06-09-2010 10:38 AM - edited 03-11-2019 10:57 AM
Hi folks,
If you could please advise me on this problem urgently, I'd be extremely grateful. I am trying to get an ASA5510 to work in multiple context transparent mode, and I keep coming up against the following issue.
I have one logical network, 10.1.11.0/24 divided into two parts by the firewall. Pinging from the firewall, when I first configure the inside interface, I can ping hosts on the inside network. However when I also configure the outside interface, I can no longer ping the hosts on the inside although I can ping hosts on the outside.
Here are some highlights from my very simple configuration. First of all the system context:
ASA Version 8.2(1) <system>
firewall transparent
!
interface Ethernet0/1
description Trunk to sw1 gi0/22
!
interface Ethernet0/1.21
vlan 21
!
interface Ethernet0/2
description Backhaul
!
admin-context backhaul
context backhaul
allocate-interface Ethernet0/1.21
allocate-interface Ethernet0/2
config-url disk0:/backhaul.cfg
And now the backhaul context:
firewall transparent
hostname backhaul
!
interface Ethernet0/1.21
nameif inside
security-level 100
!
interface Ethernet0/2
nameif outside
security-level 0
!
ip address 10.1.11.20 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.1.11.16 1
Hosts on the inside network (e0/1.21) are reachable:
asa5510/backhaul# ping 10.1.11.124
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.11.124, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
asa5510/backhaul# ping 10.1.11.125
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.11.125, timeout is 2 seconds:
!!!!!
But hosts on the outside network are not:
asa5510/backhaul# ping 10.1.11.16
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.11.16, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
However when I disable the inside interface:
asa5510/backhaul# conf t
asa5510/backhaul(config)# int e0/1.21
asa5510/backhaul(config-if)# no nameif
! ... wait a few moments
asa5510/backhaul# ping 10.1.11.16
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.11.16, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Then I can ping hosts on the outside interface!
Please help, I don't understand!
I've also tried 8.2(2) with the same results.
Thanks,
Philip
06-09-2010 11:08 AM
It seems you are trying to bridge vlan 21 and the native vlan. The host probably resides in the native vlan on the switch.
Can you check if the spanning tree on the switch blocks the port connected to the ASA?
PK
06-09-2010 11:22 AM
Hi PK,
Thank you for taking time to look at this.
The host doesn't reside on the native VLAN, and the e0/1 port is in trunked mode. The 'backhaul' network is a LAN extension service which bridges the 10.1.11.0/24 network off-site.
interface GigabitEthernet0/2
description server1 GB1
switchport access vlan 21
switchport mode access
end
06-09-2010 11:38 AM
Previous reply edited to give more detail.
Thanks,
Philip
06-09-2010 12:41 PM
Hi guys,
I could really do with some help on this one - the problem seems so odd. The setup is pretty simple though, I have a handful of servers on a switch, they're on VLAN 21. Then a trunked port goes from the switch to the ASA5510 which is connected directly to the 'backhaul' LAN extension service which is connected to the remote servers.
When I remove the nameif statement on the inside interface which has VLAN 21 on the backhaul context, I can ping the remote hosts at the far end of the LES, but I can't ping the local servers. When I put the nameif statement back, I can ping the local servers but not the remote ones.
It's driving me nuts, any advice would be greatly appreciated!
Thanks,
Philip
06-09-2010 02:17 PM
Try to traceroute from the ASA to see the path it takes.
Check if the ASA is sending the pings out and where they are going with a packet capture on the ASA interfaces using the capture command.
PK
06-09-2010 03:12 PM
Thanks again PK, I finally solved this.
I hadn't considered all the implications of connecting an ASA in layer 2 mode to a trunked port, and it was leaking BPDUs across the firewall from the switch to the third-party backhaul network, which consequently blocked the port until they stopped.
I hope this proves useful to any future readers, it may even save a grey hair or two :-)
Thanks again,
Philip
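The leak Philip describes is the behaviour the thread itself demonstrates: a transparent-mode context with no EtherType access list bridges the switch's STP BPDUs from the VLAN 21 trunk (e0/1.21) straight onto the third-party backhaul (e0/2), where the provider's spanning tree reacted by blocking its port. The configuration below is an added example, not configuration from the original post, showing the context as posted next to the same context with BPDUs dropped at the firewall, plus the ASA and switch checks that confirm it. The access-list name BLOCK-BPDU and the capture name STP are my choice; the context name backhaul, the interface names inside/outside and the switch trunk gi0/22 come from the thread.

```cisco
! ---- Context "backhaul", before: interfaces named, no EtherType ACL.
! ---- Anything the context bridges includes STP BPDUs, so the
! ---- switch's spanning tree reaches the provider through the firewall.
interface Ethernet0/1.21
 nameif inside
 security-level 100
!
interface Ethernet0/2
 nameif outside
 security-level 0
!
! ---- After: drop BPDUs at the context boundary. EtherType ACLs are
! ---- configured inside the context (not the system context) and are
! ---- connectionless, so apply the same list inbound on BOTH interfaces.
access-list BLOCK-BPDU ethertype deny bpdu
access-group BLOCK-BPDU in interface inside
access-group BLOCK-BPDU in interface outside
!
! Caveat: an EtherType ACL ends with an implicit deny for other non-IP
! EtherTypes. IP traffic is unaffected (it is governed by the extended
! access lists), but if this context must also bridge something like
! IPX or MPLS, permit it explicitly in the same list, e.g.
!   access-list BLOCK-BPDU ethertype permit mpls-unicast
!
! ---- Verify on the ASA: hit counts climb as the switch keeps sending
! ---- BPDUs toward the context (every 2 s by default).
show access-list BLOCK-BPDU
!
! ---- Verify with a capture on the provider-facing side: after the ACL
! ---- is applied, no frames to the STP destination MACs should appear
! ---- (0180.c200.0000 for IEEE STP/RSTP, 0100.0ccc.cccd for Cisco PVST+).
capture STP interface outside
show capture STP
no capture STP
!
! ---- On the switch (IOS), PK's check that the local trunk toward the
! ---- ASA is forwarding rather than blocked for VLAN 21:
! show spanning-tree vlan 21 interface gi0/22 detail
```

Blocking BPDUs on the firewall is the right place when the far side is equipment you do not control, as with a LAN extension service, because a switch-side bpdufilter on the trunk would also silence the switch's own loop protection on that port.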
06-09-2010 08:50 PM
Ha! It had to be a spanning tree issue.
Rate helpful posts.
Take care,
PK