Nat/Firewalling in ver 8.4

sandevsingh
Level 1

Hi, I have a use-case in which we need to firewall some of the security-sensitive VLANs at the ASA. In other words, there are a few VLANs that have their SVIs on the N5k (Layer-3 enabled) which talk to each other, and there are some which have their Layer 3 on the ASA. The ASA has sub-interfaces for those VLANs. The N5k switch and the ASA are interconnected on the same single physical link with a sub-interface on both (/30), and the ASA is injecting a default route into it in OSPF. They are advertising all of their networks in OSPF. I see all the routes in them. (Attached pic)

My issue is: I am unable to ping the other sub-interface on the ASA from the N5k. (If you check the attached diagram, I cannot ping 20.1.1.1 from the N5k, although I can reach my next-hop 10.1.1.2.) I have set the security-level to 100 for the sub-interfaces and the physical interface on the ASA, and have also allowed ip and icmp in the ACLs on the sub-interfaces of vlan 10 and 20 in both directions, BUT still no luck.

IF I REPLICATE THIS SAME SETUP BY REPLACING THE ASA WITH ANOTHER L-3 ROUTER, IT ALL WORKS FOR ME.

So I am suspecting some NAT rule on the ASA, as I know a lot has changed in ver 8.4 for NATting.


14 Replies

Julio Carvajal
VIP Alumni

Hello Sandevsingh,

Before getting into the configuration file, just so you know: the ASA was built to deny traffic to a far-end (distant) interface.

What is a far-end interface?

If you are on the inside you will be able to ping the inside interface, and you will be able to access outside users, but you will NOT be able to ping, ssh, telnet, etc. the outside interface IP address of the ASA...

So in your case, if you are on a specific VLAN and try to ping the ASA sub-interface IP on another VLAN, you will be denied no matter what.

Any other question.. Let me know.. Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

lcambron
Level 3

Hello,

Completely agree with Julio, this is not possible on an ASA firewall.

See the Pinging Security Appliance Interfaces document:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1059645

Regards,

Felipe.

Thanks for your replies guys, agreed the far-end interface will never ping.

BUT I cannot reach the GW on vlan 20 if I attach a laptop to the N5k switch in the same VLAN. (Please refer to my previous Visio.)

Here is my firewall-relevant config:

poc-asa1/actNoFailover# sh run interface | begin 0/9
interface TenGigabitEthernet0/9
 description Nexus-Lab2
 nameif lab1
 security-level 100
 no ip address
!
interface TenGigabitEthernet0/9.10
 vlan 10
 nameif lab2
 security-level 100
 ip address 10.1.1.2 255.255.255.252
!
interface TenGigabitEthernet0/9.20
 vlan 20
 nameif lab3
 security-level 100
 ip address 20.1.1.1 255.255.255.0

poc-asa1/actNoFailover(config)# sh run access-list
access-list lab2-in extended permit ip any any
access-list lab2-in extended permit icmp any any
access-list lab3-in extended permit ip any any
access-list lab3-in extended permit icmp any any
access-list lab2-out extended permit ip any any
access-list lab2-out extended permit icmp any any
access-list lab3-out extended permit ip any any
access-list lab3-out extended permit icmp any any
poc-asa1/actNoFailover(config)#

poc-asa1/actNoFailover(config)# sh run access-gro
access-group lab2-in in interface lab2
access-group lab2-out out interface lab2
access-group lab3-in in interface lab3
access-group lab3-out out interface lab3

Any clues, or am I being nuts!!

Hello,

Do the following:

cap capin interface lab3 match icmp client_ip host 20.1.1.1
cap asp type asp-drop all circular-buffer

Then try to ping 20.1.1.1.

Provide me the following information:

- show cap capin
- show cap asp | include 20.1.1.1

Any other question.. Let me know.. Just remember to rate all of my answers.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Are you able to ping the ASA from the switch?

If you try to ping the PC from the ASA, do you see an ARP entry?

Can you share the configuration of the switch interface that connects to TenGigabitEthernet0/9?

Regards,

Felipe.

Sorry, will post all this info on Monday as these POC subnets are not enabled over the VPN.

Folks, here is the interface config on the N5k switch:

poc-sw#
interface Ethernet1/17
  no switchport
  speed 1000
interface Ethernet1/17.10
  encapsulation dot1q 10
  ip address 10.1.1.1/30
  ip router ospf 100 area 0.0.0.0
interface Ethernet1/17.20
  encapsulation dot1q 20

I cannot ping the laptop (20.1.1.100) from the ASA; no ARP entry. There are no results in the capture filters, and the above ACLs do not show any hit counts:

poc-asa1/actNoFailover# show cap
capture capin type raw-data interface lab3 [Capturing - 0 bytes]
  match icmp host 20.1.1.100 any
capture asp type asp-drop all circular-buffer [Capturing - 6956 bytes]
poc-asa1/actNoFailover#
poc-asa1/actNoFailover# show cap asp | in
poc-asa1/actNoFailover# show cap asp | include 20.1.1

Looks like the traffic is not reaching the ASA sub-interface when exiting out of the switch's sub-interface, so... WTH??

I think you are trying to use a L3 switch as L2.

On interface E1/17.10 you configured an IP address with mask /30.

On interface E1/17.20 you also need an IP address, and this switch will do routing from the LAN network to the ASA.

Regards,

Felipe.

Did that, no luck... Can ping between the ASA and the N5k switch now, BUT the laptop still does not ping either of them... I am stumped!!

Post the configuration of the Nexus port connecting to the Laptop!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

interface Ethernet1/9
  switchport access vlan 20
  speed 1000

Hello Sandevsingh,

From what I understood from the description of the problem, you will use the ASA as the default gateway for vlan 20. So on the Nexus side, this interface (the one connecting to the ASA) should stay as a Layer 2 trunk.

Now my question is: which interfaces are going to use the ASA as the default gateway? Can I have the VLANs that will do that?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

sandevsingh
Level 1

Vlan 20 is going to use the ASA as the gateway. I wanted to use the same physical interface on which the N5k receives the default route from the ASA (vlan 10 in my case), and all the other VLANs have their respective sub-interfaces as gateway on the ASA. I could have achieved this with 2 separate physical links: one as a Layer 3 link for the OSPF adjacency to receive a default route on the switch, and the other as a pure Layer 2 trunk link to carry all the VLANs tagged to the ASA's sub-interfaces.

Indeed that is what needs to be done!

You must use one port as a dedicated Layer 2 trunk.

You should create the VLAN on the Nexus switch:

vlan 20
  name test

Then just use port x to the ASA:

interface giga x/x
  switchport mode trunk
  switchport trunk allowed vlan 20

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
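The root cause in this thread was a link-layer mismatch, not a NAT or ACL problem: the ASA owned the vlan 20 gateway on a sub-interface, but the Nexus uplink carried vlan 20 only as a routed sub-interface with no address, so tagged frames from the laptop were never bridged toward the ASA. The following is an added example (not from the thread or from Cisco) of a config-consistency check for that situation: it reads ASA and NX-OS config text and reports every VLAN whose gateway lives on the ASA but which the uplink neither trunks at Layer 2 nor peers with at Layer 3. Both sample configs are constructed, modelled on the ones posted above.

```python
import re

# Constructed ASA config: vlan 10 is the /30 OSPF peering, vlan 20's gateway is on the ASA.
ASA_CONFIG = """
interface TenGigabitEthernet0/9
 nameif lab1
 no ip address
!
interface TenGigabitEthernet0/9.10
 vlan 10
 nameif lab2
 ip address 10.1.1.2 255.255.255.252
!
interface TenGigabitEthernet0/9.20
 vlan 20
 nameif lab3
 ip address 20.1.1.1 255.255.255.0
"""

# Constructed Nexus uplink as originally posted: .20 is a routed sub-interface with no
# IP, so vlan 20 is neither bridged nor routed toward the ASA.
NEXUS_BROKEN = """
interface Ethernet1/17
  no switchport
interface Ethernet1/17.10
  encapsulation dot1q 10
  ip address 10.1.1.1/30
interface Ethernet1/17.20
  encapsulation dot1q 20
"""

# Constructed fix from the thread: keep the routed /30 for OSPF on one port and carry
# vlan 20 to the ASA on a dedicated Layer 2 trunk.
NEXUS_FIXED = """
interface Ethernet1/17
  no switchport
interface Ethernet1/17.10
  encapsulation dot1q 10
  ip address 10.1.1.1/30
interface Ethernet1/18
  switchport mode trunk
  switchport trunk allowed vlan 20
"""

def _blocks(cfg):
    """Split a config into per-interface blocks (text after each 'interface' keyword)."""
    return re.split(r"^interface ", cfg, flags=re.M)[1:]

def asa_vlan_gateways(cfg):
    """Map vlan id -> gateway IP for ASA sub-interfaces that carry an address."""
    gws = {}
    for block in _blocks(cfg):
        vlan = re.search(r"^\s*vlan (\d+)", block, re.M)
        ip = re.search(r"^\s*ip address (\S+)", block, re.M)  # 'no ip address' does not match
        if vlan and ip:
            gws[int(vlan.group(1))] = ip.group(1)
    return gws

def nexus_uplink_vlans(cfg):
    """Return (trunked, routed): vlans bridged on a trunk vs. peered on an addressed sub-interface."""
    trunked, routed = set(), set()
    for block in _blocks(cfg):
        allowed = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", block)
        if allowed:
            for part in allowed.group(1).split(","):
                lo, _, hi = part.partition("-")
                trunked.update(range(int(lo), int(hi or lo) + 1))
        encap = re.search(r"encapsulation dot1q (\d+)", block)
        if encap and re.search(r"^\s*ip address", block, re.M):
            routed.add(int(encap.group(1)))
    return trunked, routed

def unreachable_gateways(asa_cfg, nexus_cfg):
    """VLANs with a gateway on the ASA that hosts behind the Nexus cannot reach."""
    trunked, routed = nexus_uplink_vlans(nexus_cfg)
    return sorted(v for v in asa_vlan_gateways(asa_cfg) if v not in trunked | routed)

if __name__ == "__main__":
    print("broken uplink, unreachable gateways:", unreachable_gateways(ASA_CONFIG, NEXUS_BROKEN))
    print("fixed uplink, unreachable gateways: ", unreachable_gateways(ASA_CONFIG, NEXUS_FIXED))
```

Run against the posted configs it flags vlan 20 on the original uplink and nothing once a trunk carries it, which is the same conclusion the empty capin capture and zero ACL hit counts pointed to.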