Hi

 

Have noone ever made a "trunk" from a ASA5506 to a switch before and got it to work?

 

thanks for the suggestions but still no luck :(

I did try to switch out the old 2940 to a new 2960-cx switch to see if there where an IOS bug on the switch but the outcome where exactly the same.

 

The ASA config is the same no changes for previous post.

 

Can't ping on the same subnet 192.168.1.0/24 cross the "trunk" on the ASA

As you can see from the test below, the switch can see both the equipment on vlan 10 and 200 on the correct ports.

And the test computer connected to the switch 192.168.1.25 can ping its gateway 192.168.1.1 (ASA)

 

The ASA is DHCP server to the computer connected to directly to it 192.168.1.10

 

So $$ question is why cant the ASA find the way when it is gateway for computer 192.168.1.25 and DHCP server for computer 192.168.1.10 ARHHH....!

 

here are the resaults:

 

Switch#sh mac address-table            
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0019.55fb.f080    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
Total Mac Addresses for this criterion: 4
Switch#sh mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0019.55fb.f080    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
 200    0090.e85f.b57a    DYNAMIC     Fa0/2
 200    00a6.ca07.54f1    DYNAMIC     Gi0/1
  10    0023.2461.e54b    DYNAMIC     Fa0/1
  10    00a6.ca07.54f1    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 8


--------------------------------------------------------------------
From PC direct connected to ASA

Vlan10 network
Pinging 192.168.1.25 with 32 bytes of data:
Reply from 192.168.1.10: Destination host unreachable.
Reply from 192.168.1.10: Destination host unreachable.
Reply from 192.168.1.10: Destination host unreachable.
Reply from 192.168.1.10: Destination host unreachable.

Ping statistics for 192.168.1.25:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

------------------------------------------------------------------
vlan200 network
Pinging 192.168.200.25 with 32 bytes of data:
Reply from 192.168.200.25: bytes=32 time=1ms TTL=255
Reply from 192.168.200.25: bytes=32 time=1ms TTL=255

-------------------------------------------------------------------

 

From PC direct connected to Switch

Vlan10 network
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
------------------------------------------------------------------

Vlan10 network
Pinging 192.168.1.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

----------------------------------------------------------------------
switc config

hostname Switch
!
!
ip subnet-zero
!
vtp domain DKCPH-TERM
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!         
vlan 10
 name inside
!
vlan 200
 name DMZ
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree portfast trunk
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
ip default-gateway 192.168.1.1
ip http server
!
line con 0
line vty 5 15
!
!         
end

Hi

We are probably in a different timezone but is it possible to plan a troubleshooting session through a teamviewer or webex?

Hi Francesco

 

If you think that it is possible to make this setup, then yes it would be helpful

I am in time zone UTC +2 CEST, I have written you a private message.

 

of course if anyone have some suggestions you are more than welcome to continue to write this

 

Br Kevin

You need a webex to get this solved.

Sorry for my late answer. I replied to your PM. We need to plan it and for sure we're gonna do a webex or teamviewer.

Hello,

 

Try pinging from withing the security zone on the firewall.  

 

ping inside 192.168.1.200  

I have trouble in configuring ASA 5506x especially the outside interface, we had 1800 router with below configuration which I want transfer to ASA 5506x. Kindly help on how to do it….
1800 series router configurations
Password:
#show ru
#show run
#show running-config
Building configuration...

Current configuration : 1528 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$eCzE$W
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
ip name-server 55.56.53.18
ip name-server 50.203.118.19
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
!

license udi pid CISCO1841C/K9 sn FGL1602259C
!

interface FastEthernet0/0
description LAN
ip address 192.168.50.1 255.255.254.0
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
!
interface FastEthernet0/0.935
!
interface FastEthernet0/1
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.920
encapsulation dot1Q 920
ip address 50.111.220.126 255.255.255.252
ip nat outside
ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!

ip nat inside source list 102 interface FastEthernet0/1.920 overload
ip route 0.0.0.0 0.0.0.0 50.111.220.125
!
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip 192.168.50.0 0.0.1.255 any
!
snmp-server community p@par!com2 RW
snmp-server community p@par!c0m2 RO
snmp-server ifindex persist
snmp-server enable traps tty
!
!
control-plane
!
banner motd ^CC NO UNAUTHORIZED LOGGING ^C
!
line con 0
password 7 13211214595C55782E292A32
logging synchronous
login
line aux 0
line vty 0 4
password 7 15360E0A567A7A762D3E3723
login
!
scheduler allocate 20000 1000
end

!
What I have done in 5506x
interface GigabitEthernet1/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1.920
vlan 920
nameif outside
security-level 0
ip address 50.111.220.126 255.255.255.252

!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list 102 extended permit ip 192.168.50.0 255.255.255.0 any
access-list outside extended permit icmp any any echo
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected

you're missing the route and the nat:

route outside 0.0.0.0 0.0.0.0 50.111.220.125
object network object_any
subnet 0.0.0.0 0.0.0.0
object network object_any
nat (inside,outside) dynamic interface

Let's try it and come with the result please.