Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2081
Views
0
Helpful
2
Replies

ASA Routing from outside to sub-interfaces

Go to solution
MM64907
Level 1
Level 1

‎02-15-2021 01:56 PM - edited ‎02-25-2021 07:51 AM

I am adding a new ASA for a new  segment on the network. the current existing network (10.10.0.0/16) should be able to access this Test segment. Here is my scenario:

 

 switch(L2)---trunk----ASA----L3link----ExistingL3Switch(with 10.10.0.0/16)

 

on ASA I have the sub interface configured for g0/1.50 (for the new vlan 50) and trunked up to the L2 switch. the GW will be here on ASA 192.168.50.1

on the ASA g0/0 it is outside interface with 10.10.40.9/30 IP and on the L3 switch the 10.10.40.10/30 as the IP address. they can ping each other.

on L3 switch I have a static route to send the 192.168.50.0/24 to 10.10.40.9

on ASA outside 10.10.0.0/16 to 10.10.40.10

I dont need NAT or anything bc these are all private IPs. 

I still can't ping the SVI (192.168.50.1) nor ssh (I allowed ssh to it as well) from the L3 switch.

 

What am I missing? Plz help.

on the ASA I have the 10.10.0.0/16 to be routed to the outside interface and go to the L3S

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎02-15-2021 02:04 PM

@MM64907 Just to be clear you are pinging from a device connected to the outside interface of the ASA, attempting to ping the Gi0/0.50 SVI interface of the ASA? If so, that won't work, by design. You cannot be connected to one ASA interface (outside) and ping through the ASA to one the ASA's far interfaces (vlan50).

 

If you want to test connectivity to a device in vlan50, ping through the ASA to a device behind the ASA (not the ASA itself)....you'll also need to ensure you have the ACL permitting traffic.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎02-15-2021 02:04 PM

@MM64907 Just to be clear you are pinging from a device connected to the outside interface of the ASA, attempting to ping the Gi0/0.50 SVI interface of the ASA? If so, that won't work, by design. You cannot be connected to one ASA interface (outside) and ping through the ASA to one the ASA's far interfaces (vlan50).

 

If you want to test connectivity to a device in vlan50, ping through the ASA to a device behind the ASA (not the ASA itself)....you'll also need to ensure you have the ACL permitting traffic.

0 Helpful

Go to solution
MM64907
Level 1
Level 1
In response to Rob Ingram

‎02-25-2021 07:52 AM

thanks, the ACL was missing.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card