VLAN Merging on interfaces/zones on ASA 5555

So I have an ASA 5555. On it I have directly connected interfaces going out to customers. Well, one customer wants to be able to talk to another to share information and resources. I thought, cool, no problem: I go into the ASDM and allow each zone to talk to the other in the ACL rules, since they have the same level of 100. Then I go to the CLI and configure both the inter-interface permit and intra-interface permit configs. Then I go back into the ASDM and allow ICMP and echo replies, as well as going into the service policy rules and allowing ICMP inspection. I go to ping from one interface to the gateway of my other zone and get nothing but ????, so I'm stumped as to what could be the issue. Essentially these guys used the term "VLAN merging", which I know in our world of networking makes us think WHAT! But after speaking with them I got the gist of what they wanted to accomplish: they just want to be able to talk and share resources.

Accepted Solution

Rob Ingram (VIP Expert)

@DerekLazarus78183 when you say "I go to ping from one interface to the gateway of my other zone and nothing but ???? so I'm stumped as to what could be the issue." - are you pinging through the ASA to another ASA interface IP address? If so, you cannot by design do that; you need to ping through the ASA to a device behind the ASA.

If that's not what you meant, do you have NAT configured that could be unintentionally translating the traffic? Create a NAT exemption rule.

Please run packet-tracer from the CLI and provide the output.


10 Replies

I am pinging from one ASA sub-interface to another sub-interface on the same ASA. So, if I am tracking what you are saying, I need to see if I can hit a device versus a gateway. Also, there is no NAT configured.

@DerekLazarus78183 yeah pinging one ASA interface to another won't work.

Ping through the ASA to another device.

Got it, I'll give that a try!

So I tried pinging a device and got the same result. I am wondering if I should create a route to and from the subnet I am trying to reach.

@DerekLazarus78183 routing would be a consideration, but the ASA would already know how to reach those networks?

It's possible NAT (if configured) could be unintentionally translating the traffic also.

You are correct, it definitely didn't like the fact I tried to route it. It spit out an error stating it was a connected interface so it couldn't add it. I don't have NAT configured, so this is really giving me fits figuring it out.

@DerekLazarus78183 ok, please run packet-tracer from the CLI to simulate the traffic flow and provide the output for review.

So I ran the packet-tracer and it pretty much let me know it was the last ACL in the security zone, ip "any" "any" deny. The problem with this is that that particular statement has to be in place for our environment.

Follow-up to the comment above: after twiddling my thumbs I went to the ASA and pinged from a device in the ARP table to another device in the ARP table on a separate VLAN, and it was successful, so I believe I may be good and am just waiting on my users to verify.
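Pulling the thread together, here is an added ASA CLI example (not the poster's or Cisco's configuration) that keeps the trailing "deny ip any any" the poster must retain, inserts a narrowly scoped permit for the two customer subnets above it, exempts that pair from NAT, and verifies the flow with packet-tracer as Rob suggests. Interface names (custA, custB), VLAN IDs, subnets, object names and the ACL name are constructed placeholders.

```text
! Added example; all names and addresses below are constructed placeholders.
!
! 1. Two customer sub-interfaces at the same security level (100).
interface GigabitEthernet0/1.10
 vlan 10
 nameif custA
 security-level 100
 ip address 10.10.1.1 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif custB
 security-level 100
 ip address 10.10.2.1 255.255.255.0
!
! 2. Allow traffic between interfaces that share a security level.
same-security-traffic permit inter-interface
!
! 3. Insert a scoped permit at line 1 of the existing inbound ACL so it is
!    evaluated before the mandatory "deny ip any any" at the end.
object network CUSTA_NET
 subnet 10.10.1.0 255.255.255.0
object network CUSTB_NET
 subnet 10.10.2.0 255.255.255.0
access-list CUSTA_IN line 1 extended permit ip object CUSTA_NET object CUSTB_NET
access-list CUSTB_IN line 1 extended permit ip object CUSTB_NET object CUSTA_NET
! (the existing last lines remain in place)
! access-list CUSTA_IN extended deny ip any any
! access-list CUSTB_IN extended deny ip any any
access-group CUSTA_IN in interface custA
access-group CUSTB_IN in interface custB
!
! 4. Identity NAT (NAT exemption) so any other NAT rule cannot translate
!    this pair; harmless if no NAT is configured at all.
nat (custA,custB) source static CUSTA_NET CUSTA_NET destination static CUSTB_NET CUSTB_NET no-proxy-arp route-lookup
!
! 5. Ensure ICMP is stateful so echo replies are allowed back.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 6. Verify: simulate an ICMP echo (type 8, code 0) from a host behind
!    custA to a host behind custB, not to the ASA's own interface address.
packet-tracer input custA icmp 10.10.1.10 8 0 10.10.2.10 detailed
show access-list CUSTA_IN
```

The packet-tracer output should end with "Action: allow"; if it reports a drop at the ACCESS-LIST phase, the permit line is missing or ordered below the deny, and the hit counts from show access-list confirm which entry matched.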
