03-05-2020 06:58 PM - edited 03-05-2020 07:11 PM
Hello all,
I have configured 3 separate VLANs using sub-interfaces on an ASA firewall with 3 different security levels, and configured a trunk to a layer-2 switch allowing all VLANs on that trunk port.
See the information below for a better understanding:
Vlan 2 - 192.168.2.0/24 (Sec level - 100)
Vlan 3 - 192.168.3.0/24 (Sec level - 50)
Vlan 4 - 192.168.4.0/24 (Sec level - 70)
From the firewall side:
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.2
vlan 2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/0.3
vlan 3
nameif DMZ-1
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/0.4
vlan 4
nameif DMZ-2
security-level 70
ip address 192.168.4.1 255.255.255.0
!
object-group network inside
network-object 192.168.2.0 255.255.255.0
object-group network DMZ-1
network-object 192.168.3.0 255.255.255.0
object-group network DMZ-2
network-object 192.168.4.0 255.255.255.0
!
access-list all-allow extended permit ip any any
access-group all-allow global
!
Please note that when I configure my PC on access VLAN 2 (security level 100), I can ping the gateway (192.168.2.1) from my PC, but I can't ping the other two gateways. A higher security level to a lower one should be reachable. Please suggest what I can do to solve this issue.
03-05-2020 07:46 PM
03-05-2020 08:06 PM
Hi Ricky,
ICMP inspection was enabled globally. Is there any possibility of an inter-VLAN routing issue?
policy-map global_policy
class inspection_default
inspect icmp
03-05-2020 09:29 PM
You cannot ping an ASA interface that's remote from the interface that your traffic ingresses on. That's by design and cannot be changed. Better to test with a host on one of the other subnets.
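The following is an added example, not code from the thread or from Cisco: a small Python model of the two ASA behaviours the thread touches on, using the three sub-interfaces posted above. It treats an ICMP echo to one of the ASA's own addresses as to-the-box traffic that is only answered when the packet arrives on the interface that owns that address (the point made in the answer), and treats traffic to a host behind another interface as through-traffic, allowed by the posted global `permit ip any any` ACL or, without an ACL, by the default higher-to-lower security-level rule. The host addresses (192.168.2.50, 192.168.3.10, and so on), the `global_acl_permits_any` and `same_security_permitted` parameters, and the verdict strings are assumptions made for the illustration; NAT, `icmp permit` statements and VPN management access are deliberately left out of the model.

```python
# Added example: models the ASA ping behaviour discussed in the thread.
# Host addresses and parameter names are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Interface:
    nameif: str
    vlan: int
    security_level: int
    network: str   # connected subnet, e.g. "192.168.2.0/24"
    address: str   # the ASA's own address on that subnet


# Taken from the sub-interface configuration posted in the thread.
INTERFACES = [
    Interface("inside", 2, 100, "192.168.2.0/24", "192.168.2.1"),
    Interface("DMZ-1", 3, 50, "192.168.3.0/24", "192.168.3.1"),
    Interface("DMZ-2", 4, 70, "192.168.4.0/24", "192.168.4.1"),
]

ASA_ADDRESSES = {ip_address(i.address) for i in INTERFACES}


def interface_for(addr):
    """Connected-route lookup: the interface whose subnet contains addr, or None."""
    ip = ip_address(addr)
    for intf in INTERFACES:
        if ip in ip_network(intf.network):
            return intf
    return None


def ping_verdict(src, dst, global_acl_permits_any=True, same_security_permitted=False):
    """Return (answered, reason) for an ICMP echo from host src to dst.

    global_acl_permits_any models the posted 'access-group all-allow global';
    same_security_permitted models 'same-security-traffic permit inter-interface'
    (assumed parameter names, not ASA commands).
    """
    ingress = interface_for(src)
    egress = interface_for(dst)
    if ingress is None or egress is None:
        return (False, "no route")

    # To-the-box traffic: the ASA answers only on the interface that owns the address.
    if ip_address(dst) in ASA_ADDRESSES:
        if egress is ingress:
            return (True, "reply: pinging the ingress interface's own address")
        return (False, "no reply: far-side interface address (by design)")

    # Same VLAN: the switch forwards directly, the ASA never sees the packet.
    if ingress is egress:
        return (True, "not through the ASA: same subnet")

    # Through traffic between two sub-interfaces.
    if ingress.security_level == egress.security_level and not same_security_permitted:
        return (False, "denied: same security level without same-security-traffic permit")
    if global_acl_permits_any:
        return (True, "allowed: global ACL permits ip any any")
    if ingress.security_level > egress.security_level:
        return (True, "allowed: higher to lower security level by default")
    return (False, "denied: lower to higher security level without an ACL")


if __name__ == "__main__":
    # Reproduces the symptom from the question and the test suggested in the answer.
    pc = "192.168.2.50"          # constructed: a PC on access VLAN 2
    dmz1_host = "192.168.3.10"   # constructed: a host in DMZ-1
    for dst in ("192.168.2.1", "192.168.3.1", "192.168.4.1", dmz1_host):
        answered, reason = ping_verdict(pc, dst)
        print(f"{pc} -> {dst}: {'OK ' if answered else 'FAIL'} {reason}")
```

The model says what the thread's answer says: from the VLAN 2 PC, 192.168.2.1 answers, 192.168.3.1 and 192.168.4.1 do not even though the security levels are lower, and a host such as 192.168.3.10 in DMZ-1 is reachable, so that is the destination to use when testing inter-VLAN forwarding. Drop `global_acl_permits_any` to `False` to see the default security-level behaviour the question expected.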