Cannot ping interfaces

Roger Richards
Level 1

Ok. Good day, I have an ASA 5510 and a 2921.

My ASA is used for VPN and Internet

My 2921 is used to connect different subnets

I also have an attached diagram

I have a directly connected interface on 2921-10.10.10.1 to the ASA 10.10.10.2

Also on the 2921 i have a subnet 192.168.2.0 and 10.20.30.0

I have a trunk link on my switch 2950 from the 2921... The ASA is also connected to the switch.

on the ASA

Int0/0 66.xxx.xxx.xxx internet

Int0/1 10.20.60.2 - Gateway for computers

Int0/2 10.10.10.2 - connected to 2921

on the 2921

gig0/1 10.10.10.1 - connected to ASA

gig0/1.20 sub-if 192.168.2.1

gig0/1.30 sub-if 10.20.30.1

I have connected some static routes to get from 10.20.60.0 to 192.168.2.0

I cannot ping 10.10.10.2 from my PC

I cannot ping 10.20.60.2 from my 2921

I would appreciate any ideas for configuration help...  And redesign...

What cannot happen is for us to use the 2921 for vpn and internet..

Thanks, see image.

1 Accepted Solution


Roger

I think the way you have it now is the way to do it, i.e. use the 2921 to route the internal vlans and only use the ASA when you need to go to the internet or use the vpn. If you wanted to use the ASA to route the vlans then you would need additional configuration on it and I can't see the advantage of doing that unless you have security issues?

Does this make sense ?

Jon


45 Replies

Umesh Shetty
Level 1

Hi Roger,

The config from a routing perspective looks good. Now, since in both cases you are trying to ping the IP configured on the ASA firewall, I wonder if there is a stealth rule that's dropping that traffic. (I am not an expert though with ASA; I would check that first.)

Also, if you have set the rule to allow ICMP between these subnets, can you try

1> Pinging from your PC to 10.10.10.1

2> From 2921 to ping your PC

Another suggestion would be, since this problem is related to the ASA, you could post this in the Security section to get the security experts to help you.

HTH

Regards

Umesh

Jon Marshall
Hall of Fame

Roger

I cannot ping 10.10.10.2 from my PC

I cannot ping 10.20.60.2 from my 2921

You won't be able to because on the ASA this is a restriction by design, i.e. you cannot ping another interface across the ASA. You can obviously ping through the ASA, i.e. in one interface and out another (as long as your rulebase allows it), but if the destination IP of the packet is another ASA interface this will be blocked.

So what you are seeing is correct behaviour. Do you have a connectivity problem or was it just a query you had?

Jon

Not connectivity issues but problems with provisioning some Avaya phones using DHCP on a W2K8 server. Just basically needed to do intervlan routing with the 2921 but we still need the ASA connected as default gateway. Sooooooooo....... I need lots of help. Maybe on a different forum. But that's how this all started.

Roger

Maybe on a different forum

If it's a problem with the phones then maybe the VOIP forums but if it is the network layout then this is the right forum.

If it is network layout etc. can you perhaps specify exactly what you want to be able to do and then we may be able to help you.

Jon

I got everything working. That "untagpvidonly" is an Avaya command.

My real issue is I can ping anything on the 192.168.2.0 subnet but I can't actually log in to any devices. If I can resolve that, it'll be great. Take another look at the attached diagram and tell me what I can do. If I put my PC with a gateway address of 10.20.60.1 I can log into my phone call server; if I put my PC with 10.20.60.2, it just hangs there.

Roger

What is 10.20.60.1?

Jon

Sorry, I forgot to include 10.20.60.1. It's a sub-interface on the 2921, and its dot1q is 10, VLAN 10. I couldn't see how else I could have routed to the 192.168.2.0 network, and both subnets have an ip helper pointing to a DHCP server.

Roger

I think the way you have it now is the way to do it, i.e. use the 2921 to route the internal vlans and only use the ASA when you need to go to the internet or use the vpn. If you wanted to use the ASA to route the vlans then you would need additional configuration on it and I can't see the advantage of doing that unless you have security issues?

Does this make sense ?

Jon

Perfect sense... Thanks again Jon....

Hey Jon,

I got another issue. How can I use the 2921 for the internet? My ASA has 10.20.60.2 as the gateway for my computers, and my 2921 also has the 10.20.60.1 interface.

I appreciate any information given.

Roger

This could get a bit complicated but not necessarily.

Your ASA has 2 internal connections, one to the switch and one to the 2921. But it only really needs the one connection to the 2921. So all vlans internally are routed off the 2921 and you only go to the firewall for VPN and internet.

However that would mean changes to the 2921 and more importantly the ASA. The current ASA inside interface is on the 10.20.60.x network whereas it would move to the 10.10.10.0/31. This would mean a route change on the 2921 but potentially a fair bit more config on the ASA.

Before you did any of that though, on the ASA you have this route -

172.20.2.0 255.255.255.0 172.20.16.11 inside

What is the 172.20.2.x network and what device is 172.20.16.11?

Jon
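As an added illustration of the redesign Jon describes in this reply (the 2921 routes every VLAN and the ASA hangs off a single routed link), and of his earlier point that pings addressed to a far-side ASA interface are dropped by design, here is a sketch of both sides. It is not configuration from the thread. Assumed: VLANs 10/20/30 map to the sub-interfaces named above, 10.20.60.50 is a placeholder DHCP server on VLAN 10, ISP_NEXT_HOP is a placeholder, the ASA link moves to its own router port Gi0/0, a /30 mask stands in for Jon's /31 because older ASA code does not accept 31-bit masks, and the NAT lines use ASA 8.3+ object syntax.

```text
! ===== 2921 (assumed config): inter-VLAN routing, one link to the ASA =====
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.20.60.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 10.20.60.50
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.20.30.1 255.255.255.0
 ip helper-address 10.20.60.50
!
! point-to-point link to the ASA (assumed moved to its own port)
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.252
!
! anything not local (Internet, VPN remote sites) goes to the ASA
ip route 0.0.0.0 0.0.0.0 10.10.10.2

! ===== ASA 5510 (assumed config): inside = the 2921 link only =====
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.252
!
! return routes for every internal VLAN point back at the 2921
route inside 10.20.60.0 255.255.255.0 10.10.10.1
route inside 192.168.2.0 255.255.255.0 10.10.10.1
route inside 10.20.30.0 255.255.255.0 10.10.10.1
route outside 0.0.0.0 0.0.0.0 ISP_NEXT_HOP
!
! PAT for the internal ranges (ASA 8.3+ object NAT syntax)
object network LAN_10
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
object network LAN_192
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! lets echo replies return through the ASA; pings aimed at a far-side ASA
! interface are still dropped, as Jon describes
policy-map global_policy
 class inspection_default
  inspect icmp
```

With this layout the hosts' DHCP default gateway becomes 10.20.60.1, and the existing VPN crypto ACLs and NAT exemption on the ASA must list the same internal ranges (not shown).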

That's a network on the other side of the VPN. I couldn't get to it from the 2921.

Roger

If it is a network on the other side of the VPN then why does the ASA have a route pointing back into your network, i.e. the route is reachable via the inside interface of the ASA not the outside?

Not trying to be difficult, but if I am to suggest changes I need to make sure I don't stop things working.

Jon

Sorry Jon, my apologeeez.. that was an experimental route... it does not serve a purpose. I do and will appreciate if I can get this task done. It would solve my problems (well, at least the ones here).
