443 Views · 0 Helpful · 2 Replies

Cisco ASA VLAN Routing

tpennington (Level 1)

I'm trying to set up communication between a few interfaces on an ASA 5508-X and can't seem to get ping to work. Below is my configuration. I have a laptop directly connected to "interface GigabitEthernet1/3" with a static IP of 192.168.20.3.

I can ping my own subnet just fine, just not the other 3 subnets. When I try Packet Tracer, I get "no route to host", so I obviously have something wrong.

I basically wiped this test ASA to defaults to play around with this.


: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.16(4)
!
hostname ciscoasa
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto

!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
nameif Inside
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet1/2.200
vlan 200
nameif Inside-VLAN
security-level 99
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif BugNet
security-level 99
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet1/3.300
vlan 300
nameif BugNet-VLAN
security-level 99
ip address 192.168.210.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa9-16-4-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list Inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
access-list Inside-VLAN_access_in extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Inside-VLAN_access_in extended permit ip 192.168.200.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Inside-VLAN_access_in extended permit ip 192.168.200.0 255.255.255.0 192.168.210.0 255.255.255.0
access-list BugNet_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BugNet_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list BugNet_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.210.0 255.255.255.0
access-list BugNet-VLAN_access_in extended permit ip 192.168.210.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BugNet-VLAN_access_in extended permit ip 192.168.210.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list BugNet-VLAN_access_in extended permit ip 192.168.210.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list BugNet extended permit icmp any any echo
access-list BugNet extended permit icmp any any echo-reply
access-list BugNet extended permit icmp any any
access-list BugNet-VLAN extended permit icmp any any echo
access-list BugNet-VLAN extended permit icmp any any echo-reply
access-list BugNet-VLAN extended permit ip any any
access-list Inside-VLAN extended permit icmp any any echo
access-list Inside-VLAN extended permit icmp any any echo-reply
access-list Inside-VLAN extended permit ip any any
pager lines 24
mtu Inside 1500
mtu Inside-VLAN 1500
mtu BugNet 1500
mtu BugNet-VLAN 1500
no failover
no failover wait-disable
no monitor-interface Inside-VLAN
no monitor-interface BugNet-VLAN
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
icmp permit any BugNet
icmp permit any Inside-VLAN
icmp permit any BugNet-VLAN
asdm image disk0:/asdm-7191.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group Inside_access_in in interface Inside
access-group BugNet_access_in in interface BugNet
access-group Inside-VLAN_access_in in interface Inside-VLAN
access-group BugNet-VLAN_access_in in interface BugNet-VLAN
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 Inside
http 192.168.20.0 255.255.255.0 BugNet
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh 192.168.1.0 255.255.255.0 Inside
ssh 192.168.20.0 255.255.255.0 BugNet
console timeout 0

dhcpd address 192.168.20.10-192.168.20.20 BugNet
dhcpd dns 192.168.20.1 interface BugNet
dhcpd enable BugNet
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 204.11.201.10 source Inside prefer
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect snmp
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ebf74ba8ea6698d8fb49ad571c5ef822
: end
asdm image disk0:/asdm-7191.bin
no asdm history enable

2 Replies

Did you check if the firewall's interfaces are actually in up/up state? "No route to host" in this case could potentially be caused by the interfaces on the firewall not being up.

Yes, the interfaces are up and active.
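The questions raised in this thread (is there a route to the destination, are the interfaces up, and does the inbound ACL on the ingress interface permit the flow) are exactly the ones packet-tracer walks through on the box. The script below is an added example, not code from the original post or from Cisco: it parses the interface, access-list, access-group and route lines of a running-config offline and answers those questions for one source/destination pair. The embedded config is a constructed excerpt in the shape of the posted one (same subnets and ACL naming, trimmed to the lines the check reads) plus a hypothetical shut-down "Lab" interface so the interface-state path is exercised. Port numbers and ICMP types are not evaluated, and the security-level rules that apply when no ACL is bound are not modelled.

```python
"""Offline check of ASA inter-interface traffic: route, interface state, inbound ACL.
Added example, not from the post or from Cisco. Ports and ICMP types are ignored."""
import ipaddress
import re

# Constructed excerpt in the shape of the posted config (same subnets and ACL
# style, trimmed) plus a hypothetical shut-down "Lab" interface.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
nameif Inside
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet1/2.200
vlan 200
nameif Inside-VLAN
security-level 99
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif BugNet
security-level 99
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
nameif Lab
ip address 192.168.50.1 255.255.255.0
!
access-list BugNet_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BugNet_access_in extended permit icmp 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
access-group BugNet_access_in in interface BugNet
"""


def _addr(tok):
    """Consume one ACE address spec (any | host A | A MASK); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse_config(text):
    """Return (interfaces by nameif, ACEs by ACL name, inbound ACL per nameif, static routes)."""
    ifcs, acls, groups, routes, cur = {}, {}, {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface "):
            cur = {"nameif": None, "shutdown": False, "ip": None, "net": None}
        elif line == "!":
            if cur and cur["nameif"]:          # unnamed interfaces carry no traffic
                ifcs[cur["nameif"]] = cur
            cur = None
        elif cur is not None:                  # inside an interface block
            if line.startswith("nameif "):
                cur["nameif"] = line.split()[1]
            elif line == "shutdown":
                cur["shutdown"] = True
            elif line.startswith("ip address "):
                ip, mask = line.split()[2:4]
                cur["ip"] = ipaddress.ip_address(ip)
                cur["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif (m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)", line)):
            src, rest = _addr(m.group(4).split())
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), src, _addr(rest)[0]))
        elif (m := re.match(r"access-group (\S+) in interface (\S+)", line)):
            groups[m.group(2)] = m.group(1)
        elif (m := re.match(r"route (\S+) (\S+) (\S+) \S+", line)):
            routes.append((m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)))
    return ifcs, acls, groups, routes


def lookup(ifcs, routes, ip):
    """Longest-prefix match over connected subnets and static routes; returns nameif or None."""
    cands = [(i["net"], n) for n, i in ifcs.items() if i["net"]] + [(net, n) for n, net in routes]
    hits = [(net.prefixlen, n) for net, n in cands if ip in net]
    return max(hits)[1] if hits else None


def trace(text, src, dst, proto="icmp"):
    """Walk the checks packet-tracer performs: ingress, own address, route, egress state, ACL."""
    ifcs, acls, groups, routes = parse_config(text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = lookup(ifcs, routes, src)
    own = next((n for n, i in ifcs.items() if i["ip"] == dst), None)
    res = {"ingress": ingress, "egress": None, "verdict": "drop", "reason": ""}
    if ingress is None:
        res["reason"] = "source is not on any known subnet"
    elif ifcs[ingress]["shutdown"]:
        res["reason"] = f"ingress interface {ingress} is shut down"
    elif own is not None:
        # The ASA answers ICMP to the address of the interface a packet arrives on (subject
        # to its icmp permit rules) but not to its own addresses on other interfaces.
        res.update(verdict="permit" if own == ingress else "drop",
                   reason=f"destination is the ASA's own {own} address"
                   + ("" if own == ingress else " (far-side interface)"))
    elif (egress := lookup(ifcs, routes, dst)) is None:
        res["reason"] = "no route to host"
    elif ifcs.get(egress, {}).get("shutdown"):
        res.update(egress=egress, reason=f"egress interface {egress} is shut down")
    else:
        res["egress"] = egress
        acl = groups.get(ingress)
        if acl is None:
            res.update(verdict="unknown", reason="no inbound ACL on ingress; security-level policy decides")
        else:
            res["reason"] = f"implicit deny at end of {acl}"
            for action, p, s, d in acls.get(acl, []):      # first matching ACE wins
                if p in ("ip", proto) and src in s and dst in d:
                    res.update(verdict=action, reason=f"{acl}: {action} {p} {s} -> {d}")
                    break
    return res


if __name__ == "__main__":
    for target in ("192.168.1.9", "192.168.1.3", "192.168.200.5", "192.168.50.7", "10.0.0.1"):
        print(target, trace(SAMPLE_CONFIG, "192.168.20.3", target))
```

Run it against the full posted config by reading the file into `trace()` instead of `SAMPLE_CONFIG`; a "no route to host" result means no connected subnet or static route covers the destination, which is the first thing to compare with `show route` on the box, while a "far-side interface" result explains a failed ping to another interface's own address that is not a routing problem at all.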
