Hi,

**I completely missed the attachments (checking via ipad) I will check these later and edit my post

If you issue a show nat detail does the nat configuration cover the translations properly. Also in your default policy-map have to turned added the "inspect icmp"? You may want to turn on monitor debugging and see why the icmp traffic is being dropped. You can also run the packet-tracer command to see if the traffic is allowed:

packet-tracer input inside icmp 0 8 ....(you should be able to use the interactive prompts to walk you through the rest).

Thanks,

Sent from Cisco Technical Support iPad App

Tarik,

I changed our setup per Jouni's recommendations, and that fixed our internet access problem.

But we still could not ping internet hosts from the inside interface. Adding the inspect icmp to our global_policy allowed the pings to go through.

Thanks for your suggestion.

Sorry for the delay, just got back to the devices this morning.

I applied the new vlan/link network between ASA and switch config, and things are working great now.

I can access the internet from our internal vlans - 10, 20, and 30.

Thank you for you help!

Hi,

Thank you for the rating and for letting us know how it went.

I would like to add though that if you decided to configure a link network/Vlan between the L3 Switch and ASA that you wont really be able to control the traffic between the local Vlans other than on the L3 Switch which wouldnt be a desirable solution.

On the other hand if the above is fine and you dont have any need to limit traffic between these Vlans, then there should be no problem.

If you would like to control the traffic between the internal Vlans I would suggest Trunking them to the ASA and therefore moving the internal networks gateway to ASA. Then you could easily make the access rules as you want and monitor the traffic between the internal networks.

Good thing its working now atleast.

I completely forgot to point out the "inspect icmp" configuration.

- Jouni

Hi JouniForss,

I am a little confused about "New Vlan/Link Network between Switch and ASA" , why do we need to create a new vlan 100 and then allocate  GigabitEthernet1/0/47 into vlan 100.And Why don't we configure the ip 172.16.100.2 directly on GigabitEthernet1/0/47. what's the best practice? If we use the vlan method, how did the traffic go from ASA to switch. How does ASA learn the vlan ip ,using broadcast? Thanks!

Ah,

I guess you might aswell also configure the single physical port you mention as a router port with "no switchport" configuration and avoid all the vlan configurations.

That should be possible too.

- Jouni

Hi JouniForss,

Thanks for your prompt reply.My main concern is how router port communicate with access port in the vlan method scenario.How does the ASA learn arp information of interface vlan 100 to forward traffic?Thanks!

Hi,

If you have the L3 switch setup where there is an interface Vlan100 and a single port assigned as Access port and this port is used towards the ASA then there should really be no problem related ARP.

ASA will naturally have a "route" configuration for all the network behind its interface pointing to another address on the same network/subnet as its interface. If it doesnt have an ARP information already (which it will) it will simply use ARP to determine the MAC address of the gateway IP address configured in the "route" command and naturally the Vlan100 interface will reply.

For example in my home ASA5505

• ASA LAN interface 10.0.10.2
• ROUTER interface 10.0.10.1

I clear arp on the ASA and have "debug arp" on. The ASA then determines the IP/MAC pair with ARP

arp-req: generating request for 10.0.10.1 at interface LAN

arp-req: request for 10.0.10.1 still  pending

arp-in: response at LAN from 10.0.10.1 aca0.1679.6d1a for 10.0.10.2 0025.45f4.0aa2

- Jouni

Thanks Jouni for the detailed explanation.Really appreciate it.Thanks!