Buy or Renew
Buy or Renew
Meraki Community is live! Welcome Meraki Members! Learn more here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
647
Views
0
Helpful
3
Replies

ASA 5520: Sub-Ints / Testing / Trunking. *frustrated*

chrisbicm
Level 3
Level 3

‎07-31-2006 06:38 AM - edited ‎02-21-2020 01:04 AM

Hello,

I am currently trying to configure sub-interfaces on my ASA 5520. During my setup things seemed to go smoothly but once I hooked everything up there is no communication from one end to the other. Basically I am trying to access a webserve on the DMZ side from a computer on the Outside, but when I try my Dell 2724 doesnt seem to be able to access the website on the DMZ side from Outside. This is very basic general configuration that I have set up on the ASA so far.

I have also included a document with my complete setup. If anyone out there has suggestions, commands I should enter or anything at all... it would be much appreciated. I am just wondering which port I should tag eggress traffic and which I should untag it. I would assume that the port that the request is comming in on should Tag the traffic because it needs to head through the switch and through VLAN 10 to be routed to the DMZ network. I have tried many combinations of access-lists, static routes and other things and I am starting to get a bit frustrated. If anyone has some insight... it would be a life saver.

Int g0/0.1

Vlan 10

Nameif Outside66

Ip address 66.38.173.xx 255.255.255.224

Int g0/0.2

Vlan 20

Nameif Outside64

Ip address 64.187.33.xxx 255.255.255.224

Int g0/1

Nameif DMZ

Ip address 10.10.100.xx 255.255.255.0

static (DMZ,Outside66) 66.38.173.150 10.10.100.10 netmask 255.255.255.255 0 0

access-list OUT permit tcp any host 66.38.173.150 eq www

access-list DMZ permit tcp host 10.10.100.10 any eq www

access-list DMZ permit tcp any host 10.10.100.10 any eq www

global (Outside66) 1 66.38.173.132-66.38.173.140

access-group OUT in interface outside66

access-group DMZ in interface DMZ

Thanks a lot,

Chris

0 Helpful
3 Replies 3

chrisbicm
Level 3
Level 3

‎07-31-2006 06:39 AM

Here is my setup.

4013-TestSetup.vsd
0 Helpful

a.kiprawih
Level 11
Level 11
In response to chrisbicm

‎07-31-2006 07:05 AM

Hi Chris,

Try re-write the access-group OUT from "access-group OUT in interface outside66" to "access-group OUT in interface Outside66".

Also, permit ICMP@ping to ease troubleshooting (access-list OUT permit icmp any any) and to let you know that the DMZ server is reachable. This allows you to narrow down the troubleshooting scope. You can always remove the icmp later.

Rgds,

AK

0 Helpful

chrisbicm
Level 3
Level 3
In response to a.kiprawih

‎07-31-2006 07:50 AM

AK,

No luck on the change from outside66 to Outside66 unfortunatly. I did notice something strange. I attached the computer on the outside network to the port on the 2724, and set it up to Tag eggress traffic because the request would have to be tagged I assume for it to pass itself to Vlan10 on the ASA. Whenever I do this... I cant ping the switch from the server anymore, but if I unplug it from the tagged port and plug it into any random port with no Vlans assigned to it, I can ping just fine. I also tried Untagging that port and I still couldnt ping. Not sure what the problem is there.

Thanks,

Chris

(I am not sure if this will help anyone out to determine my actual situation... or if anyone has time to take look at the link for me but here is the link to the 2724 documentation. Its short and pretty straight forward https://support.dell.com/support/edocs/network/PC27xx/en/ug/system.htm#1115352)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card