Problem with Sub-interface on ASA 5520 v 8.2(2)16

gchevalley
Level 1

We have an ASA 5520 with various different DMZs at different security levels. One of the interfaces, gi0/2, is configured with sub-interfaces connected via a trunk to a 3560 switch. I am trying to pass traffic from VLAN 4 to the inside network with limited success. For some reason traffic for VLAN 4 is getting blocked by the ACL for VLAN 2. Is this a NAT issue?

192.168.193.4    192.168.17.195    Deny icmp src dmz2:192.168.193.4 dst inside:192.168.17.195 (type 0, code 0) by access-group "acl_dmz2" [0x0, 0x0]
192.168.17.195  1  192.168.193.4  0  Built outbound ICMP connection for faddr 192.168.193.4/0 gaddr 192.168.17.195/1 laddr 192.168.17.195/1

Here is the interface configuration:

interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.1
 vlan 2
 nameif dmz2
 security-level 60
 ip address 192.168.19.1 255.255.255.0
!
interface GigabitEthernet0/2.2
 vlan 3
 nameif dmz3
 security-level 30
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/2.3
 vlan 4
 nameif dmz4
 security-level 90
 ip address 192.168.193.1 255.255.255.248
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.17.1 255.255.255.0
!
nat (dmz4) 1 192.168.193.0 255.255.255.248

1 Accepted Solution

You are right.

For some reason the packets are getting to interface dmz2 instead of VLAN4. Are you running routing on the switch?

Mike

6 Replies

Maykol Rojas
Cisco Employee

Hi;

Can we have a look at the access-list acl_dmz2?

Mike

acl_dmz2 should have nothing to do with this? I have not edited acl_dmz2 to allow or permit any traffic associated with VLAN 4 under subinterface gi0/2.3. All traffic on gi0/2.3 should be controlled by acl_dmz4, not acl_dmz2. acl_dmz2 should only control traffic on gi0/2.1. I wouldn't think it would have anything to do with traffic on any other sub-interface.

You are right.

For some reason the packets are getting to interface dmz2 instead of VLAN4. Are you running routing on the switch?

Mike
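The mismatch Mike points out (a packet with a dmz4 source address arriving on dmz2) can be checked mechanically against the syslog. The following is an added example, not code from this thread or from Cisco: it parses ASA "Deny ... by access-group" messages and flags any packet whose source address belongs to a subnet configured on a different interface than the one it was received on. The interface-to-subnet table is taken from the configuration posted in the question; the log lines are a constructed sample built around the deny shown above.

```python
import ipaddress
import re

# Interface-to-subnet mapping taken from the configuration posted in the question.
INTERFACES = {
    "dmz2": ipaddress.ip_network("192.168.19.0/24"),
    "dmz3": ipaddress.ip_network("192.168.20.0/24"),
    "dmz4": ipaddress.ip_network("192.168.193.0/29"),
    "inside": ipaddress.ip_network("192.168.17.0/24"),
}

# Matches an ASA 'Deny <proto> src <if>:<ip>[/port] dst <if>:<ip>[/port] ... by access-group "<acl>"' message.
DENY_RE = re.compile(
    r'Deny (?P<proto>\S+) src (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)(?:/\d+)? '
    r'dst (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)(?:/\d+)?.*?by access-group "(?P<acl>[^"]+)"'
)

def expected_interface(ip):
    """Return the interface whose configured subnet contains ip, or None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return None

def parse_deny(line):
    """Return the fields of a Deny message as a dict, or None if the line is not a Deny."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None

def find_misplaced_sources(lines):
    """Return (src_ip, arrived_on, expected_on, acl) for every deny whose source address
    lies in a subnet configured on an interface other than the ingress interface."""
    findings = []
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        expected = expected_interface(rec["src_ip"])
        if expected is not None and expected != rec["src_if"]:
            findings.append((rec["src_ip"], rec["src_if"], expected, rec["acl"]))
    return findings

# Constructed sample: the deny from the question, a legitimate dmz2 deny for contrast, and a non-deny line.
SAMPLE_LOG = [
    'Deny icmp src dmz2:192.168.193.4 dst inside:192.168.17.195 (type 0, code 0) by access-group "acl_dmz2" [0x0, 0x0]',
    'Deny tcp src dmz2:192.168.19.50/40000 dst inside:192.168.17.10/445 by access-group "acl_dmz2" [0x0, 0x0]',
    'Built outbound ICMP connection for faddr 192.168.193.4/0 gaddr 192.168.17.195/1 laddr 192.168.17.195/1',
]
```

Running find_misplaced_sources(SAMPLE_LOG) reports only the first line: 192.168.193.4 arrived on dmz2 but belongs to dmz4, which is the pattern to look for before examining the ACL itself.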

No, IP routing is not enabled, but the native VLAN for the trunk is the default, VLAN 1.

Can you do a quick capture on the ASA? Do the following:

capture dmz2 interface dmz2 match icmp host 192.168.193.4 host 192.168.17.195

Then do the ping, then run "show cap dmz2 detail" and check the MAC address of the source of the packet; you will be able to see who is sending the packet to the incorrect VLAN.

Mike

Ok, I'll do this once I get back to the office in a few days.
