Troubleshooting 1-way connectivity between 6506 and ASA55xx

drumrb0y
Level 1

I haven't added to my network in a while, so I might be a bit rusty on LAN connectivity troubleshooting.

I have an ASA55xx that will be the L3 core of a new network infrastructure; the VLANs defined on the edge switches will trunk to a DMZ interface on the ASA and subinterfaces will route internally. My old network will connect via a "transit" DMZ interface and the outside interface will be configured as is typical.

My problem is that I only have 1-way connectivity between a ASA subinterface and my old network; a simple diagram is:

Servers -> subinterface (10.10.200.1) -> DMZ interface -> [ASA55xx] -> transit interface -> [6506] -> L3 VLAN (10.10.3.1) -> My workstation

I can ping from the ASA to my workstation at 10.10.3.x, but I cannot ping the subinterface 10.10.200.1 from my workstation.

I suspect that it might be a NAT issue, but configuring NAT bypass did nothing.

Partial ASA config:

names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx yy.yy.yy.yy
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.162
 description VLAN-162
 vlan 162
 nameif inside162
 security-level 100
 ip address 10.10.162.1 255.255.255.0
!
interface Ethernet0/1.179
 description BACKBONE
 vlan 179
 nameif inside179
 security-level 100
 ip address 10.10.179.254 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.200
 description VLAN-200-TKRDMZ
 vlan 200
 nameif dmz200
 security-level 50
 ip address 10.10.200.1 255.255.255.0
!
interface Ethernet0/3
 nameif transit
 security-level 75
 ip address 10.10.250.1 255.255.255.240
!
access-list transit-nat-bypass extended permit ip 10.10.162.0 255.255.255.0 interface transit
!
nat-control
global (outside) 1 interface
nat (transit) 0 0.0.0.0 0.0.0.0
nat (inside162) 0 access-list transit-nat-bypass
nat (inside162) 1 10.10.162.0 255.255.255.0
nat (dmz200) 1 10.10.200.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx
route transit 10.10.3.0 255.255.255.0 10.10.250.12 1
route inside179 10.10.179.0 255.255.255.0 10.10.179.1 1

I can provide Cat6500 config lines also, but I don't think that the issue lies there.

Any opinions will be welcomed.

~Thanks!

8 Replies

Reza Sharifi
Hall of Fame

From the 6506, can you ping the ASA (10.10.200.1)?

Thanks for your reply;

No, I cannot ping the ASA from the 6506; however, the ASA can ping the 6506 and my workstation beyond. I also noted that the ASA doesn't show up in a 'show cdp neighbors' on the 6506.

Can you check and see if the 6500 has a static route towards the firewall  (10.10.200.0/24)?

if not, add it and test again.

There is a static route in place:

ip route 10.10.200.0 255.255.255.0 10.10.250.1

Hi drumrby,

You can ping the 6506 from the ASA; do you have any management interface or other interface between the ASA and the 6506 that may explain why you can ping the 6506?

Can you run the command 'sh int ip brief' on the ASA to check if the interfaces are up?

Kind Regards,

Zee

The only interface that connects my old network to the new one is the 'transit' interface; the output of the command is:

ASA1# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/2.188            10.10.188.1     YES CONFIG up                    up
Ethernet0/2.200            10.10.200.1     YES manual up                    up

From the 6506, can you ping 10.10.250.1?

Do you have any ACLs? By default a higher security level can access a lower security level. If I remember correctly, for ICMP you need to specifically allow it, or you need to do some inspection on ICMP.

If not, try testing at L2 (this will avoid any ACL / security zones you may have).

To test at L2, configure L2 VLAN ID 200 on the 6506 and plug a laptop into a port in VLAN 200 using an IP address in 10.10.200.x.

I hope this helps.

You should try to ping the servers instead, as the DMZ interface's security level normally doesn't allow pinging.
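The replies above each probe a different layer of the problem (interface status, static routes, security levels, ICMP inspection, and whether the target is the ASA's own interface address). The script below is an added example, not Cisco code and not anything the poster ran: it parses the partial config posted above (blank lines removed; the masked outside addresses xx.xx.xx.xx are replaced with 192.0.2.x placeholders) and applies general ASA rules to the three pings discussed in the thread. The rules it encodes are: the ASA only answers a ping to an interface address when the echo arrives on that same interface, a higher-security interface may initiate to a lower one while the reverse direction needs an access-group ACL, and with nat-control a higher-to-lower flow needs a nat rule with a matching global on the egress interface (the `nat 0 access-list` exemption form is deliberately not modelled, so the model is conservative for inside162).

```python
"""Reachability model for the ping tests in this thread (added example, not Cisco code).

ASA_CONFIG copies the posted partial config; 192.0.2.x stands in for the masked
outside addresses. The verdict logic encodes general ASA behaviour, not an ASA API.
"""
import ipaddress
import re

ASA_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface Ethernet0/1.162
 nameif inside162
 security-level 100
 ip address 10.10.162.1 255.255.255.0
interface Ethernet0/1.179
 nameif inside179
 security-level 100
 ip address 10.10.179.254 255.255.255.0
interface Ethernet0/2.200
 nameif dmz200
 security-level 50
 ip address 10.10.200.1 255.255.255.0
interface Ethernet0/3
 nameif transit
 security-level 75
 ip address 10.10.250.1 255.255.255.240
nat-control
global (outside) 1 interface
nat (transit) 0 0.0.0.0 0.0.0.0
nat (inside162) 0 access-list transit-nat-bypass
nat (inside162) 1 10.10.162.0 255.255.255.0
nat (dmz200) 1 10.10.200.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1
route transit 10.10.3.0 255.255.255.0 10.10.250.12 1
route inside179 10.10.179.0 255.255.255.0 10.10.179.1 1
"""


def parse_config(text):
    """Collect named interfaces, address-form nat rules, global pools and static routes."""
    ifaces, nats, globals_, routes = {}, [], {}, []
    cur = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = {"level": None, "ip": None, "net": None}
        elif tok[0] == "nameif" and cur is not None:
            ifaces[tok[1]] = cur
        elif tok[0] == "security-level" and cur is not None:
            cur["level"] = int(tok[1])
        elif tok[:2] == ["ip", "address"] and cur is not None:
            cur["ip"] = ipaddress.ip_address(tok[2])
            cur["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[0] == "nat":
            # Only 'nat (ifc) id addr mask' is modelled; 'nat (ifc) 0 access-list' is skipped.
            m = re.match(r"nat \((\S+)\) (\d+) ([\d.]+) ([\d.]+)$", raw.strip())
            if m:
                nats.append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
        elif tok[0] == "global":
            m = re.match(r"global \((\S+)\) (\d+)", raw.strip())
            globals_.setdefault(int(m[2]), set()).add(m[1])
        elif tok[0] == "route":
            routes.append((tok[1], ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)))
    return ifaces, nats, globals_, routes


def egress_interface(ifaces, routes, dst):
    """Longest-prefix match over connected networks and static routes."""
    dst = ipaddress.ip_address(dst)
    cands = [(i["net"].prefixlen, n) for n, i in ifaces.items() if i["net"] is not None and dst in i["net"]]
    cands += [(net.prefixlen, ifc) for ifc, net in routes if dst in net]
    return max(cands)[1] if cands else None


def ping_verdict(cfg, ingress, src, dst):
    """Explain what the ASA does with an ICMP echo from src to dst arriving on 'ingress'."""
    ifaces, nats, globals_, routes = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, i in ifaces.items():
        if i["ip"] == dst:  # destination is one of the ASA's own interface addresses
            if name == ingress:
                return "answered"
            return (f"not answered: {dst} belongs to interface {name} but the echo arrived on "
                    f"{ingress}; the ASA only answers pings to the interface the packet arrived on")
    egress = egress_interface(ifaces, routes, dst)
    if egress is None:
        return "dropped: no route"
    lin, lout = ifaces[ingress]["level"], ifaces[egress]["level"]
    if lin <= lout:
        return (f"dropped: security, {ingress} ({lin}) to {egress} ({lout}) needs an access-group "
                f"ACL (equal levels also need same-security-traffic permit)")
    for ifc, nat_id, net in nats:  # nat-control: higher-to-lower needs identity nat or a global
        if ifc == ingress and src in net:
            if nat_id == 0 or egress in globals_.get(nat_id, ()):
                return (f"forwarded: {ingress} ({lin}) -> {egress} ({lout}); the echo reply comes "
                        f"back lower-to-higher, so it needs 'inspect icmp' or an ACL on {egress}")
            return f"dropped: nat-control, nat id {nat_id} on {ingress} has no global on {egress}"
    return f"dropped: nat-control, no nat rule on {ingress} matches {src}"


CFG = parse_config(ASA_CONFIG)

if __name__ == "__main__":
    # The three pings from the thread, all sourced from the workstation behind the 6506 (constructed 10.10.3.10).
    for dst in ("10.10.200.1", "10.10.250.1", "10.10.200.20"):
        print(f"10.10.3.10 -> {dst} via transit: {ping_verdict(CFG, 'transit', '10.10.3.10', dst)}")
```

Run as-is it reports the thread's observation (echo to 10.10.200.1 entering on transit is not answered), that pinging 10.10.250.1 works, and that a ping to a server in 10.10.200.0/24 is forwarded but its reply depends on ICMP inspection or an ACL on dmz200. Feeding it a flow from inside162 also shows the nat-control gap in the posted config: nat id 1 only has a global on outside, so higher-to-lower traffic from inside162 toward dmz200 or transit has no translation unless the nat 0 access-list exemption covers it.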
