Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
301
Views
0
Helpful
3
Replies

ASA not reachable in a bridged network

samosn488
Level 1
Level 1

‎06-27-2016 02:59 AM - edited ‎03-12-2019 12:57 AM

Im' using an ASA (5520) as firewall and ipsec gateway.

So far so good. For a migration scenario i need to brifge the local network (connected at the asa) to an other location.

Like many times before I'm using virtual machines with openvpn to do the job. The OpenVpn solution works fine an i can ping hosts connected to the internal network on and from both sides - except the internal ASA interface.

I.e. the internal network is 192.168.150.0/24 and the ASA interface in that network is 192.168.150.1.

Pining from i.e. 192.168.150.25 (on the same side the ASA resides) to 192.168.150.1 works. Starting openvpn  from the moment the TAP interface gets connected to its partner the ping fails (host unreachable). Other hosts on the same side can ping eaxch other without any problems.

The ASA doesnt's show me anything at the log, no visible blocking, nothing.

any ideas?

regards

Labels:
0 Helpful
3 Replies 3

James Leinweber
Level 4
Level 4

‎06-27-2016 09:25 AM

This is normal and by design; ASA won't let you ping any interface except the management interface in the downlink direction. It annoys everyone.

-- Jim Leinweber, WI State Lab of Hygiene

0 Helpful

samosn488
Level 1
Level 1
In response to James Leinweber

‎06-27-2016 10:53 AM

Hm - in the moment I stop the bridge I can ping the internal ASA interface.

I.e. ping 192.168.150.1 from 192.168.150.25 (and vice versa) relies, I start the bridge and it changes to "host unreachable".

Also the interface is not usable anymore for everything else. It is the default gateway for all systems in 192.168.150.0/24. The moment I start the bridge there is no internet access anymore from systems in using that gateway.

0 Helpful

samosn488
Level 1
Level 1
In response to samosn488

‎06-28-2016 12:46 PM

Solved the problem now!

Even the virtualized parts of the bridged net work could see each other thru the bridge without any vlan tagging, the only involved hardware part was the asa on one side.

Therefore the two switches have seen each other and on port (on tne side with the asa) has been shutdown by a vlan conflict.

After solving this everything works like a charm.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card