10-24-2007 04:29 PM - edited 03-11-2019 04:30 AM
Hello.
I am having communication issues between a router and ASA 7.2(2) with subinterfaces. A simple ping from the ASA cannot reach the router. Here is the config:
****** BEGIN ******
!
! ASA
!
int eth0
no shut
!
int eth0.40
vlan 40
nameif outside
ip address 192.168.1.1 255.255.255.0
no shut
!
! SWITCH
!
int f0/1
descrip **** ASA eth0
sw trunk encap dot1q
sw trunk native vlan 40
sw mode trunk
!
int f0/2
descrip *** Router E0
sw mode access
sw access vlan 40
!
! ROUTER
!
int f0/0
ip address 192.168.1.2
no shut
!
****** END ******
I enabled "debug arp". When I do a ping from ASA to R1, on ASA I can see the outgoing ARP packets. On R1 I can see the incoming ASA-ARP packets as well as the R1-ARP-REPLY BUT on SW I can only see the ASA-ARP-REQUEST packets to R1; never the R1-ARP-REPLY packets.
Scenario 1: If I disable the subinterface on the ASA and enable just ethernet0 without vlan, the ping works fine.
Scenario 2: If I do the following change, the ASA can reach R1:
!
int eth0.40
ip address 1.2.3.4 255.255.255.0
!
int eth0
nameif xxxx
ip address 192.168.1.1 255.255.255.0
!
Any advice is welcome.
10-25-2007 12:48 PM
TO DOCUMENT THIS CONVERSATION FOR OTHERS OUT THERE:
I found the problem.... AN ASA BUG. I read the bug id "CSCsj96350". The bug is for ASA5505, however I followed the workaround... and it worked for my 5510. So if the switch port where the ASA is connected has the same "trunk native vlan id" as the "vlan id" of the ASA, the ASA WILL NOT TAG them.... having no communication on such network.
I tested on 7.2(2) but nothing else.
Regards,
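The condition described in the post above (the switch trunk's native VLAN being the same as the VLAN ID on the ASA subinterface) can be checked offline from the two configs. This is an added example, not part of the original thread: the configs are constructed in full command form, and the `links` cabling map, the interface names and the function names are assumptions.

```python
import re

# Constructed configs mirroring the thread, in full command form.
ASA_CFG = """interface Ethernet0/0.40
 vlan 40
 nameif outside
"""
SWITCH_CFG = """interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 40
 switchport mode trunk
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 40
"""

def stanzas(cfg):
    """Split a config into {interface name: [stripped body lines]}."""
    out, name = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            name = m.group(1)
            out[name] = []
        elif name and line.startswith(" "):
            out[name].append(line.strip())
    return out

def find_vlan(body, pattern, default=None):
    """Return the VLAN ID from the last body line fully matching pattern."""
    hits = [m.group(1) for l in body if (m := re.fullmatch(pattern, l))]
    return int(hits[-1]) if hits else default

def native_vlan_conflicts(asa_cfg, sw_cfg, links):
    """links: {switch port: ASA physical interface} (hypothetical cabling map).
    Returns (port, asa_interface, vlan) for each trunk whose native VLAN is a subinterface VLAN."""
    sub = {}
    for name, body in stanzas(asa_cfg).items():
        vlan = find_vlan(body, r"vlan\s+(\d+)")
        if "." in name and vlan is not None:
            sub.setdefault(name.split(".")[0], set()).add(vlan)
    hits = []
    for port, body in stanzas(sw_cfg).items():
        if "switchport mode trunk" not in body or port not in links:
            continue
        native = find_vlan(body, r"switchport trunk native vlan\s+(\d+)", 1)  # IOS default native VLAN is 1
        if native in sub.get(links[port], set()):
            hits.append((port, links[port], native))
    return hits
```

Calling `native_vlan_conflicts(ASA_CFG, SWITCH_CFG, {"FastEthernet0/1": "Ethernet0/0"})` reports the FastEthernet0/1 trunk from the thread; a trunk whose native VLAN is not used by any ASA subinterface returns an empty list.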
10-25-2007 01:37 PM
Greivin, thanks for posting your own solution; it is great to share this info. I just happened to buy an ASA with code 7.2.2 but have not run into issues yet. I therefore rate..
Rgds
Jorge