10-14-2012 08:47 PM
Hi All,
I'm currently running a POC for the ASA 1000V and as such I'm using the Nexus 1000V for the first time. My issue might be that I'm missing something fundamental with the Nexus configuration. I have read the configuration guides and can't see any obvious issues in my config.
I have set up the Nexus 1000V and have created my port groups. I have the ASA 1000V internal interface and a test VM sitting on the "ClientA" network; this network is VLAN 70. These 2 VMs cannot see each other.
However, a laptop I have externally sitting on VLAN 70 can ping & access both the test VM and the ASA 1000V; likewise the ASA 1000V and test VM can ping & access the laptop.
So the issue appears to be with traffic between guest VMs on the same DVS within the Nexus.
I have attached my Nexus config for reference; if anyone can shed any light on my issue it would be greatly appreciated.
Regards
10-19-2012 04:51 PM
I see you are using the following port-profile for the inside interface of the ASA and your test VM:
port-profile type vethernet CLIENTA
  vmware port-group
  switchport access vlan 70
  switchport mode access
  vservice node ClientA-ASA profile Inside
  org root/ClientA/TestDC/ASA
  no shutdown
  state enabled
This is enabling the firewall on the inside interface of the ASA as well. You should not have the firewall enabled for the ASA inside interface.
To fix this, create another port-profile without the "vservice" and "org" lines, like the following:
port-profile type vethernet CLIENTA-ASA-INSIDE
  vmware port-group
  switchport access vlan 70
  switchport mode access
  no shutdown
  state enabled
Use this port-profile for your ASA inside interface.
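The misconfiguration described above (the firewall's own inside vNIC attached to a port-profile whose "vservice" line redirects traffic back into that firewall) can be caught by parsing the running-config. The following checker is an added example, not code from the thread or from Cisco; the config excerpt, vNIC names and port-group mapping are constructed for illustration.

```python
"""Added check: parse Nexus 1000V vethernet port-profiles, find which ones steer
traffic into a vservice (ASA 1000V), and flag firewall vNICs attached to one."""
import re

# Constructed excerpt in the style of the posted running-config (trimmed).
SAMPLE_CONFIG = """\
port-profile type vethernet CLIENTA
  switchport access vlan 70
  vservice node ClientA-ASA profile Inside
  org root/ClientA/TestDC/ASA
port-profile type vethernet CLIENTA-ASA-INSIDE
  switchport access vlan 70
"""
# Constructed vNIC -> port-group mapping (hypothetical names).
ATTACHMENTS = {"ASA1000v Gig0/0 (inside)": "CLIENTA", "TestVM eth0": "CLIENTA"}
FIREWALL_NICS = {"ASA1000v Gig0/0 (inside)"}


def parse_port_profiles(config):
    """Return {name: {"vlan": ..., "vservice": ...}} for vethernet profiles."""
    profiles, current = {}, None
    for line in config.splitlines():
        m = re.match(r"port-profile type vethernet (\S+)", line)
        if m:
            current = m.group(1)
            profiles[current] = {"vlan": None, "vservice": None}
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("switchport access vlan "):
            profiles[current]["vlan"] = s.split()[-1]
        elif s.startswith("vservice node "):
            # "vservice node <node> profile <sec-profile>": redirects to the ASA
            profiles[current]["vservice"] = s.split()[2]
    return profiles


def misplaced_firewall_nics(config, attachments, firewall_nics):
    """List (vnic, port-group, vservice node) for firewall vNICs whose
    port-profile would redirect their traffic back into the firewall."""
    profiles = parse_port_profiles(config)
    return sorted(
        (nic, pg, profiles[pg]["vservice"])
        for nic, pg in attachments.items()
        if nic in firewall_nics and pg in profiles and profiles[pg]["vservice"]
    )
```

With the constructed mapping the ASA inside vNIC is reported on CLIENTA; moving it to CLIENTA-ASA-INSIDE, as suggested above, clears the finding.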
11-14-2012 02:25 PM
Hi Vinod,
Thanks for that. I have made those changes but still no luck. I will be honest, I've been too busy to properly look over/debug since. But once I get some more time I'll take a more in-depth look and post back.
In any case thanks for pointing me in the right direction.
Regards,
11-15-2012 02:18 PM
Hi All,
Still no joy with getting VM traffic through the ASA 1000V / Nexus 1000V.
My current ASA 1000V & Nexus 1000V configs are attached.
The basics of the ASA config are as follows:
Gig 0/0 ( Inside ) connected to port group CLIENT-ASA-INSIDE
Gig 0/1 (Outside) connected to port group OUTSIDE
ASA Security profile:
Interface: security-profile1
Name: Sec1
Enabled: Yes
Security Profile: Inside
Please also note, I have tried both of the following under the CLIENTA profile on the Nexus:
vservice node ClientA-ASA profile Sec1
vservice node ClientA-ASA profile Inside
I have VMs on the CLIENTA port group. The VMs can ping the ASA inside interface. The ASA can ping external IPs. But VM traffic cannot get to the internet.
Note: testing external access via ping to IP as well as web browsing etc.
Not sure where I'm going wrong, but any assistance would be appreciated.
Regards,