03-27-2017 05:42 AM - edited 03-12-2019 02:07 AM
Hey there,
We have a Cisco ASA 5506-X which has the following interfaces:
Interface 1/3
inside-lan
192.168.40.0/22
security 100
Interface 8.10
VLAN10
172.16.10.1
security 100
The hardware interface 8 is unconfigured but enabled, and the switch carrying VLAN 10 is connected to this port.
Now I want to get from my inside-lan into VLAN10, specifically from 192.168.41.141 to 172.16.10.187.
Using the ASDM Packet Tracer everything is fine (check the attached picture), but I can't actually ping or SSH to 172.16.10.187, and from 172.16.10.187 I can't ping back to 192.168.41.141.
I can't even ping the machine behind 172.16.10.187 from the Cisco ASA.
Since the ASDM is telling me that everything is fine, which steps should I take next? ASDM is no help, as it tells me stuff which isn't working...
Pinging and everything works fine if I connect my client to the switch with VLAN 10, so the client with 172.16.10.187 isn't at fault...
03-27-2017 06:55 AM
I would take captures on the inside-lan and VLAN10 interfaces to see what happens to the traffic when you ping. You should see inbound and outbound on both interfaces when it works. Also, attach your complete config if you can.
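The capture workflow the reply above describes, written out on the ASA CLI as an added example (this is not part of the original thread). The interface names and the two host addresses are taken from the configuration posted later in the thread; the capture names cap-in, cap-vlan and cap-drop are arbitrary. The ASP-drop capture is included because a packet that the capture on inside-lan sees but the capture on VLAN10 never does is usually accounted for there, with a drop reason.

```text
! Added example, not from the thread. Interface names and addresses
! are from the posted running-config; capture names are arbitrary.

! Match only the flow under test on both interfaces, so the captures stay small
capture cap-in   interface inside-lan match icmp host 192.168.41.141 host 172.16.10.187
capture cap-vlan interface VLAN10     match icmp host 192.168.41.141 host 172.16.10.187

! Packets the accelerated security path drops, with the drop reason
capture cap-drop type asp-drop all

! ... now ping 172.16.10.187 from 192.168.41.141, then inspect:
show capture cap-in
show capture cap-vlan
show capture cap-drop | include 172.16.10.187

! The same 5-tuple through the CLI packet-tracer, with every phase shown
packet-tracer input inside-lan icmp 192.168.41.141 8 0 172.16.10.187 detailed

! Layer-2 checks on the VLAN10 side: ping sourced from the subinterface,
! then see whether the ASA has resolved the host's MAC at all
ping VLAN10 172.16.10.187
show arp | include 172.16.10.187
show interface GigabitEthernet1/8
show interface GigabitEthernet1/8.10

! Remove the captures when done; they consume memory on the box
no capture cap-in
no capture cap-vlan
no capture cap-drop
```

Two caveats worth keeping in mind when reading the output. packet-tracer simulates the policy path (ACL, NAT, route lookup, inspection) and does not put a frame on the wire, so it will report ALLOW even when the next hop never answers ARP. And a ping sourced from the ASA itself is not subject to the interface access-lists, so if `ping VLAN10 172.16.10.187` fails and `show arp` has no entry for the host, the problem is between the subinterface and the switch rather than in the firewall policy.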
03-27-2017 08:49 AM
I did the Packet Tracer the other way around and it also worked, but it seems that this works because of the configuration which Marvin Rhoads told me about.
About spanning tree and interface 8 trunking: interface 8 is unused, just enabled, and I didn't see anything more to configure (I'm using the ASDM mostly).
Also here is the attached config:
vpn# show running-config
: Saved
:
: Serial Number: 
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.7(1)
!
hostname vpn
domain-name mentiq.com
enable password dVAmcd40HO.iUeYK encrypted
names
ip local pool VPN-IP-Pool 192.168.43.200-192.168.43.240 mask 255.255.252.0
!
interface GigabitEthernet1/1
 nameif 100Mbit
 security-level 0
 ip address 
!
interface GigabitEthernet1/2
 description LAN
 nameif 16MBit
 security-level 0
 ip address 
!
interface GigabitEthernet1/3
 description LAN
 nameif inside-lan
 security-level 100
 ip address 192.168.40.3 255.255.252.0
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8.10
 vlan 10
 nameif VLAN10
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet1/8.50
 vlan 50
 nameif VLAN50
 security-level 50
 ip address 172.16.50.1 255.255.255.0
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa971-lfbff-k8.SPA
ftp mode passive
dns domain-lookup 100Mbit
dns domain-lookup inside-lan
dns server-group DefaultDNS
 name-server 192.168.40.100 inside-lan
 name-server 192.168.40.150 inside-lan
 domain-name mentiq.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 212.144.124.226
 host 212.144.124.226
object network mentIQ
 range 192.168.40.0 192.168.43.255
object network 213.23.178.17
 host 213.23.178.17
object network cust4655-1.in.mailcontrol.com
 host 85.115.62.190
object network cust4655-2.in.mailcontrol.com
 host 85.115.54.190
object network 16Mbit
 host 213.23.178.18
object network mekur
 host 192.168.40.101
object service smtp
 service tcp source eq smtp
object service TelefonanlageBooster
 service tcp source eq 8802
object service ftp-data
 service tcp source eq ftp-data
object service ftp-control
 service tcp source eq ftp
object service https_nat
 service tcp source eq https
object service rdp_nat
 service tcp source eq 3389
object network www-ext
 host 212.144.124.226
object network www-int
 host 192.168.40.101
object network OWA
 host 192.168.40.101
object network owa
object network Internet-internal
 subnet 192.168.40.0 255.255.252.0
object network RDP-Merkur
 host 192.168.40.101
object service ssh
 service tcp source eq ssh
object service OWA-HTTPS
 service tcp source eq https
object network OWA-SERVER
 host 192.168.40.101
object network TK-Anlage
 host 192.168.40.103
object network FTP-Server
 host 192.168.40.110
object network tickets.mentiq.com-private
 host 192.168.40.106
object network NETWORK_OBJ_192.168.43.192_26
 subnet 192.168.43.192 255.255.255.192
object network NETWORK_OBJ_192.168.40.0_22
 subnet 192.168.40.0 255.255.252.0
object network sonicwall
 host 10.0.1.2
object service sonicwall-vpn
 service tcp source eq 500
object network VLAN50NW
 subnet 172.16.50.0 255.255.255.0
object network VLAN10NW
 subnet 172.16.10.0 255.255.255.0
object network INSIDENW
 subnet 192.168.40.0 255.255.252.0
object-group network mailcontrol
 network-object object cust4655-1.in.mailcontrol.com
 network-object object cust4655-2.in.mailcontrol.com
access-list OUTSIDE-IN remark Standard rule to allow traffic to the outside
access-list OUTSIDE-IN extended permit ip any any
access-list OUTSIDE-IN remark Traffic that is not permitted is logged
access-list OUTSIDE-IN extended deny ip any any log
access-list 16MBit_access_in extended permit object sonicwall-vpn any4 object sonicwall
access-list 16MBit_access_in extended permit tcp any4 object tickets.mentiq.com-private eq https
access-list 16MBit_access_in extended permit tcp any object FTP-Server eq ftp-data
access-list 16MBit_access_in extended permit tcp any object FTP-Server eq ftp
access-list 16MBit_access_in extended permit object TelefonanlageBooster any object TK-Anlage
access-list 16MBit_access_in remark Standard rule to allow traffic to the outside
access-list 16MBit_access_in extended permit object smtp object-group mailcontrol object OWA-SERVER
access-list 16MBit_access_in remark Standard rule to allow traffic to the outside
access-list 16MBit_access_in extended permit tcp any object OWA-SERVER eq https
access-list 16MBit_access_in extended deny ip any any log
access-list 100Mbit_access_in extended permit tcp any object FTP-Server eq ftp-data inactive
access-list 100Mbit_access_in extended permit tcp any object FTP-Server eq ftp inactive
access-list 100Mbit_access_in extended permit object TelefonanlageBooster any object TK-Anlage inactive
access-list 100Mbit_access_in remark Standard rule to allow traffic to the outside
access-list 100Mbit_access_in extended permit object smtp object-group mailcontrol object OWA-SERVER inactive
access-list 100Mbit_access_in extended permit tcp any object OWA-SERVER eq https inactive
access-list 100Mbit_access_in extended permit icmp any any
access-list 100Mbit_access_in extended deny ip any any log
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list split-acl-mentiq standard permit 192.168.40.0 255.255.252.0
access-list VLAN10_access_in extended permit icmp any any log
access-list VLAN10_access_in extended permit object ssh any any log
access-list VLAN10_access_in extended deny ip any any log
access-list inside-lan extended permit icmp any any time-exceeded
access-list inside-lan extended permit icmp any any
access-list inbount extended permit icmp any any unreachable
access-list VLAN10 extended permit icmp any any time-exceeded
access-list VLAN10 extended permit icmp any any unreachable
access-list VLAN10 extended permit icmp any any
access-list inside-lan_access_in extended permit tcp 192.168.40.0 255.255.252.0 any eq ssh
access-list inside-lan_access_in extended permit tcp 192.168.40.0 255.255.252.0 any eq https
access-list inside-lan_access_in extended permit udp 192.168.40.0 255.255.252.0 any eq snmp
access-list inside-lan_access_in extended permit tcp 192.168.40.0 255.255.252.0 any eq www
access-list inside-lan_access_in extended permit udp 192.168.40.0 255.255.252.0 any eq 443
access-list inside-lan_access_in extended permit icmp any any
access-list inside-lan_access_in extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu 100Mbit 1500
mtu 16MBit 1500
mtu inside-lan 1500
mtu VLAN50 1500
mtu VLAN10 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-771.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside-lan,16MBit) source static FTP-Server interface service ftp-control ftp-control
nat (inside-lan,16MBit) source static FTP-Server interface service ftp-data ftp-data
nat (inside-lan,16MBit) source static TK-Anlage interface service TelefonanlageBooster TelefonanlageBooster
nat (inside-lan,16MBit) source static OWA-SERVER interface service smtp smtp
nat (inside-lan,16MBit) source static OWA-SERVER interface service OWA-HTTPS OWA-HTTPS
nat (inside-lan,100Mbit) source static NETWORK_OBJ_192.168.40.0_22 NETWORK_OBJ_192.168.40.0_22 destination static NETWORK_OBJ_192.168.43.192_26 NETWORK_OBJ_192.168.43.192_26 no-proxy-arp route-lookup
nat (inside-lan,VLAN10) source static INSIDENW INSIDENW destination static VLAN10NW VLAN10NW
!
object network Internet-internal
 nat (inside-lan,100Mbit) dynamic interface
object network tickets.mentiq.com-private
 nat (inside-lan,16MBit) static 213.23.178.19
!
nat (inside-lan,16MBit) after-auto source dynamic Internet-internal interface
access-group 100Mbit_access_in in interface 100Mbit
access-group 16MBit_access_in in interface 16MBit
access-group inside-lan_access_in in interface inside-lan
access-group VLAN10_access_in in interface VLAN10
route 16MBit 0.0.0.0 0.0.0.0 213.23.178.17 1
route 100Mbit 0.0.0.0 0.0.0.0 212.144.124.225 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server mentIQ-LDAP protocol ldap
aaa-server mentIQ-LDAP (inside-lan) host 192.168.40.100
 ldap-base-dn DC=mentiq,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ciscoasa,OU=admins,OU=User,OU=MENTIQ.COM,DC=mentiq,DC=com
 server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.40.0 255.255.252.0 inside-lan
snmp-server host-group inside-lan mentIQ poll community *****
snmp-server location og
snmp-server contact ol kd
snmp-server community *****
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map 100Mbit_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map 100Mbit_map interface 100Mbit
crypto map 16MBit_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map 16MBit_map interface 16MBit
crypto ca trustpoint selfsigned
 enrollment self
 subject-name CN=ciscoasa
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 email support@mentiq.com
 subject-name CN=vpn.mentiq.com,OU=IT,O=mentIQ GmbH,C=DE,L=Dornach
 ip-address 212.144.124.226
 keypair vpn.mentiq.com
 crl configure
crypto ca trustpoint vpn.mentiq.com
 enrollment terminal
 email support@mentiq.com
 subject-name CN=vpn.mentiq.com,OU=IT,O=mentIQ GmbH,C=DE,St=Bayern,L=Dornach,EA=support@mentiq.com
 keypair vpn.mentiq.com
 crl configure
crypto ca trustpoint Thawte-Intermediate
 enrollment terminal
 crl configure
crypto ca trustpoint Thawte-Intermediate1
 enrollment terminal
 crl configure
crypto ca trustpool policy
crypto ca certificate chain selfsigned
 certificate 657dbf58
 308201e5 3082014e a0030201 02020465 7dbf5830 0d06092a 864886f7 0d010105
 05003037 3111300f 06035504 03130863 6973636f 61736131 22302006 092a8648
 86f70d01 09021613 63697363 6f617361 2e6d656e 7469712e 636f6d30 1e170d31
 37303331 34303934 3833355a 170d3237 30333132 30393438 33355a30 37311130
 0f060355 04031308 63697363 6f617361 31223020 06092a86 4886f70d 01090216
 13636973 636f6173 612e6d65 6e746971 2e636f6d 30819f30 0d06092a 864886f7
 0d010101 05000381 8d003081 89028181 00c0e0a7 dad557f8 0018bd2b 578ee08b
 72765821 f79f9973 295fab3d 593d0a4b ee33691b bd407439 cc2e9cf4 53ce8725
 735bf144 cc1e6714 6449d0eb 53309996 ea77b96d 8ff75acf 939c8d6c 849c7ff9
 67bb245b 957d236e baf06a57 4cd5f095 f51a7fe7 b306ebb8 c9b8c84e 7341a6e5
 d43b7f31 a8f13e9f b9e538b6 8b669c28 59020301 0001300d 06092a86 4886f70d
 01010505 00038181 0077cb3b f299a2b5 90370311 474de6c7 797d70a0 700dcfee
 41bb0b5f f493ac1d 17db2de8 3ed5250b 47a2d5dc 7cb29bc1 519f6d6a c726f76c
 8b47a0ce 217232e4 601a6687 f7971b60 d9f6d602 f35f05da 4393b00c 7500e80d
 f123c221 4957b1ba 92c303c5 f3a02f19 c5826905 b7775b13 c58dce8c e366303f
 a4b17799 b7f0fa7f 8e
 quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 600197b746a7eab4b49ad64b2ff790fb
 3082042a 30820312 a0030201 02021060 0197b746 a7eab4b4 9ad64b2f f790fb30
 0d06092a 864886f7 0d01010b 05003081 ae310b30 09060355 04061302 55533115
 30130603 55040a13 0c746861 7774652c 20496e63 2e312830 26060355 040b131f
 43657274 69666963 6174696f 6e205365 72766963 65732044 69766973 696f6e31
 38303606 0355040b 132f2863 29203230 30382074 68617774 652c2049 6e632e20
 2d20466f 72206175 74686f72 697a6564 20757365 206f6e6c 79312430 22060355
 0403131b 74686177 74652050 72696d61 72792052 6f6f7420 4341202d 20473330
 1e170d30 38303430 32303030 3030305a 170d3337 31323031 32333539 35395a30
 81ae310b 30090603 55040613 02555331 15301306 0355040a 130c7468 61777465
 2c20496e 632e3128 30260603 55040b13 1f436572 74696669 63617469 6f6e2053
 65727669 63657320 44697669 73696f6e 31383036 06035504 0b132f28 63292032
 30303820 74686177 74652c20 496e632e 202d2046 6f722061 7574686f 72697a65
 64207573 65206f6e 6c793124 30220603 55040313 1b746861 77746520 5072696d
 61727920 526f6f74 20434120 2d204733 30820122 300d0609 2a864886 f70d0101
 01050003 82010f00 3082010a 02820101 00b2bf27 2cfbdbd8 5bdd787b 1b9e7766
 81cb3ebc 7caef3a6 279a34a3 68317138 3362e4f3 716679b1 a965a3a5 8bd58f60
 2d3f42cc aa6b32c0 23cb2c41 dde4dffc 619ce273 b2229511 43185fc4 b61f576c
 0a055822 c8364c3a 7ca5d1cf 86af88a7 44021374 71730a42 5902f81b 146b42df
 6f5fba6b 82a29d5b e74abd1e 0172db4b 74e83b7f 7f7d1f04 b4269be0 b45aac47
 3d55b8d7 b0265228 01314066 d8d924bd f62ad8ec 21495c9b f67ae97f 55357e96
 6b8d9393 27cb92bb eaac40c0 9fc2f880 cf5df45a dcce7486 a63e6c0b 53cabd92
 ce190672 e60c5c38 69c704d6 bc6cce5b f6f7689c dc251548 88a1e9a9 f8989ce0
 f3d53128 61116c67 968d3999 cbc24524 39020301 0001a342 3040300f 0603551d
 130101ff 04053003 0101ff30 0e060355 1d0f0101 ff040403 02010630 1d060355
 1d0e0416 0414ad6c aa94609c ede4fffa 3e0a742b 6303f7b6 59bf300d 06092a86
 4886f70d 01010b05 00038201 01001a40 d89565ac 099289c6 39f410e5 a90e6653
 5d78defa 2491bbe7 4451dfc6 16340aef 6a4451ea 2b078a03 7ac3eb3f 0a2c5216
 a02b43b9 25903f70 a933256d 451a283b 27cfaac3 29421bdf 3b4cc033 345b4188
 bf6b2b65 af28efb2 f5c3aa66 ce7b56ee b7c8cb67 c1c99c1a 18b8c4c3 4903f160
 0e50cd46 c5f37779 f7b615e0 38dbc72f 28a00c3f 772674d9 2512da31 da1a1edc
 29419122 3c69a7bb 02f2b65c 270389f4 06ea9be4 7282e3a1 09c1e900 19d33ed4
 706bba71 a6aa58ae f4bbe96c b6ef87cc 9bbbff39 e65661d3 0aa7c45c 4c607b05
 77267abf d807522c 62f77063 d939bc6f 1cc279dc 7629afce c52c6404 5e88366e
 31d4401a 6234363f 3501aeac 63a0
 quit
crypto ca certificate chain vpn.mentiq.com
 certificate 56ef3e67be8252d8a4bbc56c97bfede1
 30820673 3082055b a0030201 02021056 ef3e67be 8252d8a4 bbc56c97 bfede130
 0d06092a 864886f7 0d01010b 05003065 310b3009 06035504 06130255 53311530
 13060355 040a130c 74686177 74652c20 496e632e 311d301b 06035504 0b131444
 6f6d6169 6e205661 6c696461 74656420 53534c31 20301e06 03550403 13177468
 61777465 20445620 53534c20 53484132 35362043 41301e17 0d313730 33323330
 30303030 305a170d 32303033 32323233 35393539 5a301931 17301506 03550403
 0c0e7670 6e2e6d65 6e746971 2e636f6d 30820122 300d0609 2a864886 f70d0101
 01050003 82010f00 3082010a 02820101 00b86c9f ce35ebca 9958754f d022feb7
 2b7cc1a6 a2f1abf0 0cdd327c 921afd12 420ed4ef 4c1d6561 325c7ee1 4f4702ac
 152f163c 1e8accbd 447f57c9 16ecc824 5649d803 cf7b416b a6be426a ee9ed11b
 829f10af a2405b6a 1b2f4d30 befd16e3 e57315b8 c56464e4 ab9f9784 b24b3a0e
 da42e7a3 ee7a2f08 6940b81a c1f7e9f6 9eca4101 3e2d1918 9e487934 b6ef7685
 6b284c8d 69dfd9a5 87199ebc e4b0eb1b 867fcf59 99e7e7cc 6c5d0f35 dd73a008
 d28610bf 99664baa cf684612 fecb4998 adb5f40e 80c3a517 9aac627b 1d73ccd8
 dcf78509 34fc383b e0c93f3e d382e890 640b35e3 8615103c 8994a046 bd1c9f67
 9d3e02b1 c293464b 6b904883 49a71fa3 b1020301 0001a382 03693082 03653019
 0603551d 11041230 10820e76 706e2e6d 656e7469 712e636f 6d300906 03551d13
 04023000 302b0603 551d1f04 24302230 20a01ea0 1c861a68 7474703a 2f2f746d
 2e73796d 63622e63 6f6d2f74 6d2e6372 6c306e06 03551d20 04673065 30630606
 67810c01 02013059 30260608 2b060105 05070201 161a6874 7470733a 2f2f7777
 772e7468 61777465 2e636f6d 2f637073 302f0608 2b060105 05070202 30230c21
 68747470 733a2f2f 7777772e 74686177 74652e63 6f6d2f72 65706f73 69746f72
 79301f06 03551d23 04183016 80147d29 312fc11e 6eae3105 6ab3eb1c cda9ddae
 809a300e 0603551d 0f0101ff 04040302 05a0301d 0603551d 25041630 1406082b
 06010505 07030106 082b0601 05050703 02305706 082b0601 05050701 01044b30
 49301f06 082b0601 05050730 01861368 7474703a 2f2f746d 2e73796d 63642e63
 6f6d3026 06082b06 01050507 3002861a 68747470 3a2f2f74 6d2e7379 6d63622e
 636f6d2f 746d2e63 72743082 01f5060a 2b060104 01d67902 04020482 01e50482
 01e101df 007600dd eb1d2b7a 0d4fa620 8b81ad81 68707e2e 8e9d01d5 5c888d3d
 11c4cdb6 ecbecc00 00015afa 73374c00 00040300 47304502 2100c243 f27fc9c6
 d137f644 2be12d07 6c1414cd dcffe20d 2d3c8c55 88faf972 c58e0220 08149108
 ef2ddf7b 789ab452 bb0e1041 ecdfc90d 359f894c a15fd20f df477a61 007600a4
 b90990b4 18581487 bb13a2cc 67700a3c 359804f9 1bdfb8e3 77cd0ec8 0ddc1000
 00015afa 73377800 00040300 47304502 2049cf01 20e5cef6 fbbcccf7 dc3df222
 9aa13ae1 a576bf35 a4eb352d f4244af4 14022100 87010b73 04175767 ceb2429f
 e930f071 6741d315 04e07b00 bd28989f 18ef0afd 007600ee 4bbdb775 ce60bae1
 42691fab e19e66a3 0f7e5fb0 72d88300 c47b897a a8fdcb00 00015afa 73394100
 00040300 47304502 2100c5f7 a07ac438 9a24b40a 0c3f3a08 fabaa544 959c1253
 b4f270d7 e6aa7765 d8ab0220 3f4b6192 9d21535d 0a1d1bbb 5cab5a15 5f5a251b
 0927d389 81e05086 dfc554d5 007500bc 78e1dfc5 f63c6846 49334da1 0fa15f09
 79692009 c081b4f3 f6917f3e d9b8a500 00015afa 73383500 00040300 46304402
 201b0461 f9a2beb4 b3c789dc b4bc337e 1ccb6da2 5034837f f5db3994 daf8205d
 a5022071 ebc4240d 838efc74 ce31107d 07aa7070 cc3c26ec 0a677602 627254e7
 3a476330 0d06092a 864886f7 0d01010b 05000382 0101009f ab059e5d 153af0a5
 0af6bee6 cb3f53cf bce7d1be 896e8f80 82620ccd 9c600475 6cddf3fd c0ca7a2b
 2bbe2e11 4e268523 f5de2feb f04fdb8e da77a280 f5050d17 98dff27c d266b672
 6542722b aa099e65 cbafda66 52716c5a 1b4defe4 f6c80d84 b1a6b4f0 4fe723e8
 e476668b 1088c06d 6b035a0c 5d6fd570 20185110 1494f555 e0286bd8 ae454c7a
 7caeb95a 80c974e0 036e5b3b 489b1bca d836b4ca c65c6c8f 2abdcccd 1ab82db0
 694864a7 2a5b3309 8550fd8c 57f2be73 b716c8b4 006d19ba 4a74c905 512aa90c
 d08fee81 00837958 d3669163 60231219 0a5fef12 e876a7a2 97af666b 3bf4dac5
 bd192e7c 6c8147e4 51240473 f9821d4e 3f1fa8e5 44cd66
 quit
crypto ca certificate chain Thawte-Intermediate
 certificate ca 7610128a17b682bb3a1f9d1a9a35c092
 3082048f 30820377 a0030201 02021076 10128a17 b682bb3a 1f9d1a9a 35c09230
 0d06092a 864886f7 0d010105 05003081 a9310b30 09060355 04061302 55533115
 30130603 55040a13 0c746861 7774652c 20496e63 2e312830 26060355 040b131f
 43657274 69666963 6174696f 6e205365 72766963 65732044 69766973 696f6e31
 38303606 0355040b 132f2863 29203230 30362074 68617774 652c2049 6e632e20
 2d20466f 72206175 74686f72 697a6564 20757365 206f6e6c 79311f30 1d060355
 04031316 74686177 74652050 72696d61 72792052 6f6f7420 4341301e 170d3130
 30323138 30303030 30305a17 0d323030 32313732 33353935 395a305e 310b3009
 06035504 06130255 53311530 13060355 040a130c 54686177 74652c20 496e632e
 311d301b 06035504 0b131444 6f6d6169 6e205661 6c696461 74656420 53534c31
 19301706 03550403 13105468 61777465 20445620 53534c20 43413082 0122300d
 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100cb 98c9363f
 d29cd816 07d44963 f983b0e8 022dcc5c 5a7497a6 13ef1313 de057ca7 e6ca0023
 da39f9ef 13cf52c5 af9ae3ca bef382d9 8b3daae1 ccae8850 66a32dec 61147549
 ab0e24f1 ac445b0b 28a23320 761e0660 6a670571 8bba6662 167ab36d 0dc7d094
 40c68c3d 1e920c62 340d4489 d5f789fe 29ed188f f69b2b08 f76aabd8 48975af4
 9fed0c75 5222f7d5 5e84009f c04a0d31 774c64d0 12e60f3a f0a1c0d5 5c1de75f
 2dc2f7d6 3618d995 6e444ec9 58144db6 8ebbcdde 621efa5b b5bd182b 98acac93
 3f505af5 140ba2cf b6f39e4f 5acd5ac3 3623da1a afb04dd6 4a22038f 430219bd
 eaacddc4 7a353214 f1722e08 55400cf4 074141af 38378429 42b25502 03010001
 a381fc30 81f93032 06082b06 01050507 01010426 30243022 06082b06 01050507
 30018616 68747470 3a2f2f6f 6373702e 74686177 74652e63 6f6d3012 0603551d
 130101ff 04083006 0101ff02 01003034 0603551d 1f042d30 2b3029a0 27a02586
 23687474 703a2f2f 63726c2e 74686177 74652e63 6f6d2f54 68617774 65504341
 2e63726c 300e0603 551d0f01 01ff0404 03020106 30290603 551d1104 223020a4
 1e301c31 1a301806 03550403 13115665 72695369 676e4d50 4b492d32 2d313130
 1d060355 1d0e0416 0414ab44 e45dec83 c7d9c085 9ff7e1c6 9790b08c 3f98301f
 0603551d 23041830 1680147b 5b45cfaf cecb7afd 31921a6a b6f346eb 57485030
 0d06092a 864886f7 0d010105 05000382 01010004 bafbacbb fc4b5411 a32d88b3
 3cbd006d 8a1ab68d c4c183f8 c7532ac1 326e3a81 a1547dda 1a3f3a45 4f36e742
 b00a4285 97a0acfb e587a783 4fe8b1b7 9b58656e 26800b92 4d4755b9 61165165
 e92bf168 d958b803 81d1b766 1cd3bcc5 a67b5f3e c5384676 e775b4a0 0c4bcea2
 c2a9c1cc 36737bfb b92424a0 5ea7f6fa bb0c2843 9e1df04e f03fd824 b021dc6d
 2deebf5a 3bfa889c 746caf21 dd92ecc3 15ef9475 2646d6a6 3fbf6648 aa1defdd
 27e6b751 89387d13 840c40fc d0b5f1e0 dbf94f2f 401cb48e 472261b8 4c96def0
 5f117e4f 11d9ec50 47220ec5 1de26449 e7686345 3a8ad971 f45ef16e b7144d3e
 6f141edc 52febcdf 0cbd293f 76fb115f 686815
 quit
crypto ca certificate chain Thawte-Intermediate1
 certificate ca 3e23345aed2c0a517b26ded4801d10aa
 308204dc 308203c4 a0030201 0202103e 23345aed 2c0a517b 26ded480 1d10aa30
 0d06092a 864886f7 0d01010b 05003081 ae310b30 09060355 04061302 55533115
 30130603 55040a13 0c746861 7774652c 20496e63 2e312830 26060355 040b131f
 43657274 69666963 6174696f 6e205365 72766963 65732044 69766973 696f6e31
 38303606 0355040b 132f2863 29203230 30382074 68617774 652c2049 6e632e20
 2d20466f 72206175 74686f72 697a6564 20757365 206f6e6c 79312430 22060355
 0403131b 74686177 74652050 72696d61 72792052 6f6f7420 4341202d 20473330
 1e170d31 34303631 30303030 3030305a 170d3234 30363039 32333539 35395a30
 65310b30 09060355 04061302 55533115 30130603 55040a13 0c746861 7774652c
 20496e63 2e311d30 1b060355 040b1314 446f6d61 696e2056 616c6964 61746564
 2053534c 3120301e 06035504 03131774 68617774 65204456 2053534c 20534841
 32353620 43413082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082
 010a0282 010100b3 ac0d7fad bb134d94 5f67426a d08971a9 ed740493 24c84d56
 a1f09196 84d9846a cf5221e3 1ab1544c e6c69e9e 4b38a996 541df5b3 ed9204d0
 6e54906e 2fe97d98 b48a2d12 a3b44247 1d7f5f40 e1fc7f91 a601dc55 a450782a
 633f847e 2cc82b21 b6c60e5e bcb8b1d4 1b98b3c6 f8e1e828 ed32441b cb7ff7e4
 b111ebc6 08b05bee a8c2ec46 aa8f29df b9b7a403 a0357a58 3f8b2947 c1d222fa
 2cc6c76c cdd3f758 329394d1 6fa92a9c 0f0a2892 ab140ab6 dfed407a 640754ce
 ea759732 b996a075 c9773102 74af5477 4f99a281 4b7959b8 923ff907 ea427457
 2e35ec55 8afc613c 3e577192 3babe4c1 e1172c64 360084b5 7c1a7db0 41337c23
 f64e775a 2cc14b02 03010001 a382013c 30820138 302e0608 2b060105 05070101
 04223020 301e0608 2b060105 05073001 86126874 74703a2f 2f742e73 796d6364
 2e636f6d 30120603 551d1301 01ff0408 30060101 ff020100 30410603 551d2004
 3a303830 36060a60 86480186 f8450107 36302830 2606082b 06010505 07020116
 1a687474 70733a2f 2f777777 2e746861 7774652e 636f6d2f 63707330 34060355
 1d1f042d 302b3029 a027a025 86236874 74703a2f 2f742e73 796d6362 2e636f6d
 2f546861 77746550 43412d47 332e6372 6c300e06 03551d0f 0101ff04 04030201
 06302906 03551d11 04223020 a41e301c 311a3018 06035504 03131153 796d616e
 74656350 4b492d31 2d363935 301d0603 551d0e04 1604147d 29312fc1 1e6eae31
 056ab3eb 1ccda9dd ae809a30 1f060355 1d230418 30168014 ad6caa94 609cede4
 fffa3e0a 742b6303 f7b659bf 300d0609 2a864886 f70d0101 0b050003 82010100
 36ffa2f1 1c7eb951 7b94d35a 7b4825d3 37a2822a 2d5f381e 8767ecc9 31abd792
 33b8bd35 cab18070 04827c88 cc372e16 746e9340 63ca8d7b ff0728e6 f933abf0
 618d3dca 83c550d8 bd69391f aebcb7ee 15c58d04 06203328 0499c59c 11f5010f
 475ed889 99a5cec2 80fe46fa efb61ba8 91b283b3 e2570d1a e496d5bc f7bd6d03
 f8627eeb f84209fe 0964a4c9 5cb8d239 0b79029e 15391dc0 d9cd1c5f 68768df3
 1e2dfabf a749a20d 97f596c2 e96cd4cd 470b8b8a 018bdbfa cf92752e de3ea773
 b5fe0351 a742c3c7 426ba96f bef620e1 8ebf9f09 8ee508e8 9293773e 49449c7f
 e9799dff 4bafe038 57340d5f 11321292 a9618881 a51ef8a0 f0455a86 71208585
 quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable 100Mbit client-services port 443
crypto ikev2 enable 16MBit client-services port 443
crypto ikev2 remote-access trustpoint vpn.mentiq.com
crypto ikev1 enable 100Mbit
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 10
ssh stricthostkeycheck
ssh 192.168.40.0 255.255.252.0 inside-lan
ssh timeout 10
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside-lan
dhcpd auto_config 100Mbit
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point vpn.mentiq.com 100Mbit
ssl trust-point vpn.mentiq.com 16MBit
ssl trust-point vpn.mentiq.com inside-lan
ssl trust-point vpn.mentiq.com VLAN50
ssl trust-point vpn.mentiq.com VLAN10
webvpn
 enable 100Mbit
 anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.4.01054-webdeploy-k9.pkg 2
 anyconnect profiles mentIQ-100Mbit_client_profile disk0:/mentIQ-100Mbit_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
 disable
 error-recovery disable
group-policy CB-GP internal
group-policy CB-GP attributes
 dns-server value 192.168.40.100 192.168.40.150
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl-mentiq
 split-dns value mentiq.com
 split-tunnel-all-dns enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_mentIQ-100Mbit internal
group-policy GroupPolicy_mentIQ-100Mbit attributes
 wins-server none
 dns-server value 192.168.40.100 192.168.40.150
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl-mentiq
 default-domain value mentiq.com
 webvpn
 anyconnect profiles value mentIQ-100Mbit_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username admin password DSfRb7TlfKsvNPhd encrypted privilege 15
tunnel-group mentIQ-100Mbit type remote-access
tunnel-group mentIQ-100Mbit general-attributes
 address-pool VPN-IP-Pool
 authentication-server-group mentIQ-LDAP
 default-group-policy GroupPolicy_mentIQ-100Mbit
tunnel-group mentIQ-100Mbit webvpn-attributes
 group-alias mentIQ-100Mbit enable
tunnel-group CB type remote-access
tunnel-group CB general-attributes
 address-pool VPN-IP-Pool
 authentication-server-group mentIQ-LDAP
 default-group-policy CB-GP
tunnel-group CB ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
 no tcp-inspection
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect rsh
 inspect rtsp
 inspect esmtp
 inspect sqlnet
 inspect skinny
 inspect sunrpc
 inspect xdmcp
 inspect sip
 inspect netbios
 inspect tftp
 inspect ip-options
 class class-default
 set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:76b30aa01ee919a6f53e5b1bf789824e
: end
03-27-2017 07:10 AM
I assume you've added "inspect icmp" to your default class-map since packet-tracer checks the inspect options.
Is the switch port that's connected to interface 8 trunking?
Is the spanning tree instance used by VLAN 10 forwarding out that switch port?
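The three things the reply above asks about, as an added example (not part of the original thread): the ICMP inspection on the ASA, and a trunk configuration plus the verification commands on the switch side. The ASA policy-map and class names are from the posted config. The switch port name GigabitEthernet0/24 and the assumption that the switch runs Catalyst IOS are placeholders; substitute whatever port actually faces ASA Gi1/8.

```text
! Added example, not from the thread.

! --- ASA: enable ICMP inspection in the default inspection class ---
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! --- Switch (Catalyst IOS, assumed; port name is a placeholder) ---
! ASA subinterfaces Gi1/8.10 and Gi1/8.50 send and accept only 802.1Q-tagged
! frames for VLANs 10 and 50, so the facing switch port must be a trunk that
! carries those VLANs. Do not make VLAN 10 the native VLAN: untagged frames
! land on the physical Gi1/8, which has no nameif and will not process them.
interface GigabitEthernet0/24
 description uplink to ASA Gi1/8
 switchport trunk encapsulation dot1q   ! only accepted on platforms that also support ISL
 switchport mode trunk
 switchport trunk allowed vlan 10,50
 spanning-tree portfast trunk

! --- Verification on the switch ---
show interfaces GigabitEthernet0/24 trunk        ! Mode "on", VLANs 10,50 allowed and active
show interfaces GigabitEthernet0/24 switchport   ! Operational Mode: trunk, encapsulation dot1q
show spanning-tree vlan 10                       ! port should be listed as FWD, not BLK/LRN
show mac address-table vlan 10                   ! the ASA subinterface MAC should appear on Gi0/24
```

If `show spanning-tree vlan 10` shows the port in a blocking or learning state, or the trunk output does not list VLAN 10 as active, frames for 172.16.10.0/24 never reach the ASA subinterface regardless of what the firewall policy says; that is the case the ASDM packet-tracer cannot detect.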
03-27-2017 08:47 AM
Yeah, I found that somewhere on the Internet... seems like it would be better to delete this stuff.
The config of the ASA will be attached under the second post.
03-27-2017 07:36 PM
The config you posted does not have "inspect icmp" under "class inspection_default".
Also, I was asking about the trunking and STP status on the SWITCH port attached to ASA interface 8.