cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
775
Views
0
Helpful
8
Replies

ASA 5520 Sub Ints --> Dell 2724 Switch

chrisbicm
Level 1
Level 1

Hello,

I currently have 2 ASA 5520s in an Active/Standby configuration. I have set up 2 VLANs on the ASA corresponding to port g0/0.

Config:

Int g0/0.1

vlan 10

nameif Outside66

ip address 66.38.xxx.xx 255.255.255.224

Int g0/0.2

vlan 20

nameif Outside64

ip address 64.187.xx.xxx 255.255.255.224

Now on my Dell 2724 Switch:

I have set Port 2 (The port connected to the ASA 5520) as Trunk to accept information from Vlan10 and Vlan20. I also set the PVID as 4065 which will drop all untagged packets (which shouldnt be a problem because any information comming in on this port should be tagged as 10 or 20 from the ASA). For some reason I cant ping the switch IP from the ASA or viceversa. I was just wondering if there was some special setting on the ASA that I need to set?? Or if anyone knows anything about the switch. I know this post would be a little more "cisco like" if we had a catlyst, but we dont so I decided to ask anyways.

Thanks,

Chris

8 Replies 8

mmorris11
Level 4
Level 4

Is the switch IP address a public address like one of the vlan subnets?

mgaysek
Level 1
Level 1

We need a little more information.

Is the switch ip assigned to one of the vlans configured on the asa. Does the ASA know how to get back to the switch if it is not vlan 10 or 20. Are you allowing icmp to the asa.

Hello,

Ok I have put the switch on the same subnet as the Outside66 interface. So its 66.38.xxx.xx 255.255.255.224.

Basically this is complete bare bones testing on our end but the real idea is that we have 2 100Mb Pipes comming into our office, but we want to leverage both pipes on 1 single physical interface because we have a Private (g0/1) / DMZ (g0/2) / FailOver Interface (g0/3).

So as I stated I set up those sub-ints on the ASA 5520. I attached a cable from that port (g0/0) to port 2 on the Switch (port 2 is set up to recieve VLAN information from VLANs 10 and 20. All untagged packets will be dropped (this means that No the ASA doesnt know how to get back to the switch if its not VLAN traffic). The ASA is currently not set up to accept ICMP packets, but thats not where the problem lies, I am literally just trying to ping the switch from the ASA going over the trunk line using the sub-interfaces. I am not sure why but the ping isnt currently working. Any suggestions?? (Maybe try putting my switch on a different subnet or something?) I am pretty lost. Thanks for the responses

Chris

Hey Chris,

Can you ping from the asa to the internet, like yahoo? How is your acl set up? From what you are saying I do not think it is an issue with the switch, but rather the asa is droping the icmp echo-reply packets. With the asa and pix, icmp works like two seperate connections. So even though you are originating the ping from the asa, an acl needs to be in place to allow the responce.

Have you seen anything in the logs, such as denies or no translation for type messages?

Let me know if this helps.

Hello,

No I cant ping anything on the outside either. I actually just set up super generic ACLs to let everything comming in or going from the destination network and it still didnt work. I even set up a Route Outside66 command but that didnt work. Because I am just in the testing phase I will provide you with the IPs and tell me what you think.

The ASA g0\0.1 Vlan 10 is 66.38.173.130 nameif Outside66 255.255.255.224

My Switch IP is 66.38.173.165 255.255.255.224

All I want to do is set it up so I can ping from the ASA to the switch IP or a host on that subnet that is plugged into that switch. I also Allowed all ICMP messages on the ASA and that didnt seem to help the pinging problem. Thanks again for the help, if you have any ideas or suggestion for the actual commands that I should enter it would be apreciated. I am not sure why it isnt workign for me. I have experience with the ASA just not with Sub-ints... starting to get frustrated to be honest.

Thanks,

Chris

Look like the ip address of VLAN10 ASA is not in the same subnet with the switch.

Can you change the ip address of the switch to 66.38.173.155?

in order to ping ASA from the switch, you must have an access list to allow icmp from 66.38.173.155

IPs have changed a bit so they are on the exact same subnet. I have also set up access lists to allow ICMP. Even without pinging I just want to be able to do a very generic test. Server with IIS hitting the "Inside" interface of my ASA 10.10.100.XX 255.255.255.0. The VLAN port g0/0 going to my switch, and another test server attached to the switch which will attempt to contact the IIS server.

Host-------Switch---------ASA---------IISHost

Thats what it looks like. I have done a bunch of ASA stuff but this is just completely thrown me for a turn. I have set up access-lists to allow any host trying to hit the IISHost test server, I have also allowed any ICMP traffic (for ping testing) for any of the interfaces. For testing purposes here are my IPs:

Host: 66.38.173.xxx 255.255.255.224

Switch: 66.38.173.xxx 255.255.255.224

ASA: g0/0.1 66.38.173.xxx 255.255.255.224

g0/0.2 64.187.36.xxx 255.255.255.224

g0/1 10.10.100.x 255.255.255.0

IISHost (attached to the ASA g0/1 port) 10.10.100.x 255.255.255.0

Thanks

Chris

Can you provide a current config? Minus the confidential stuff.

Thanks,

marcus

PS. Sorry for my delay, but was out on vaca.

Review Cisco Networking for a $25 gift card