07-24-2006 05:38 AM - edited 02-21-2020 01:03 AM
Hello,
I currently have 2 ASA 5520s in an Active/Standby configuration. I have set up 2 VLANs on the ASA corresponding to port g0/0.
Config:
interface GigabitEthernet0/0.1
 vlan 10
 nameif Outside66
 ip address 66.38.xxx.xx 255.255.255.224
interface GigabitEthernet0/0.2
 vlan 20
 nameif Outside64
 ip address 64.187.xx.xxx 255.255.255.224
Now on my Dell 2724 Switch:
I have set Port 2 (the port connected to the ASA 5520) as a trunk to accept information from VLAN 10 and VLAN 20. I also set the PVID as 4065, which will drop all untagged packets (which shouldn't be a problem because any information coming in on this port should be tagged as 10 or 20 from the ASA). For some reason I can't ping the switch IP from the ASA or vice versa. I was just wondering if there was some special setting on the ASA that I need to set? Or if anyone knows anything about the switch. I know this post would be a little more "Cisco like" if we had a Catalyst, but we don't, so I decided to ask anyway.
Thanks,
Chris
07-24-2006 10:44 AM
Is the switch IP address a public address like one of the vlan subnets?
07-24-2006 11:47 AM
We need a little more information.
Is the switch IP assigned to one of the VLANs configured on the ASA? Does the ASA know how to get back to the switch if it is not VLAN 10 or 20? Are you allowing ICMP to the ASA?
07-25-2006 05:13 AM
Hello,
OK, I have put the switch on the same subnet as the Outside66 interface. So it's 66.38.xxx.xx 255.255.255.224.
Basically this is complete bare-bones testing on our end, but the real idea is that we have 2 100Mb pipes coming into our office, but we want to leverage both pipes on 1 single physical interface because we have a Private (g0/1) / DMZ (g0/2) / Failover Interface (g0/3).
So as I stated, I set up those sub-ints on the ASA 5520. I attached a cable from that port (g0/0) to port 2 on the switch (port 2 is set up to receive VLAN information from VLANs 10 and 20). All untagged packets will be dropped (this means that no, the ASA doesn't know how to get back to the switch if it's not VLAN traffic). The ASA is currently not set up to accept ICMP packets, but that's not where the problem lies; I am literally just trying to ping the switch from the ASA going over the trunk line using the sub-interfaces. I am not sure why, but the ping isn't currently working. Any suggestions? (Maybe try putting my switch on a different subnet or something?) I am pretty lost. Thanks for the responses.
Chris
07-25-2006 06:55 AM
Hey Chris,
Can you ping from the ASA to the internet, like Yahoo? How is your ACL set up? From what you are saying I do not think it is an issue with the switch, but rather the ASA is dropping the ICMP echo-reply packets. With the ASA and PIX, ICMP works like two separate connections. So even though you are originating the ping from the ASA, an ACL needs to be in place to allow the response.
Have you seen anything in the logs, such as denies or no translation for type messages?
Let me know if this helps.
07-27-2006 10:57 AM
Hello,
No, I can't ping anything on the outside either. I actually just set up super generic ACLs to let everything coming in or going from the destination network, and it still didn't work. I even set up a Route Outside66 command, but that didn't work. Because I am just in the testing phase, I will provide you with the IPs; tell me what you think.
The ASA g0/0.1 VLAN 10 is 66.38.173.130 nameif Outside66 255.255.255.224
My switch IP is 66.38.173.165 255.255.255.224
All I want to do is set it up so I can ping from the ASA to the switch IP or a host on that subnet that is plugged into that switch. I also allowed all ICMP messages on the ASA, and that didn't seem to help the pinging problem. Thanks again for the help; if you have any ideas or suggestions for the actual commands that I should enter, it would be appreciated. I am not sure why it isn't working for me. I have experience with the ASA, just not with sub-ints... starting to get frustrated, to be honest.
Thanks,
Chris
08-02-2006 09:12 AM
Looks like the IP address of the VLAN 10 ASA interface is not in the same subnet as the switch.
Can you change the IP address of the switch to 66.38.173.155?
In order to ping the ASA from the switch, you must have an access list to allow ICMP from 66.38.173.155.
08-04-2006 05:37 AM
IPs have changed a bit, so they are on the exact same subnet. I have also set up access lists to allow ICMP. Even without pinging, I just want to be able to do a very generic test: a server with IIS hitting the "Inside" interface of my ASA, 10.10.100.XX 255.255.255.0; the VLAN port g0/0 going to my switch; and another test server attached to the switch, which will attempt to contact the IIS server.
Host-------Switch---------ASA---------IISHost
That's what it looks like. I have done a bunch of ASA stuff, but this has just completely thrown me for a turn. I have set up access-lists to allow any host trying to hit the IISHost test server, and I have also allowed any ICMP traffic (for ping testing) for any of the interfaces. For testing purposes, here are my IPs:
Host: 66.38.173.xxx 255.255.255.224
Switch: 66.38.173.xxx 255.255.255.224
ASA: g0/0.1 66.38.173.xxx 255.255.255.224
g0/0.2 64.187.36.xxx 255.255.255.224
g0/1 10.10.100.x 255.255.255.0
IISHost (attached to the ASA g0/1 port) 10.10.100.x 255.255.255.0
Thanks
Chris
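Pulling the thread's pieces together, as an added example that is not part of any post above (not Chris's or Marcus's configuration): an ASA 5520 configuration in the pre-8.3 syntax of the 2006-era software the thread is using, covering the two-VLAN trunk on g0/0 from the first post, the ICMP "two separate connections" point from the 07-25 reply, the subnet mismatch from the 08-02 reply, and the Host-Switch-ASA-IISHost test from the last post. Everything not stated in the thread is an assumption for illustration: the provider gateway 66.38.173.129, the Outside64 host octet, the inside address 10.10.100.1, the IIS host at 10.10.100.10 published as 66.38.173.140, and the ACL and capture names. One switch-side check the thread never states: the Dell's management address has to be a member of VLAN 10, not the default management VLAN, or the ASA's tagged frames never reach it.

```cisco
! Parent port carries the 802.1Q trunk only: no address, no nameif, but it
! must be administratively up or every sub-interface stays down with it.
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown

! 255.255.255.224 is a /27. 66.38.173.130 sits in 66.38.173.128/27, whose
! usable hosts are .129-.158 (broadcast .159). The original switch address
! .165 is in the next block, 66.38.173.160/27, so it was never L2-adjacent.
interface GigabitEthernet0/0.1
 vlan 10
 nameif Outside66
 security-level 0
 ip address 66.38.173.130 255.255.255.224

! Host octet below is assumed; the thread masks it.
interface GigabitEthernet0/0.2
 vlan 20
 nameif Outside64
 security-level 0
 ip address 64.187.36.130 255.255.255.224

! Inside address assumed.
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.100.1 255.255.255.0

! Default route via the assumed provider gateway on VLAN 10.
route Outside66 0.0.0.0 0.0.0.0 66.38.173.129 1

! Pings sourced by the ASA: the echo-reply is a new inbound flow. Stateful
! ICMP inspection is the clean fix; it lets replies back in without a
! permit-any hole in the outside ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! Without inspection you would instead have to permit the replies explicitly.
! Shown here for the test only; narrow "any" to the real peers afterwards.
access-list OUTSIDE66_IN extended permit icmp any any echo-reply
access-list OUTSIDE66_IN extended permit icmp any any time-exceeded
access-list OUTSIDE66_IN extended permit icmp any any unreachable

! Test from the last post: outside host -> IISHost. Pre-8.3 static NAT
! publishes the inside server on a VLAN 10 address, and the inbound ACL
! permits only HTTP to that address (mapped and inside addresses assumed).
static (Inside,Outside66) 66.38.173.140 10.10.100.10 netmask 255.255.255.255
access-list OUTSIDE66_IN extended permit tcp any host 66.38.173.140 eq www
access-group OUTSIDE66_IN in interface Outside66

! ICMP aimed at the ASA's own interface addresses is controlled separately
! from through-traffic; allow it during the test, then restrict the source.
icmp permit any Outside66
icmp permit any Outside64

! Checks, in the order that isolates the fault:
! 1. both interfaces up/up (a down parent explains "nothing works" by itself)
show interface GigabitEthernet0/0
show interface GigabitEthernet0/0.1
! 2. ping the switch at the address suggested in the 08-02 reply, sourced
!    from the VLAN 10 sub-interface
ping Outside66 66.38.173.155
! 3. if it still fails, capture on the sub-interface: no echo-reply in the
!    capture means a switch/VLAN problem, a reply with no success means an
!    ASA policy problem (then read the denies in show logging)
access-list CAP_ICMP extended permit icmp any any
capture vlan10 access-list CAP_ICMP interface Outside66
ping Outside66 66.38.173.155
show capture vlan10
show logging | include 66.38.173.155
```

The `inspect icmp` line and the explicit echo-reply permits are alternatives, not both required; the ACL lines are kept so the capture can distinguish "reply never arrived" from "reply arrived and was dropped".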
08-15-2006 06:33 AM
Can you provide a current config? Minus the confidential stuff.
Thanks,
marcus
PS. Sorry for my delay, but was out on vaca.