ASA

davemonk
Level 1

I have a layered network where the majority of servers have access to two networks (through their own separate NICs). Everything is connected to an SF300-48 switch with four VLANs set up (including VLAN1). Everything is sitting behind an ASA5520.

This entire network is in a remote location, and when I'm sitting on VLAN1, attached to a port which has membership in all 4 VLANs, all I need to do is switch my IP addresses and I'm able to access each individual VLAN with no issue.

My question is that I'm setting up an IPSec tunnel from my office to this remote network. Setting up the tunnel is just fine and is certainly working for anything that I put on VLAN1, but now I'm stuck on how to access the individual VLANs 10, 20 and 30. From research, I'm thinking that this is a sub-interface question, but I've not used them before. The VLANs are set up on the SF300 and not on the ASA.

With no subinterfaces configured and with the Gi0/3 ("inside") interface of my ASA set up as 10.0.0.1, I can easily ping the SF300 switch (configured as 10.0.0.2) and a CSS11501 (as 10.0.0.3). The connection between Gi0/3@5520 and e1@SF300 is a simple CAT6 cable, and that port (Ethernet1) on the SF300 is configured as a trunk port, VLAN1.

As soon as I reconfigure Gi0/3 and bring on some VLAN IDs, everything just stops being pingable.

This is how I've got my ASA configured:

interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/3.10
 vlan 10
 nameif VLAN10
 security-level 100
 ip address 10.0.10.254 255.255.255.0
!
interface GigabitEthernet0/3.20
 vlan 20
 nameif VLAN20
 security-level 100
 ip address 172.16.0.1 255.255.255.0

I've tried setting the SF300 up in both Layer 2 (default) and Layer 3 modes, but still no luck.

Any ideas???

1 Reply

Have you enabled the command "same-security-traffic permit intra-interface"?

As all the interfaces are at the same security level, for traffic to flow from one sub-interface to another sub-interface with the same security level you have to enable this command.

Nitesh
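One way to lay out both ends of the trunk, as an added example that is not part of the original post or the reply above. It reuses the VLAN IDs and addresses from the question. Two points it makes explicit: an ASA subinterface only receives 802.1Q-tagged frames, and an SF300 trunk port sends its native VLAN (VLAN 1 by default) untagged, so the VLAN 1 "inside" addressing is placed on the physical interface rather than on a `vlan 1` subinterface; and `same-security-traffic permit inter-interface` is the setting that allows routing between two different interfaces at the same security level (the `intra-interface` form permits traffic that enters and leaves the same interface, for example a VPN client reaching hosts behind the interface it arrived on). The switch port name `gi1` is an assumption for the port the question calls Ethernet1; VLAN 30 has no subnet on the page, so it is only added to the switch side.

```cisco
! ---- SF300 side (assumed port gi1 faces ASA Gi0/3) ----
vlan database
 vlan 10,20,30
exit
interface gi1
 switchport mode trunk
 ! VLAN 1 stays native (untagged); 10/20/30 are carried tagged
 switchport trunk allowed vlan add 10,20,30
exit

! ---- ASA side ----
! Untagged (VLAN 1) frames are handled by the physical interface,
! so it keeps the inside addressing instead of a "vlan 1" subinterface.
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/3.10
 vlan 10
 nameif VLAN10
 security-level 100
 ip address 10.0.10.254 255.255.255.0
!
interface GigabitEthernet0/3.20
 vlan 20
 nameif VLAN20
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
! Allow routing between interfaces that share security-level 100
same-security-traffic permit inter-interface
```

Two checks worth doing once this is in place: `show interface GigabitEthernet0/3.10` on the ASA should show the subinterface up with input packets once a VLAN 10 host sends traffic, and `show vlan` on the SF300 should list 10, 20 and 30 as tagged on gi1. For the office-to-site tunnel, the crypto map's interesting-traffic access list and any NAT exemption must also name 10.0.10.0/24 and 172.16.0.0/24; if they only list 10.0.0.0/24, the VLAN 10 and VLAN 20 subnets will be routable locally but will never be encrypted across the tunnel.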
