cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2727
Views
4
Helpful
8
Replies
Davy Ad
Beginner

I cannot ping two ASA firewalls connected on the same swicth

Any help please?

I have two ASA firewalls connected to same layer 2 Switch and with different subnet on Inside interface .

                        ASA-1 ================>[ layer 2 Switch]<====================ASA-2

                                                                             ||

                                                                             ||

                                                                             ||

                                                                     (DHCP-ROUTER)

ASA- 1 :

Public IP address;  100.100.1. 2x /32

LAN ( Inside Interface) IP address; 10.10.41.1

route outside 0.0.0.0 0.0.0.0 100.100.1.1x.

route inside 10.10.42.0 255.255.255.0 10.10.10.2 ( DHCP-Router)

=================================================================

ASA-2:

Public IP address; 200.200.1,2x /32

LAN ( Inside Interface ) IP address ; 10.10.42. 1

route outside 0.0.0.0  0.0.0.0  200.200.1.1x

route inside 10.10.41.0 255.255.255.0 10.10.10.2 ( DHCP-Router)

================================================================

DHCP Router ;

ip dhcp pool ASA1_SUBNET

network 10.10.41.0 255.255.255.0

default-router 10.10.41.2

domain-name me.com

dns-server 10.10.41.10

ip dhcp pool ASA2_SUBNET

network 10.10.42.0 255.255.255.0

default-router 10.10.42.2

domain-name me.com

dns-server 10.10.41.10

ip route 0.0.0.0 0.0.0.0 10.10.41.1

ip route 10.10.42.0  255.255.255.0 10.10.42.1

=================================================

LAYER 2 SWITCH;

Int vlan 41

Ip address 10.10.41.0 255.255.255.0

no shut

Int vlan 42

Ip address 10.10.42.0 255.255.255.0

no shut

ip route 0.0.0.0 0.0.0.0 10.10.41.1

ip route 10.10.42.0  255.255.255.0 10.10.42.1

Any help please ?

DaK

8 REPLIES 8
Julio Carvajal
Advisor

Hello Davy,

What is the default gateway of the PC? What is the PC Address?

Can you ping ASA 2 from ASA 1 and backwards?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

I cannot ping ASA1 to ASA2 , also cannot ping ASA2 from Switch or Router.

My PC has ASA1 Inside IP address  as default gateway 

Regards,

DaK

you have enabled asa for respond to ping to interfaces from your networks?

regards

Hi Bro

Of course both the FW won't be able to PING each other because they are in different network address, even though both the FW's INSIDE interface are connected to the same switch. From your information above, the switch is able to configure SVIs. This means you can consider that switch as a L3.

To resolve this issue, you'll need to enable InterVLAN Routing in your Switch (Switch (config)# ip routing) and ensure that proper SVI's are configured in the L3 Switch, as shown below;

vlan 41,42

Int vlan 41

Ip address 10.10.41.10 255.255.255.0

no shut

Int vlan 42

Ip address 10.10.42.10 255.255.255.0

no shut

Lastly, you could add static routes in your FW respectively

FW1

route inside 10.10.42.0 255.255.255.0 10.10.41.10

FW2

route inside 10.10.41.0 255.255.255.0 10.10.42.10

If this still doesn't work, please paste both the FW show run config and switch config, and we will assist you. This is a small problem, don't worry it will be fixed in no time, bro!!!!

Warm regards,
Ramraj Sivagnanam Sivajanam

Hi davy,

                                                              Rtr     Rtr

                                                               |         |

                                                            ASA   ASA   

                                                               |       /

                                                           Switch ----> DHCP Rtr

                                                                |

                                                         Vlan 41 & 42

This would be your design right. As per my understanding you are not able to ping the ASA from one segment to the other from the LAN. Please correct me if my statement is wrong.

10.10.41.1 (ASA 1 Inside) - 10.10.42.1 (ASA 2 Inside).

Let me explain how we will make this communication.

First you should have the proper routes in ASA for getting this work and routing needs to be enabled in the switch as well to make the inter vlan communication.

Then ACL's should be there allow this to work.

Say vlan 41 is having ip address 10.10.41.5/24 & vlan 42 is having ip address 10.10.42.5/24.

Since you are pointing your gateway as ASA inside IP. The switch will send the packet directly to ASA and your ASA1 or 2 will not know where to route and packet is getting dropped.

So you need to have the route for making it pointed according. As ramraj said you need to have the static route in asa pointing inside with the respective switch vlan ip.

ASA 1 & 2 respectively.

route inside 10.10.41.0 255.255.255.0 10.10.41.5

route inside 10.10.42.0 255.255.255.0 10.10.42.5

route outside 0.0.0.0 0.0.0.0 100.100.1.1 (ASA1)

route outside 0.0.0.0 0.0.0.0 200.200.1.1 (ASA2).

ACL's to be allowing each vlan respectively in ASA inside interface binding ACL. also verify ispect icmp is enabled under service policy.

Thanks ,

It works and I realised that one port connected to switch for ASA-2 was in trunk mode , while the ASA-1 was access mode. I removed this and was able to ping both side.

Regards,

DaK

Sent from Cisco Technical Support iPhone App

Davy Ad
Beginner

Thanks

It works !

Sent from Cisco Technical Support iPhone App

Create
Recognize Your Peers
Content for Community-Ad