Cisco ASA Inter-Vlan Problems

simon.green · ‎03-05-2014

Hi All,

Hope Everyone is Well?

Hope somebody could help as im banging my head with this one:-

I have several Sub Interfaces for VLAN's Setup on my Firewall. I have these connected to a Switch, which inturn has the Switch Port set in Trunk Mode,

Switch Config Here:-

interface FastEthernet0/1

description ** Firewall Uplink - FA0/1 **

switchport trunk native vlan 101

switchport trunk allowed vlan 101-104,110

switchport mode trunk

If i connect my Laptop up and Set a IP of 10.1.1.100 i cant even ping the Firewall (10.1.1.1). Same on the other Subnets. I cant ping any default Gateways.

Strangely enough thought the Firewall can ping the switch on 10.1.1.21

From All Subnets there is no internet access either but i assume this is something to do with the above not working.

Many thanks in advance for any help

Cheers

Si

Jon Marshall · ‎03-05-2014

Simon

Not sure about why the others aren't working but for vlan 101 you have a subinterface on the ASA but that is the native vlan on the trunk.

A subinterface on the ASA expects the traffic to be tagged which it obviously won't be as the switch will send it untagged.

You can assign the vlan 101 IP address etc. to the physical interface and then have the other vlans on subinterfaces. On the physical interface the ASA will pass untagged traffic.

Or alternatively it may be just as easy to change the native vlan on the switch to be some other vlan ie. not any of the ones you are using on the ASA subinterfaces.

Jon

simon.green · ‎03-06-2014

Hi Jon,

Many Thanks for your Reply.

So i have left my Switches Port Config as is:-

interface FastEthernet0/1

description ** Firewall Uplink - FA0/1 **

switchport trunk native vlan 101

switchport trunk allowed vlan 101-104,110

switchport mode trunk

And modified my ASA config as you suggested above. New Config attached. However i still cannot ping anything from the switch.

If i plug my laptop direct into the Port on the Firewall i can ping 10.1.1.1 but none of the other Vlan IP's still

Cheers

Si

Jon Marshall · ‎03-06-2014

Si

Can you post the new config and also a "sh in trunk " from the switch please.

Jon

simon.green · ‎03-06-2014

Hi Jon,

Many thanks again for the reply.

New config is attached. Will have to get the switch output shortly when back on site:)

Cheers

Si

Jon Marshall · ‎03-06-2014

Si

Will have a look at the configuration but a quick question.

When you try to ping the subinterfaces are you reallocating the PC into the vlan for the subinterface ?

Jon

simon.green · ‎03-06-2014

Hi Jon,

Yes and No ...

So:

Port 4 on Switch is VLAN 101

Port 5 on Switch is VLAN 102

Port 6 on Switch is VLAN 103

Port 7 on Switch is VLAN 104

Port 8 on Switch is VLAN 110

Tried to Ping all default gateways with:

Address of 10.1.1.100 from Port 4 - No Joy.

Address of 10.1.2.100 from Port 5 - No Joy.

Address of 10.1.3.100 from Port 6 - No Joy.

Address of 10.1.4.100 from Port 7 - No Joy.

Address of 10.1.100.100 from Port 8 - No Joy.

So i emoved the switch all together and plugged my laptop into Port 1 of the Firewall.

Could Ping 10.1.1.1 with my Laptop IP set at 10.1.1.100. Rebooted the Firewall and now cant even ping 10.1.1.1 anymore.

Plug into the Management VLAN and pinged 192.168.1.1 - That works. Tried to ping the other Default Gateways of the VLAN's but that doesnt work.

Cheers

Si

Jon Marshall · ‎03-06-2014

Si

What model of ASA is this ?

When you connect the ASA to the switch do you see the main interface and the subinterfaces as up/up ?

What happens if you try to ping the laptop from the ASA (note if the laptop is running a firewall then allow ICMP or disable it temporarily).

Jon

simon.green · ‎03-06-2014

Hi Jon,

Its a ASA5510. Yup. See interfaces come up for Ethernet0/0 and all the sub insterfaces on the Firewall and on the Switch.

If i ping the Laptop from the firewall it fails. If i ping from the management interface to the LAptop it ping fine.

Cheers

Si

Jon Marshall · ‎03-06-2014

Si

Can't see anything wrong with the last configuration you posted.

If you do a "sh route" does the ASA see the subinterface networks ?

If so a few suggestions -

1) there is no reason you cannot pass untagged traffic on the main interface but perhaps try to remove the config from the e0/1 main interface including the nameif command, then create a subinterface for vlan 101 and change the native vlan on the trunk to an unused vlan so vlan 101 is tagged.

2) lets concentrate on one vlan so pick one of the subinterface vlans, set the switchport connected to the laptop in that vlan and set it's default gateway to the firewall.

And then try pinging

Just trying to rule out everything that might be stopping this working.

Jon

simon.green · ‎03-08-2014

Hi Jon,

Sorry for the delay in getting back to you. Ok ...

Sh Route shows:-

Gateway of last resort is not set

C    10.1.3.0 255.255.255.0 is directly connected, inside_cctv
C    10.1.2.0 255.255.255.0 is directly connected, inside_voip
C    10.1.1.0 255.255.255.0 is directly connected, inside_lan_management
C    10.1.4.0 255.255.255.0 is directly connected, inside_wireless
C    10.1.110.0 255.255.255.0 is directly connected, inside_clients
C    192.168.1.0 255.255.255.0 is directly connected, management

I have also modified my config here and there as i have been playin around. With my Laptop on the switch and the switch port set to the VLAN i can now on each VLAN ping the default gateway.

I still cannot ping gateways between VLANs not get any outside connectivity.

I have attached my New Config.

Many thanks again

Si