Solved: ASA-V on CML not working with sub-interfaces

GB2452 · ‎02-03-2021

Dear All,

I'm trying to create an asa-v (using CML 2.1.2-b39) sub-interface to make able a host to configure it via ASDM, but despite the configuration is not working.

Please advise if I'm missing something.

Here the configuration of the asa-v / switch (end host is an alpine server using static IP address)

Am I missing something? Thanks in advance

ASA-V

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.12(2)

ciscoasa# show nameif
Interface Name Security
GigabitEthernet0/0.10 inside 100

ciscoasa(config)# show int ip bri
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset up up
GigabitEthernet0/0.10 192.168.1.1 YES manual up up

interface GigabitEthernet0/0
no nameif
no security-level
no ip address

interface GigabitEthernet0/0.10
vlan 10
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

ciscoasa(config)# show run policy-map

policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect http
inspect icmp

sw interface against asa-v

interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk

sw interface against host

nterface GigabitEthernet0/1
switchport access vlan 10
switchport mode access

vlan config

s1#show vlan brief | i 10
10 VLAN0010 active Gi0/1

interface vlan 10 status

s1#show ip int brief
Vlan10 192.168.1.11 YES manual up up

ping from host to sw1

alpine-xfce:~$ ping 192.168.1.11
PING 192.168.1.11 (192.168.1.11): 56 data bytes
64 bytes from 192.168.1.11: seq=0 ttl=42 time=4.423 ms
64 bytes from 192.168.1.11: seq=1 ttl=42 time=4.922 ms
^C
--- 192.168.1.11 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.423/4.672/4.922 ms

ping from host to asa-v

alpine-xfce:~$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
^C
--- 192.168.1.1 ping statistics ---
17 packets transmitted, 0 packets received, 100% packet loss

balaji.bandi · ‎02-04-2021

inspect icmp - you have that should work - can you post show route from ASA

try below :

access-list inside_in extended permit any any
access-group inside_in in interface inside
icmp permit any inside

check the syntax - some time hard to type from mobile device and read also.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

balaji.bandi · ‎02-03-2021

what is the PC IP address ? and gateway for the PC ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

GB2452 · ‎02-03-2021

Dear Bajali Bandi,

The host ip address is 192.168.1.3

mask 255.255.255.0

gw 192.168.1.1

host is able to ping switch 192.168.1.11 (switch int vlan 10)

but it's not able to ping asa-v sub-intf and viceversa

balaji.bandi · ‎02-04-2021

PC check the FW (windows has default FW enabled)

From switch able to ping PC ?

what You see Logs when you Ping FW IP as Gateway ?

post fuill config of switch and FW.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

GB2452 · ‎02-04-2021

attached full config

thanks for your kind support

balaji.bandi · ‎02-04-2021

i will review the config later - can you give below outcome :

PING From Switch to PC

PING From ASA to Switch

PING From ASA to PC

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

GB2452 · ‎02-04-2021

PING From Switch to PC

S2#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/3 ms

PING From ASA to Switch

ciscoasa# ping 192.168.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

PING From ASA to PC

ciscoasa# ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)