06-15-2006 04:45 AM - edited 02-21-2020 12:58 AM
Hello,
I recently set up an Active/Standby failover configuration with 2 sub-interfaces configured on my g0/0 interface (g0/0.1 and g0/0.2). For some reason I can't ping either of these from my testing server (when the server is on the correct network and subnet to test the interface). I am not sure what's going on... I included a printout of my current interface and failover configuration. The testing server is connected to a Dell 2724 switch and so are the interfaces in question.
interface GigabitEthernet0/0
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.1
 vlan 10
 nameif Outside1
 security-level 0
 ip address 66.38.x.x 255.255.x.x standby 66.38.x.x
!
interface GigabitEthernet0/0.2
 vlan 20
 nameif Outside2
 security-level 0
 ip address 64.187.x.x 255.255.x.x standby 64.187.x.x
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 100
 ip address 10.10.x.x 255.255.x.x standby 10.10.x.x
!
interface GigabitEthernet0/2
 nameif Private
 security-level 40
 ip address 192.168.x.x 255.255.x.x standby 192.168.x.x
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 description STATE Failover Interface
 no nameif
 security-level 100
 ip address 192.168.x.x 255.255.x.x
!
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu Outside1 1500
mtu Outside2 1500
mtu DMZ 1500
mtu Private 1500
failover
failover lan unit primary
failover lan interface FoInt GigabitEthernet0/3
failover replication http
failover link FoInt GigabitEthernet0/3
failover interface ip FoInt 192.168.x.x 255.255.x.x standby 192.168.x.x
monitor-interface Outside1
monitor-interface Outside2
Thanks,
Chris
06-16-2006 06:36 AM
Hi Chris,
Your sub-interface config is fine, except you probably need to assign different security levels to them, unless you already planned for it.
Normally, it's the switch side that needs to be configured accordingly. The trunk link between the firewall and the switch uses DOT1Q encapsulation (IEEE). I am not sure whether Dell supports it. Make sure the trunk allows whatever VLANs you assigned to the firewall sub-interfaces.
To be able to ping the interface, make sure you allow the firewall to permit ICMP to hit the interface using the 'icmp' command, e.g. "icmp permit any Outside2"
BTW, what's the gateway for your server? Is it the ASA sub-interface (according to VLAN) or the VLAN IP on the switch?
Other than that, you need to apply the normal firewall ACL, static NAT and so on.
Rgds,
AK
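An added example, not from either poster: a small Python check that reads an ASA-style configuration and reports the items the reply above says to verify (the VLANs the switch trunk must carry, named interfaces sharing a security level, and named interfaces with no "icmp permit" rule). The function names and the sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the posted configuration (addresses omitted).
SAMPLE = """\
interface GigabitEthernet0/0
 no nameif
!
interface GigabitEthernet0/0.1
 vlan 10
 nameif Outside1
 security-level 0
!
interface GigabitEthernet0/0.2
 vlan 20
 nameif Outside2
 security-level 0
!
icmp permit any Outside2
"""

def parse_interfaces(config):
    """Map each interface name to the vlan/nameif/security-level lines under it."""
    ifaces, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if (m := re.match(r"interface (\S+)$", line)):
            cur = ifaces.setdefault(m.group(1), {})
        elif line == "!":
            cur = None  # "!" closes the interface block
        elif cur is not None and (m := re.match(r"(vlan|nameif|security-level) (\S+)$", line)):
            cur[m.group(1)] = m.group(2)  # "no nameif" does not match, so it is skipped
    return ifaces

def audit(config):
    """Gather what the reply asks to check: trunk VLANs, security levels, icmp rules."""
    ifaces = parse_interfaces(config)
    subs = {n: i for n, i in ifaces.items() if "." in n}
    by_level = defaultdict(list)
    for i in ifaces.values():
        if "nameif" in i and "security-level" in i:
            by_level[int(i["security-level"])].append(i["nameif"])
    # The interface name is the last token of an "icmp permit ..." line.
    icmp = set(re.findall(r"^icmp permit .+ (\S+)$", config, re.M))
    return {
        "trunk_vlans": sorted(int(i["vlan"]) for i in subs.values() if "vlan" in i),
        "subifs_missing_vlan": sorted(n for n, i in subs.items() if "vlan" not in i),
        "shared_levels": {l: n for l, n in by_level.items() if len(n) > 1},
        "no_icmp_permit": sorted(i["nameif"] for i in ifaces.values()
                                 if "nameif" in i and i["nameif"] not in icmp),
    }
```

Shared levels are reported because interfaces at the same security level cannot pass traffic to each other unless same-security-traffic permit inter-interface is configured.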