Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
725
Views
5
Helpful
3
Replies

ASA tO Router

benolyndav
Level 4
Level 4

‎05-13-2021 06:51 AM

Hi

Am i missing something simple here, attached is a topology where I have an ASA connected to a switch which connects to another switch and then to a Router, if i configure IP on Router physical Interface I can ping the ASA through the switches, if i configure a sub interface in same subnet as ASA Interface cant ping the ASA, ive tried also using vrf on Router with encapsulation that matches vlan on switches.

 

any pointers please

 

 

Preview file
6 KB
0 Helpful
3 Replies 3

Seb Rupik
VIP Alumni
VIP Alumni

‎05-13-2021 07:10 AM

Hi there,

It sounds as if you must access type access switchports all the way between the ASA and router so the frames are traveling untagged.

If you want to use a sub-interface then the router must receive tagged frames.

 

What you need to do is configure the switchport between iosvl2-1 and the router as a trunk port, tagging whatever VLAN ID you are using on the switchport between the ASA and iosvl2-0

 

cheers,

Seb.

benolyndav
Level 4
Level 4
In response to Seb Rupik

‎05-13-2021 07:43 AM

Hi

Router

interface GigabitEthernet0/3.107
encapsulation dot1Q 107
ip vrf forwarding axley
ip address 10.102.104.1 255.255.255.0

Router#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID
inserthostname_here
Gig 0/3 166 R S I Gig 0/3

--------------------------------------------------------------------------

Switch

interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
end

Port Vlans in spanning tree forwarding state and not pruned
Gi0/3 1,107

---------------------------------------------------------------

the next swith is trunk between these two switches allowing vlan 107

-------------------------------------------------------------------

ASA

ip address 10.102.104.4 255.255.255.0

same subnet as Router, but can only ping firewall if ip address is on physical interface of router

 

0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni

‎05-14-2021 01:48 AM

can you confirm that the switchport which is connected to the ASA looks like:

int gix/x
  swhitchport mode access
  switchport access vlan 107
  no shut
!

Also on each switch can you show the output of sh spanning vlan 107

 

cheers,

Seb.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card