03-28-2021 05:25 PM
Hi everyone, yes, you've read it correctly: I can't ping sub-interfaces inside-to-inside.
My topology is -
LAN-->Switch-->ASA 5512-->ISP
Before I describe my problem, I'll say that everything is working the way it's supposed to, but I would like to accomplish an additional task which I'm having trouble with and am hoping to get some assistance.
I have multiple VLANs on the switch that correspond to the sub-interfaces on the ASA. I can ping/SSH to the switch and the ASA from the subnet that I'm connected to, and that makes sense because that's the default behavior.
What I'm trying to accomplish is to be able to ping/SSH to a sub-interface on the ASA from a subnet that I'm not directly connected to. All the sub-interfaces have the same security level of 100.
I have attached my topology for reference.
I hope it makes sense. I can provide the config if needed and hopefully we can come to a resolution.
Thanks in advance.
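For reference, a minimal ASA configuration matching the topology described above (one physical interface trunked to the switch, one sub-interface per VLAN, all at security level 100). This is an added illustration, not the original poster's configuration; the interface name, VLAN IDs and 10.10.x.0/24 addressing are assumptions. The point it makes is that on the ASA the `ssh` and `icmp` management-access statements are scoped to the interface the traffic arrives on, so an SSH or ping permit on `vlan20` says nothing about a host behind `vlan10` reaching the `vlan20` address:

```cisco
! Trunk to the switch; the sub-interfaces carry the tagged VLANs
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif vlan20
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
! Required for hosts in VLAN 10 to reach hosts in VLAN 20 when both
! interfaces are at the same security level (the "everything works" part)
same-security-traffic permit inter-interface
!
! Management access to the ASA itself is granted per arriving interface:
! each statement only matches connections that enter on that nameif
ssh 10.10.10.0 255.255.255.0 vlan10
ssh 10.10.20.0 255.255.255.0 vlan20
icmp permit 10.10.10.0 255.255.255.0 vlan10
icmp permit 10.10.20.0 255.255.255.0 vlan20
```

With this configuration a host in 10.10.10.0/24 can SSH to 10.10.10.1 and a host in 10.10.20.0/24 to 10.10.20.1, and the two subnets can route through the ASA to each other, which matches the behavior described in the question.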
03-29-2021 12:00 AM
Hello,
Post the full configs of both the switch and the ASA.
03-29-2021 10:37 AM
03-29-2021 11:24 AM
Hello,
When you say everything is working, do you mean that all users connected to any VLAN on the switch can connect to the Internet?
03-29-2021 11:52 AM
Yes, that's correct. All users can connect to the Internet regardless of the VLAN assignment. I can also ping a device on a different VLAN and access it, like a file share, or RDP into a PC. I just can't ping the sub-interfaces on the ASA.
03-29-2021 01:19 PM
Hello,
I see what you are getting at. As far as I recall, a ping from one interface to another interface on the ASA is not possible. That is by design, and basically a security feature.
When you configure subinterfaces, these are treated as completely different interfaces, just like physical interfaces.
So when you send a ping from a host on a different VLAN, that ping would enter its respective VLAN interface on the ASA, and from there would have to go to another (VLAN) interface on the same ASA. That, as stated, is not allowed, by design.
03-29-2021 04:13 PM
Ahh, ok. So let me get your opinion on something else then. Currently, if I need to SSH into the ASA, I have to check myself which VLAN I'm connected to and then SSH with that IP. In the bigger picture, what I was trying to get at was to just have one VLAN dedicated to management purposes (SSH, Telnet, etc.) and have access to that VLAN from any subnet. Is that a possibility or not? I've seen that option work on a FortiGate, but I'm not sure if it's doable on an ASA.