cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
499
Views
0
Helpful
3
Replies

management vlan switch 3850 does not work on transparent firewall

Hi, 

I have a switch 3850PoE connected to a 6807XL switch and a Firewall 5585. 

on the 6807XL, I have the outside interface vlan for the management devices, 

on the firewall, I have it in transparent mode, 

interface TenGigabitEthernet0/8.1102
description SVI-NETWORK-MANAGEMENT-OUT
nameif ADMIN-OUT
bridge-group 1
security-level 0
!
interface TenGigabitEthernet0/9.102
description SVI-NETWORK-MANAGEMENT-IN
nameif ADMIN-IN
bridge-group 1
security-level 100


interface BVI1
description ADMIN-BVI
ip address 10.13.2.4 255.255.255.0 standby 10.13.2.5
!

access list are in place ip any any on both sides too and applied correctly and a static route is in place too:

access-list ADMIN-OUT extended permit icmp any any
access-list ADMIN-OUT extended permit ip any any
access-list ADMIN-IN extended permit icmp any any
access-list ADMIN-IN extended permit ip any any

access-group ADMIN-OUT in interface ADMIN-OUT
access-group ADMIN-IN in interface ADMIN-IN


route ADMIN-OUT 0.0.0.0 0.0.0.0 10.13.2.1 1 (this ip is the one set up on the 6807XL acting as the interface vlan for this subnet)

now on the switch I have: 

vlan 102
Name MGNT
exit

interface Vlan102
description <<< MANAGEMENT VLAN >>>>
ip address 10.13.2.19 255.255.255.0
!

But, from the outside, I cannot reach the switch, 

HOwever, if I bypass the firewall, putting the switch under the management vlan 1102, which is the outside set up on the 6807XL, it works, I can reach the switch to manage it. 

does anyone have this type of issues or am Im missing something?

1 Accepted Solution

Accepted Solutions

Mohammad Alhyari
Cisco Employee
Cisco Employee

I Have built this topology from the info you have provided. I would troubleshoot it like this:

1- check arp at the device i start the ping from it to see if layer 2 connectivity is there and that the TFW is doing the bridging function.

2- Move to the ASA and do packet captures like this :

ingress interface captures

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

asp drop captures to detect dropped packets 

cap asp type asp-drop all

3- logs from the ASA:

loggin buffered debugging 

test and then show logging 

Moh,

View solution in original post

3 Replies 3

Mohammad Alhyari
Cisco Employee
Cisco Employee

I Have built this topology from the info you have provided. I would troubleshoot it like this:

1- check arp at the device i start the ping from it to see if layer 2 connectivity is there and that the TFW is doing the bridging function.

2- Move to the ASA and do packet captures like this :

ingress interface captures

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

asp drop captures to detect dropped packets 

cap asp type asp-drop all

3- logs from the ASA:

loggin buffered debugging 

test and then show logging 

Moh,

Thank you, 

Let me make the steps today and let you know the findings asap, thanks for your assistance, 

Regards

thank you Mohammad, 

I was able to determine the root cause based on your tshot steps, there was no layer 2 traffic, but because we had to certificate the patch cord that we were using since we used the capture and no traffic was passing by, 

thanks for your help, I had to post another question, may be you can help me too, 

regards

Review Cisco Networking for a $25 gift card