11-18-2016 01:23 AM - edited 03-12-2019 01:33 AM
Hi Guys,
I'm pretty new to Cisco and I'm setting up an ASA 5506-X for the first time.
I am not able to communicate between the subinterfaces on my ASA. Everything else is working fine.
I have 3 subinterfaces:
1. vlan 10 (10.0.10.1/24)
2. vlan 50 (10.0.50.1/24)
3. vlan 99 (10.0.99.1/24)
I started like this:
1. wr
2. conf factory-default
Then I added my VLANs and DHCP etc. Here is the complete config:
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
terminal width 350
hostname fw01
enable password N7FecZuSHJlVZC2P encrypted
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 191.151.150.178 255.255.255.224
!
interface GigabitEthernet1/2
 nameif cisco-mgmt
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2.10
 vlan 10
 nameif adm
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet1/2.50
 vlan 50
 nameif guest
 security-level 50
 ip address 10.0.50.1 255.255.255.0
!
interface GigabitEthernet1/2.99
 vlan 99
 nameif mgmt
 security-level 100
 ip address 10.0.99.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu cisco-mgmt 1500
mtu mgmt 1500
mtu guest 1500
mtu adm 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 191.151.150.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 cisco-mgmt
http 10.0.99.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.99.0 255.255.255.0 mgmt
ssh timeout 5
ssh key-exchange group dh-group14-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 cisco-mgmt
dhcpd enable cisco-mgmt
!
dhcpd address 10.0.99.100-10.0.99.200 mgmt
dhcpd dns 8.8.8.8 interface mgmt
dhcpd domain mgmt.local interface mgmt
dhcpd enable mgmt
!
dhcpd address 10.0.50.2-10.0.50.200 guest
dhcpd dns 8.8.8.8 interface guest
dhcpd domain guest.local interface guest
dhcpd enable guest
!
dhcpd address 10.0.10.12-10.0.10.200 adm
dhcpd dns 8.8.8.8 interface adm
dhcpd domain admin.local interface adm
dhcpd enable adm
!
dynamic-access-policy-record DfltAccessPolicy
username admin password ZtmwWxwfZJPPSOvr encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:63e65a7e865abf7d26504a4309f1fcbc
: end
Thanks!
11-18-2016 05:15 AM
I do not see an obvious issue in the config that you posted. When I saw several interfaces at the same security level I wondered if that might be an issue but I see that you have both of the same-security-level commands. So that is not the issue. I wondered if it might be a NAT issue. But you are only doing NAT for traffic going through the outside interface. So that is not an issue.
Are devices in these subinterfaces able to access the Internet?
Would you post the output of show arp?
HTH
Rick
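The security-level reasoning in the reply above (same-level interfaces only talk when the same-security-traffic command is present, higher-to-lower is open by default, lower-to-higher needs an ACL) can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it parses the interface blocks and same-security-traffic lines of an ASA config (SAMPLE_CONFIG is a trimmed copy of the config posted above) and returns the default verdict for every ingress/egress pair. The function and class names are this example's own. The matrix only describes traffic passing through the ASA between hosts; ICMP addressed to the ASA's own interface addresses is a separate case, since the ASA answers only on the interface the packet arrives on.

```python
"""Default inter-interface policy of a Cisco ASA config (added example).

Rules applied, matching the ASA security-level model:
  higher level -> lower level : permitted by default
  equal levels                : only with 'same-security-traffic permit inter-interface'
  same interface in and out   : only with 'same-security-traffic permit intra-interface'
  lower level -> higher level : denied unless an access-list permits it
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Trimmed copy of the config posted in the thread (sample input).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 191.151.150.178 255.255.255.224
!
interface GigabitEthernet1/2.10
 vlan 10
 nameif adm
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet1/2.50
 vlan 50
 nameif guest
 security-level 50
 ip address 10.0.50.1 255.255.255.0
!
interface GigabitEthernet1/2.99
 vlan 99
 nameif mgmt
 security-level 100
 ip address 10.0.99.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
"""


@dataclass
class Iface:
    name: str            # nameif
    level: int           # security-level
    address: str         # interface IP address
    vlan: Optional[int]  # 802.1Q tag for subinterfaces, None for physical


def parse_config(text: str) -> Tuple[List[Iface], Set[str]]:
    """Return the named interfaces and the enabled same-security-traffic modes."""
    ifaces: List[Iface] = []
    modes: Set[str] = set()
    cur: Dict = {}

    def flush() -> None:
        # An interface without nameif/security-level ('no nameif') carries no traffic.
        if cur.get("name") and "level" in cur:
            ifaces.append(Iface(cur["name"], cur["level"],
                                cur.get("address", ""), cur.get("vlan")))

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            flush()
            cur = {}
        elif line.startswith("nameif "):
            cur["name"] = line.split()[1]
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            cur["address"] = line.split()[2]
        elif line.startswith("vlan "):
            cur["vlan"] = int(line.split()[1])
        elif line.startswith("same-security-traffic permit "):
            modes.add(line.split()[-1])
    flush()
    return ifaces, modes


def default_policy(src: Iface, dst: Iface, modes: Set[str]) -> str:
    """Verdict for a flow entering on src and leaving on dst, with no ACLs configured."""
    if src.name == dst.name:
        return "permit" if "intra-interface" in modes else "deny"
    if src.level > dst.level:
        return "permit"
    if src.level == dst.level:
        return "permit" if "inter-interface" in modes else "deny"
    return "deny (needs ACL)"


def policy_matrix(text: str) -> Dict[Tuple[str, str], str]:
    """Map (ingress nameif, egress nameif) to the default verdict."""
    ifaces, modes = parse_config(text)
    return {(a.name, b.name): default_policy(a, b, modes)
            for a in ifaces for b in ifaces}
```

Calling policy_matrix(SAMPLE_CONFIG) shows adm and mgmt permitted in both directions because the inter-interface line is present, guest-to-adm marked as needing an ACL, and outside-to-anything denied; remove the inter-interface line from the sample and the adm/mgmt pair flips to deny, which is the state a factory-default config without those two commands would be in.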
11-18-2016 05:35 AM
Hi Rick,
Thanks for your answer.
I am able to reach the internet on the different sub interfaces yes.
Here is the output of show arp:
fw01(config)# show arp
mgmt 10.0.99.101 406c.8f51.edc2 387
mgmt 10.0.99.100 406c.8f51.edc2 8237
adm 10.0.10.12 406c.8f51.edc2 117
11-18-2016 05:41 AM
Thanks for the additional information. It does verify that the interfaces and subinterfaces are working and that the default gateway of the hosts does get traffic to the ASA. And it does confirm that the ASA sees multiple devices in your network. But I notice something very strange that all of the devices inside the network seem to have exactly the same mac address of 406c.8f51.edc2. So perhaps we need to understand better what is connected to the ASA and to these devices.
HTH
Rick
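The observation in the reply above (one MAC address on two different subinterfaces) is easy to miss on a longer ARP table. The script below is an added example, not from the thread: it parses the 'show arp' rows (interface, IP, MAC, age in seconds), groups them by MAC and reports any MAC seen behind more than one nameif. SAMPLE_ARP is a constructed copy of the three rows posted above with the CLI prompt left in to show that non-data lines are skipped; the function names are this example's own.

```python
"""Group a Cisco ASA 'show arp' listing by MAC address (added example).

A MAC that shows up on more than one nameif usually means a single host was
re-patched between VLANs (a laptop, as in this thread) and the old entry has
not aged out yet; it can also mean two hosts share a MAC. Either way it is
worth checking before reading the ARP table as the current topology.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample, same shape as the output posted in the thread.
SAMPLE_ARP = """\
fw01(config)# show arp
mgmt 10.0.99.101 406c.8f51.edc2 387
mgmt 10.0.99.100 406c.8f51.edc2 8237
adm 10.0.10.12 406c.8f51.edc2 117
"""

# One data row: nameif, dotted-quad IP, Cisco-style MAC (xxxx.xxxx.xxxx), age.
ARP_ROW = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+)\s*$",
    re.IGNORECASE,
)


class ArpEntry(NamedTuple):
    interface: str
    ip: str
    mac: str
    age: int  # seconds since the entry was learned


def parse_arp(text: str) -> List[ArpEntry]:
    """Parse data rows; prompts, headers and blank lines are ignored."""
    entries: List[ArpEntry] = []
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            iface, ip, mac, age = m.groups()
            entries.append(ArpEntry(iface, ip, mac.lower(), int(age)))
    return entries


def by_mac(text: str) -> Dict[str, List[ArpEntry]]:
    """Group all entries under their MAC address."""
    groups: Dict[str, List[ArpEntry]] = defaultdict(list)
    for entry in parse_arp(text):
        groups[entry.mac].append(entry)
    return dict(groups)


def macs_on_multiple_interfaces(text: str) -> Dict[str, List[str]]:
    """MAC -> sorted interface names, for MACs seen behind more than one nameif."""
    result: Dict[str, List[str]] = {}
    for mac, entries in by_mac(text).items():
        ifaces = sorted({e.interface for e in entries})
        if len(ifaces) > 1:
            result[mac] = ifaces
    return result
```

On the sample, macs_on_multiple_interfaces reports the laptop's MAC behind both adm and mgmt; the ages also show the mgmt entries are older than the adm one, consistent with the laptop having been moved most recently to the adm VLAN.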
11-18-2016 05:47 AM
That MAC address is my laptop. I have tried to connect to both the adm and mgmt VLANs.
11-18-2016 06:12 AM
Thanks for the clarification. If your laptop is the only device that the ASA sees do I assume that it is the only device active in the network? Or are there other devices that do not show up in the arp table?
If there is only a single device connected then communication between subinterfaces is not going to happen (who would it communicate with). If there are other devices but they do not show up in the arp table then we need to figure out what is causing this.
HTH
Rick
11-18-2016 06:53 AM
Rick,
I agree on this, but shouldn't I be able to ping the other interfaces? From vlan 99 (10.0.99.1) I cannot ping the vlan 10 (10.0.10.1) interface or the vlan 50 (10.0.50.1) interface.
11-18-2016 07:09 AM
Actually the answer is that no you should not be able to ping the other vlan interfaces of the ASA. As part of its basic security policy the ASA does not allow ping from a device connected in one interface to the other interfaces of the ASA.
HTH
Rick
11-18-2016 07:23 AM
Ah, I did not know this. Thanks for clearing this up, Rick!
Just for curiosity, is it possible to enable this?
11-18-2016 07:59 AM
As far as I know this policy can not be changed. I do not know of any config option that can change this behavior.
HTH
Rick
11-18-2016 10:57 AM
Rick,
Thank you so much for your help!
11-18-2016 01:49 PM
You are quite welcome. I am glad that you got it figured out. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions that have helpful information. These forums are excellent places to learn about networking. I hope to see you continue to be active in the forums.
HTH
Rick
10-02-2020 07:02 AM
Hello Richard,
I really need your help on a certain configuration.
I tried deploying two FTD-2110 on my network.
After all configurations, a workstation connected to vlan85, whose gateway is patched on FTD_1, could not reach a workstation on vlan_10, whose gateway is patched on FTD_2.
Both FTDs are connected directly via cable.
Kindly help if I'm missing something out.
Thanks