01-07-2019 03:04 PM - edited 02-21-2020 08:38 AM
Hi,
I have an ASA5520 and have configured multiple VLANs, but I wish for them to communicate between 2 of them (10 and 100). I have configured intra-interface and also the NAT rules to communicate between each other, but it still will not talk across VLAN 10 and 100.
I have attached the configs. I have an ASA5520, an 887va acting as a DHCP server on DHCP relay from the ASA, and a 3750 switch.
01-09-2019 02:43 AM
Let me summarise why you can and why you can't.
1. Your Network-Managment (GigabitEthernet0/0.100), Chatterton-Net (interface GigabitEthernet0/0.10) and the management (Management0/0) interfaces are all at level 100. On top of this you have configured the following commands:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Now if you ping from a PC in Network-Managment to Chatterton-Net or to management, the ping will be successful; however, if you try to open ASDM from these, this will not work, as you only define certain subnets/IP addresses to get connected to ASDM, which are:
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.20.100.0 255.255.255.0 Network-Managment
which means you need to be in these IP address range(s) (subnet) in order to open ASDM.
Also remember the ASA does stateful inspection. Whatever initiates from level 100 with NAT rules can go out. Nothing can come in from outside unless you define an ACL rule.
Please do not forget to rate if I helped you.
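To tie the accepted answer together, here is an added illustrative ASA fragment (not the poster's attached config, nor anything the answerers posted). Interface names, VLAN ids, the 10.20.100.0/24 subnet and the existing http lines come from the thread; the Chatterton-Net address 10.20.10.1/24, its http line and the ICMP inspection lines are assumptions added for illustration.

```cisco
! Added illustrative fragment; Chatterton-Net addressing, its http line
! and the inspect icmp lines are assumptions, not taken from the thread.
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif Chatterton-Net
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface GigabitEthernet0/0.100
 description management-only
 vlan 100
 nameif Network-Managment
 security-level 100
 ip address 10.20.100.1 255.255.255.0
!
! Both sub-interfaces sit at security-level 100, so hosts on VLAN 10 and
! VLAN 100 can reach each other only with these two lines present.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! ASDM/HTTPS access to the ASA itself is a separate, per-interface rule:
! each http line names the source subnet AND the interface it arrives on.
! A PC on VLAN 10 must target the address of the interface it enters on
! (10.20.10.1); it cannot manage the ASA via 10.20.100.1 from VLAN 10
! even though through-traffic between the two VLANs is permitted.
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.20.100.0 255.255.255.0 Network-Managment
http 10.20.10.0 255.255.255.0 Chatterton-Net
!
! Ping through the ASA (VLAN 10 host to a VLAN 100 host) needs ICMP
! inspection so the echo reply is matched to a connection entry; without
! it, use a TCP test (ssh or https to a host) to check connectivity.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Keep the http lines as narrow as the management stations actually need; each one is a management-plane allow rule, not a through-traffic rule.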
01-07-2019 08:06 PM
01-08-2019 12:18 AM
Mohammed al Baqari is right. And put it in that way.
!
interface GigabitEthernet0/0.100
description management-only
vlan 100
nameif Network-Managment
security-level 100
ip address 10.20.100.1 255.255.255.0
!
Can you confirm if you can ping 10.20.100.4 from the firewall CLI?
I also understand that the firewall is connected to switch port 1/0/48.
01-08-2019 01:41 AM
Thanks guys for the help, I will give that a try tonight.
Yes, the firewall is connected to 1/0/48 and the DHCP is on 1/0/47.
Will I still be able to access the firewall by ASDM on 10.20.100.1?
01-08-2019 02:26 AM
Yes, that's correct, you would be able to connect to ASDM.
I double checked you have the config
http 10.20.100.0 255.255.255.0 Network-Managment
!
So once you have applied the new config, which is
interface GigabitEthernet0/0.100
description management-only
vlan 100
nameif Network-Managment
security-level 100
ip address 10.20.100.1 255.255.255.0
!
01-08-2019 11:50 AM
That worked and I can ping the DHCP server 10.20.100.2 and the switch 10.20.100.4, but I can't ping the ASA on 10.20.100.1.
Any ideas?
01-08-2019 11:51 AM
OK, let me see the config you posted earlier.
01-08-2019 11:54 AM - edited 01-08-2019 11:59 AM
From the switch, when you ping the ASA, do it in this order:
ping 10.20.100.1 source vlan 100
Also please confirm if you can access https://10.20.100.1
01-08-2019 12:31 PM
I can ping 10.20.100.1 from the ASA but I can't ping it from a PC connected to VLAN 10.
I can't access the web page either from a PC on VLAN 10; it's fine if I move the PC to VLAN 100.
01-08-2019 12:47 PM
I can't access the web page either from a PC on VLAN 10; it's fine if I move the PC to VLAN 100.
What web page are you trying to open that is not working? Are you trying to open the page 10.20.100.1 from VLAN 10? This won't work, as we do not allow it in our rule.
Can you google from VLAN 10?
I can ping 10.20.100.1 from the ASA but I can't ping it from a PC connected to VLAN 10.
Do a ping test from 10.20.100.x to 10.20.100.1
(or)
Go to the switch CLI and give the command ping 10.20.100.1 source vlan 100
01-09-2019 02:01 AM
I am trying to get onto the web page for the ASA and it will not let me. I also can get to the ASA via ASDM from VLAN 100.
I can get onto it by using 10.20.10.1, which is fine and I can live with it; I just can't see why I can't do it when I go to 10.20.100.1.
If I put the PC on VLAN 100 then I can access the firewall by 10.20.100.1.
I do not get any internet on VLAN 100, but that's fine, I don't want that to access the internet.
01-09-2019 02:15 AM
By design you cannot connect to the ASA on an interface other than the one you entered on.
Pings via the ASA will only work if you have enabled ICMP inspection. Generally speaking it is better to use a connection-oriented protocol like TCP to test connectivity (e.g. browse to a web server, ssh or telnet to a host, etc.).