeing the IPS as Up and I've verified the IPS network settings. Any ideas? Did I forget something? TIA!


15 Replies

Julio Carvajal
VIP Alumni

Hello,

So you cannot access the IPS from the inside network, right? What is the IP address you have provided to the IPS? What is the default gateway IP of the IPS? What is the internal subnet network?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That is correct, I'm unable to access the IPS from the LAN subnet of 192.168.173.0/24.

The IPS is 192.168.173.221, default gateway is the core switch at 192.168.173.254.


Hello,

Can you change the default gateway to the ASA internal IP address?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I changed the default gateway on the IPS to the IP of the ASA (192.168.173.162), but still no connectivity. I have also verified the IPS ACL and that it does include the 192.168.173.0/24 subnet.

Hello,

Can you add:

same-security-traffic permit intra-interface

Also do you see any logs from the ASA?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I already had "same-security-traffic permit intra-interface" and "same-security-traffic permit inter-interface" in the ASA, double checked to make sure. Turned on debug logging and then ran a continuous ping from a host on the LAN to 192.168.173.221 and checked the logs for any traffic going to/from 192.168.173.221 but not seeing anything in the debug logs.

Hello,

Can you share the topology you have?

Should be like this:

[image: ips-config-mod-01.gif]

So management traffic from inside to IPS never reaches the ASA!

Remember to rate all of the helpful posts, that is as important as a thanks ( if you need assistance on how to rate a post, let me know, I will be more than glad to help)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Your topology is correct. It's:

hosts --> 3750 stack--> ASA LAN interface

hosts --> 3750 stack--> ASA Management 0/0

Very straightforward. I had opened a TAC case to figure out how to get this working and basically I just had to remove any IP from the Management 0/0 interface and then plug it into a switchport in the LAN VLAN. I had it working when it was on my desk, but for some reason it's not working now once in place at the datacenter. How can I find the MAC address of the IPS? I can then make sure the Management 0/0 interface is plugged into the correct VLAN and that a cable wasn't plugged into the wrong interface.

Hello,

Based on what you have said so far, it looks like there is something outside the ASA or IPS causing the issue (switch problem).

Please check the VLAN and port assignment, as everything else is now configured properly.

On the IPS, run a show interface command and you will get the MAC address.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

When I run "show interfaces" I only get statistical information, nothing L2:

Interface Statistics
   Total Packets Received = 0
   Total Bytes Received = 0
   Missed Packet Percentage = 0
MAC statistics from interface Management0/0
   Interface function = Command-control interface
   Description =
   Media Type = TX
   Default Vlan = 0
   Link Status = Up
   Link Speed = Auto_1000
   Link Duplex = Auto_Full
   Total Packets Received = 0
   Total Bytes Received = 0
   Total Multicast Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 171
   Total Bytes Transmitted = 7182
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0
MAC statistics from interface PortChannel0/0
   Interface function = Sensing interface
   Description = Backplane
   Media Type = backplane
   Default Vlan = 0
   InlineMode = Unpaired
   Pair Status = N/A
   Hardware Bypass Capable = No
   Hardware Bypass Paired = N/A
   Link Status = Up
   Admin Enabled Status = Enabled
   Link Speed = N/A
   Link Duplex = N/A
   Total Packets Received = 988315
   Total Bytes Received = 77088570
   Total Packets Transmitted = 988315
   Total Bytes Transmitted = 77088570

Believe I found the MAC. If I run "show module IPS" from the ASA I get a MAC address range.

I checked the 3750 stack for both of the IPS's in the A/S ASA setup and neither MAC is showing up, but the management interfaces are showing as up/up. Also, neither one of the Management 0/0 MAC's is showing up in the 3750's either.

Also tried a "sw-module module ips reload" but no joy. Will open a TAC case tomorrow.
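As an added example (not from the thread or from Cisco), a small Python helper that parses the IPS "show interfaces" output quoted above, flags the telltale "link Up, frames transmitted, nothing received" pattern on the command-control interface, and checks a switch "show mac address-table" dump for any MAC in the module's range. The MAC range and the switch table below are constructed placeholders; the real range comes from "show module ips" on the ASA.

```python
import re
# Constructed sample: the Management0/0 and PortChannel0/0 sections of the
# IPS "show interfaces" output quoted in the thread (counters as posted).
SHOW_INTERFACES = """\
MAC statistics from interface Management0/0
   Link Status = Up
   Total Packets Received = 0
   Total Packets Transmitted = 171
MAC statistics from interface PortChannel0/0
   Link Status = Up
   Total Packets Received = 988315
   Total Packets Transmitted = 988315
"""
# Constructed placeholders: a module MAC range (the real one comes from
# "show module ips" on the ASA) and an IOS "show mac address-table" excerpt.
MAC_RANGE_START, MAC_RANGE_END = "a0b1.c2d3.e400", "a0b1.c2d3.e4ff"
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
 173    0019.5600.0001    DYNAMIC     Gi1/0/5
 173    0019.5600.0002    DYNAMIC     Gi1/0/7
"""
def parse_show_interfaces(text):
    """Return {interface: {field: value}} from IPS 'show interfaces' output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"MAC statistics from interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            k, _, v = line.partition("=")
            v = v.strip()
            cur[k.strip()] = int(v) if v.isdigit() else v
    return ifaces
def diagnose(stats):
    """Interfaces that are Up and transmit but never receive: a Layer 2 symptom
    (wrong VLAN or port, MAC not learned), not an ASA ACL or routing problem."""
    return [n for n, f in stats.items()
            if f.get("Link Status") == "Up"
            and f.get("Total Packets Transmitted", 0) > 0
            and f.get("Total Packets Received", 0) == 0]
def mac_in_range(mac, start, end):
    """True if mac (dotted, colon or dash notation) lies within [start, end]."""
    norm = lambda m: int(re.sub(r"[.:-]", "", m), 16)
    return norm(start) <= norm(mac) <= norm(end)
def macs_seen_on_switch(mac_table, start, end):
    """MACs in a 'show mac address-table' dump that fall in the module's range."""
    hits = re.findall(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", mac_table, re.I)
    return [m.lower() for m in hits if mac_in_range(m, start, end)]
```

An empty result from macs_seen_on_switch while diagnose flags Management0/0 matches the situation in this thread: the module is sending frames, but the switch never learns its MAC, which points at VLAN or cabling rather than the ASA configuration.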

Hello,

Okay. Let us know any update.

The person in charge of the case will have access to the box so he or she will be able to run some captures.

It is weird that you do not have the MAC address of the IPS module on the switch, I would check the layer 2 topology first.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC