Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1033
Views
0
Helpful
6
Replies

How to route between vlans using asa

Georgi Kostov
Level 1
Level 1

‎11-26-2014 02:29 AM - edited ‎03-07-2019 09:40 PM

Hi there All,

I am trying to make the asa to routing on the same interface (intra-interface). The infrestructure in my place is:

1. A ISP router conected to the ASA outside interface 
2. ASA 
3. A switch with two vlans (VLAN 101 172.20.53.35 and VLAN 102 10.2.0.30) 

i would like to access the 10.2.0.0 network from 172.20.53.0

 

With this config i cant ping the SW VLAN 102 (10.2.0.30) 

 

Thank for your time.

Labels:
Preview file
9 KB
Preview file
1 KB
0 Helpful
6 Replies 6

Karsten Iwen
VIP
VIP

‎11-26-2014 03:13 AM

It seems that your switch is a L3-switch that has both vlans configured. In this case the switch will do the routing between the vlans and not the ASA. Based on the ASA-config it should work.

  1. How do you test it?
  2. Can you reach the ASA inside interface from the switch?
  3. In the switch-config you have a vlan 103 while in your post you are talking abount vlan 102. Just a typo in your post? Otherwise that could be also the reason.
0 Helpful

Georgi Kostov
Level 1
Level 1
In response to Karsten Iwen

‎11-26-2014 03:49 AM

From asa i cant ping 10.2.0.30 (the vlan103 interface) 

From switch i can ping 172.20.53.1

Also from a host in vlan 101 i cant ping host in vlam 103 

 

Also i should say that i have a dhcp server in vlan 101 that set a GW 172.20.53.1 to all host in VLAN 101

 

0 Helpful

Karsten Iwen
VIP
VIP
In response to Georgi Kostov

‎11-26-2014 04:10 AM

> Also i should say that i have a dhcp server in vlan 101 that set a GW 172.20.53.1 to all host in VLAN 101

The GW for the clients should be the ip-address of the vlan 101-interface on the switch. With the ASA as a gateway you open up many problems that can easily be avoided.

Can you ping from a host in Vlan 101 (with GW set to the switch-ip) to a host in Vlan 103? If not, the problem is located at the switch.

0 Helpful

Georgi Kostov
Level 1
Level 1
In response to Karsten Iwen

‎11-26-2014 04:36 AM

Thank for you help Karsten.

i set a static GW 172.20.53.35 on a host from vlan 101 

i can ping the vlan 103 interface 10.2.0.30 but cant ping any host from 10.2.0.0/24

and also i dont have an access to internet  

0 Helpful

Karsten Iwen
VIP
VIP
In response to Georgi Kostov

‎11-26-2014 05:41 AM

For testing traffic through the ASA, first make icmp statefull:

policy-map global_policy
 class inspection_default
  inspect icmp

 

What gateway do the clients on the vlan 103 have. Is it 10.2.0.30? Can they ping the switch interfaces (both)?

Is there a windows-firewall active on the client that you tried to ping?

0 Helpful

Georgi Kostov
Level 1
Level 1
In response to Karsten Iwen

‎11-26-2014 06:54 AM

Sorry i dont have problem with internet.

But the strange is that:

When i set a host in vlan103 with GW 10.2.0.30 and ip 10.2.0.50 and a host in vlan101 with 172.20.53.161 and GW 172.20.53.35

from vlan103 host i can ping both interfaces of the switch

i can ping from vlan103 host vlan101 host but oposite is not possible

0 Helpful
Customers Also Viewed These Support Documents