Solved: Does it possible ASA 5512-X with Switch 2960 (Inter-Vlan)

chhayheng · ‎05-26-2015

Dear Everyone!!

(Cisco 5512-X)
interface GigabitEthernet0/0
description Intranet
speed 100
duplex full
nameif inside
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.101
description NAC_DR
vlan 101
nameif nac_prod
security-level 80
ip address 21.20.20.1 255.255.255.0
!
interface GigabitEthernet0/1.201
description NAC_UAT
vlan 201
nameif nac_uat
security-level 60
ip address 22.20.20.1 255.255.255.0

-------------------------------------------------------

SWITCH (2960)

interface range FastEthernet0/1 - 12
switchport mode access
switchport access vlan 101
!
interface range FastEthernet0/13 - 23
switchport mode access
switchport access vlan 201
!
interface FastEthernet0/24
description To Firewall
switchport mode trunk
load-interval 30
speed 100
duplex full

What is the problem ?

Karsten Iwen · ‎05-26-2015

> What is the problem ?

The main problem is, that you don't ask a question ... ;-)

So, which problem do you have?

View solution in original post

Karsten Iwen · ‎05-26-2015

Is it only ping that fails or also other traffic? Have you enabled icmp-inspection on the ASA?

Which addresses do you ping from which device?

View solution in original post

Karsten Iwen · ‎05-26-2015

> What is the problem ?

The main problem is, that you don't ask a question ... ;-)

So, which problem do you have?

chhayheng · ‎05-26-2015

Hello Karsten :)

I have to configure Inter-Vlan between ASA 5512-X with Cisco Switch 2960.
When I ping from one vlan to other vlan it not reach each other.

Best Regards,

Chhayheng

Karsten Iwen · ‎05-26-2015

Is it only ping that fails or also other traffic? Have you enabled icmp-inspection on the ASA?

Which addresses do you ping from which device?

chhayheng · ‎05-27-2015

I already applied icmp-inspection.

I want to ping from IP 21.20.20.1 to 22.20.20.1 .

Karsten Iwen · ‎05-27-2015

> I want to ping from IP 21.20.20.1 to 22.20.20.1 .

These are the addresses of your ASA. Ping from a system in the connected LAN to a system on the other LAN.

And do a packet-tracer to see what the ASA would do with the traffic. Perhaps it's missing/wrong access-control or NAT:

packet-tracer input nac_prod icmp 21.20.20.x 8 0 22.20.20.x

chhayheng · ‎05-27-2015

One more thing. I do research on google about InterVlan (ASA work with switch layer 2 ). Does it possible to configure inter-vlan between ASA5512-X with Layer2 Switch ?

The result:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Result:
input-interface: nac_prod
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

Karsten Iwen · ‎05-27-2015

Yes, the ASA can be used for inter-vlan-routing. That's a quite common implementation.

But your packet-tracer shows that you probably used the command with wrong addresses. With directly connected interfaces, there can't be a route missing. You probably entered an address that was remote to the ASA.

chhayheng · ‎05-27-2015

I already fixed it by some question

First: ACL
Second: If the same security level (Allow the same-security)

Best Regards,

Chhhayheng