Cisco ASA 5510 VPN to Inside/MGMT Issue

Geeo124
Level 1

Hello all,

I am in the process of setting up my homelab which consists of:

1. Cisco ASA 5510 (Firewall, VPN and Gateway to my home network)

2. Cisco Catalyst 3570 (Core Switch within Lab)

3. Proxmox Servers (Access Devices)

 

Although I feel pretty confident with standard Cisco config on the switch, I have little to no experience with ASAs or their syntax, and I am running into a few issues when setting this lab up.

 

I have successfully configured AnyConnect VPN, which places VPN users in the VPN Pool of 10.137.250.0/24 network. This is incoming on the outside interface. I have also set up SSH and ASDM access to the outside interface (192.168.1.250) which sits on my home LAN.

 

The issue is that when I am on the VPN Pool subnet, I am unsure how to configure access from the VPN Pool to the:

1. Inside transit network (10.137.10.0) which sits on the Inside interface

2. Management network (10.137.245.0) which sits on the mgmt interface (which is connected to the core switch).

3. Server network (10.137.20.0) which is connected to the Core Switch.

 

Currently, I am unable to ping/ssh any of the addresses that sit internally behind the ASA.

 

For reference, my ASA is connected to my Core switch on E0/1, and my Core switch is then connected to my ASA's management port.

 

I would greatly appreciate any help in getting this ASA set up for correct access. Fundamentally the most important thing is getting ssh/ping access to all the internal networks that sit behind the Inside and mgmt ports.

 

Here is my ASA running config:

 

OAK-FWL-01# show run
: Saved
:
ASA Version 8.3(1)
!
hostname OAK-FWL-01
enable password mTzgJKxqgKpa6nkx encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.250 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.137.10.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif mgmt
security-level 0
ip address 10.137.245.10 255.255.255.0
!
ftp mode passive
same-security-traffic permit intra-interface
object network VPN
subnet 10.137.250.0 255.255.255.0
access-list VPN_CLIENTS_OUT extended permit ip object VPN any
access-list SPLIT_TUNNEL standard permit 10.137.250.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.137.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
ip local pool ANYCONNECT_NOC_POOL 10.137.250.1-10.137.250.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,inside) source static VPN VPN
!
object network VPN
nat (outside,outside) dynamic interface
!
router eigrp 1
network 10.137.10.0 255.255.255.252
network 10.137.245.0 255.255.255.0
network 10.137.250.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 outside
ssh 10.137.250.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-filter value VPN_CLIENTS_OUT
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
group-policy ANYCONNECT_GRP internal
username geeo password RJHlWrNM5VlNIBRv encrypted privilege 15
username a-geeo password RlecWZhj9hULid8p encrypted privilege 0
username a-geeo attributes
vpn-group-policy DfltGrpPolicy
tunnel-group ANYCONNECT_USER type remote-access
tunnel-group ANYCONNECT_USER general-attributes
address-pool ANYCONNECT_NOC_POOL
tunnel-group ANYCONNECT_USER webvpn-attributes
group-alias noc enable
group-url https://192.168.1.250/noc enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e25209cb850af135f8adb7f7948716af
: end

9 Replies

@Geeo124 

You'll need a NAT exemption rule, to ensure traffic is not unintentionally translated. Example:-

 

object network LAN-1
 subnet 10.137.10.0 255.255.255.0

nat (inside,outside) source static LAN-1 LAN-1 destination static VPN VPN no-proxy-arp

 

You'll need to add your other networks (10.137.245.0 and 10.137.20.0) to the split-tunnel ACL and duplicate the NAT configuration above.

 

Is 10.137.20.0 learnt via EIGRP, as I see no static route?
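Rob's three-point checklist (split-tunnel entry, NAT exemption, route) lends itself to a script. The following is an added example, not code from this thread or from Cisco: a Python audit that parses an ASA 8.3-style running-config and reports, for each internal network, whether the split-tunnel ACL covers it, whether an identity twice-NAT rule exempts it from translation toward the VPN pool, and which interface the longest-prefix route would forward it on (the last point is what decides whether a network the ASA sees as directly connected on one interface can ever be reached via another). The embedded config is a constructed subset of the one posted above with the LAN-3 exemption deliberately left out; the object and ACL names come from the thread, the function names are mine.

```python
"""Audit an ASA 8.3+ running-config for what an AnyConnect pool needs to reach an
internal network: a split-tunnel ACL entry, an identity (NAT-exemption) twice-NAT
rule, and the interface the longest-prefix route points at. Added example, not
code from the thread; CONFIG is a constructed subset of the posted 'show run'."""
import ipaddress
import re

# Constructed sample: subset of the posted config; LAN-3 exemption deliberately missing.
CONFIG = """\
interface Ethernet0/1
nameif inside
ip address 10.137.10.1 255.255.255.252
interface Management0/0
nameif mgmt
ip address 10.137.245.10 255.255.255.0
object network VPN
subnet 10.137.250.0 255.255.255.0
object network LAN-1
subnet 10.137.10.0 255.255.255.0
object network LAN-3
subnet 10.137.20.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.137.250.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.137.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
nat (inside,outside) source static LAN-1 LAN-1 destination static VPN VPN no-proxy-arp
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.137.20.0 255.255.255.0 10.137.10.2 1
"""

def _net(addr, mask):
    """Network from the ASA's 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_objects(config):
    """Map each 'object network NAME' to the subnet declared under it."""
    objects, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and current:
            objects[current] = _net(m.group(1), m.group(2))
    return objects

def parse_split_tunnel(config, acl):
    """Networks the split-tunnel ACL sends into the tunnel."""
    pat = rf"^access-list {re.escape(acl)} standard permit (\S+) (\S+)"
    return [_net(a, m) for a, m in re.findall(pat, config, re.M)]

def parse_nat_exemptions(config, objects, vpn):
    """Networks exempted toward the VPN pool by identity twice-NAT (real == mapped both sides)."""
    pat = r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    exempt = []
    for src_r, src_m, dst_r, dst_m in re.findall(pat, config, re.M):
        if src_r != src_m or dst_r != dst_m:
            continue  # translates an address, so it is not an exemption
        peer = src_r if dst_r == vpn else dst_r if src_r == vpn else None
        if peer in objects:
            exempt.append(objects[peer])
    return exempt

def parse_routes(config):
    """Static routes plus connected interface networks, as (network, nameif, kind)."""
    routes = [(_net(a, m), ifc, "static")
              for ifc, a, m in re.findall(r"^route (\S+) (\S+) (\S+) \S+", config, re.M)]
    nameif = None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and nameif:
            routes.append((_net(m.group(1), m.group(2)), nameif, "connected"))
    return routes

def egress(target, routes):
    """Longest-prefix match: the entry the ASA would actually forward on."""
    hits = [r for r in routes if target.subnet_of(r[0])]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def audit(config, vpn, acl, targets):
    """For each target network: is it split-tunnelled, NAT-exempt, and where does it route?"""
    objects = parse_objects(config)
    split = parse_split_tunnel(config, acl)
    exempt = parse_nat_exemptions(config, objects, vpn)
    routes, report = parse_routes(config), {}
    for t in targets:
        target = ipaddress.ip_network(t)
        best = egress(target, routes)
        report[t] = {"split_tunnel": any(target.subnet_of(n) for n in split),
                     "nat_exempt": any(target.subnet_of(n) for n in exempt),
                     "egress": best[1] if best else None,
                     "via": best[2] if best else None}
    return report

if __name__ == "__main__":
    targets = ["10.137.10.0/30", "10.137.20.0/24", "10.137.245.0/24"]
    for net, row in audit(CONFIG, "VPN", "SPLIT_TUNNEL", targets).items():
        print(net, row)
```

Run against the sample, the transit /30 passes all three checks, 10.137.20.0/24 has a route but neither a split-tunnel entry nor an exemption, and 10.137.245.0/24 resolves to the connected mgmt interface rather than to the switch, which is exactly the kind of result worth seeing before changing anything on the box.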

Hello Rob,

Thank you for your reply! I have implemented your suggestions and I seem to have progressed further.

As it stands, on my laptop that is within the VPN Pool 10.137.250.0 network I am able to ping the inside interface IP on the ASA (10.137.10.1), but not the switch interface on the other side of that link (10.137.10.2).

The same goes for pinging the MGMT port on the ASA from the VPN Subnet, along with being unable to ssh.

However, when attempting an SSH to the MGMT port, I now get a "connection refused" prompt, which leads me to believe that this is a step in the right direction.

Also, as the ASA is able to ping all required networks, it makes me think: do I need to enable inter-interface ping manually on the ASA for connected clients? I am unsure what the best practice is.

Thank you for all your help so far! I feel like this is close to a resolution.

Thanks,

Geeo

Hello again,

 

I have performed some tinkering and I have managed to gain ssh access to the ASA's management port (it was "management-access mgmt" that did it for me).

 

However, the fundamental problem still persists. I am unable to ping/access anything behind the inside ASA interface (aka the core switch that is directly connected to the inside interface). I believe it may be something to do with routing; however, both the switch and ASA can successfully ping each other. The only network that the switch cannot ping, however, is the ASA's Outside network/interface, but I believe that is probably standard for most ASAs.

 

If anyone is able to have a look at my Switch and ASA running config, I would be very grateful.

 


ASA Running config

 

OAK-FWL-01# show run
: Saved
:
ASA Version 8.3(1)
!
hostname OAK-FWL-01
enable password mTzgJKxqgKpa6nkx encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.250 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.137.10.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif mgmt
security-level 0
ip address 10.137.245.10 255.255.255.0
!
ftp mode passive
same-security-traffic permit intra-interface
object network VPN
subnet 10.137.250.0 255.255.255.0
object network LAN-1
subnet 10.137.10.0 255.255.255.0
object network LAN-2
subnet 10.137.245.0 255.255.255.0
object network LAN-3
subnet 10.137.20.0 255.255.255.0
access-list VPN_CLIENTS_OUT extended permit ip object VPN any
access-list SPLIT_TUNNEL standard permit 10.137.250.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.137.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.137.245.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.137.10.0 255.255.255.252
access-list SPLIT_TUNNEL standard permit 10.137.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
ip local pool ANYCONNECT_NOC_POOL 10.137.250.1-10.137.250.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,inside) source static VPN VPN
nat (inside,outside) source static LAN-1 LAN-1 destination static VPN VPN
nat (inside,outside) source static LAN-3 LAN-3 destination static VPN VPN
nat (inside,outside) source static LAN-2 LAN-2 destination static VPN VPN
!
object network VPN
nat (outside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.137.10.0 255.255.255.0 10.137.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 outside
ssh 10.137.250.0 255.255.255.0 mgmt
ssh timeout 15
ssh version 2
console timeout 0
management-access mgmt
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-filter value VPN_CLIENTS_OUT
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
group-policy ANYCONNECT_GRP internal
username geeo password RJHlWrNM5VlNIBRv encrypted privilege 15
username a-geeo password RlecWZhj9hULid8p encrypted privilege 0
username a-geeo attributes
vpn-group-policy DfltGrpPolicy
tunnel-group ANYCONNECT_USER type remote-access
tunnel-group ANYCONNECT_USER general-attributes
address-pool ANYCONNECT_NOC_POOL
tunnel-group ANYCONNECT_USER webvpn-attributes
group-alias noc enable
group-url https://192.168.1.250/noc enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6d25aaf665e92eb416c88050a82e07de
: end

 


Switch Running Config

 

 

OAK-SWC-01#show run
Building configuration...

Current configuration : 4434 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname OAK-SWC-01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$vSle$ycN.S2hhZL4EheM7GPIz7.
!
username a-geeo password 7 130A5F1009450D2B29233C35337343
no aaa new-model
switch 1 provision ws-c3750v2-48ps
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name oakgrove.com
!
!
!
!
crypto pki trustpoint TP-self-signed-3646102912
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3646102912
revocation-check none
rsakeypair TP-self-signed-3646102912
!
!
crypto pki certificate chain TP-self-signed-3646102912
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33363436 31303239 3132301E 170D3933 30333031 30303031
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36343631
30323931 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E9B0 CE1C2FCF E48FE7C7 CAB66CEC C061F12F D65AC37E 3D1C4791 62FE8822
0EDE599A 07752462 3AE66593 B5E455FA 37AA2E23 F8A6A0E3 F1921F22 C7218B89
85D20D95 F7BC4308 3642627A E9230B22 A8137030 B8A09BC1 1714F5AD 5E064991
ED8567EF 3DB6F065 4863D7D3 2E8211B5 FCE138A1 7043BF7D 360CC2E3 545C9725
E4070203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 174F414B 2D535743 2D30312E 6F616B67 726F7665 2E636F6D
301F0603 551D2304 18301680 144158B4 E50E19B7 821C1139 FF0FF93C FEE435B9
18301D06 03551D0E 04160414 4158B4E5 0E19B782 1C1139FF 0FF93CFE E435B918
300D0609 2A864886 F70D0101 04050003 818100D3 9AFEB7BC 8535ED12 EDF5D574
9F2DCED8 5804A6BC 78D04A19 C8057C99 FF6DC25E EA8228CB 4C41A49E 5BFE904B
0D5DE40A 5A20F600 62EBDDF9 4C31DBDE D4C429DB 8026CF37 612D4AC2 1B6F6DF8
79AF69E1 06529192 92C801E6 A0B05FD7 B4623B84 86156713 C7B7EF34 603132C4
52CB8A0B 0AE9E578 DC406A80 8CA31C28 051222
quit
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet1/0/1
description UPLINK TO FWL 1
no switchport
ip address 10.137.10.2 255.255.255.252
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface FastEthernet1/0/25
!
interface FastEthernet1/0/26
!
interface FastEthernet1/0/27
!
interface FastEthernet1/0/28
!
interface FastEthernet1/0/29
!
interface FastEthernet1/0/30
!
interface FastEthernet1/0/31
!
interface FastEthernet1/0/32
!
interface FastEthernet1/0/33
!
interface FastEthernet1/0/34
!
interface FastEthernet1/0/35
!
interface FastEthernet1/0/36
!
interface FastEthernet1/0/37
!
interface FastEthernet1/0/38
!
interface FastEthernet1/0/39
!
interface FastEthernet1/0/40
!
interface FastEthernet1/0/41
!
interface FastEthernet1/0/42
!
interface FastEthernet1/0/43
!
interface FastEthernet1/0/44
!
interface FastEthernet1/0/45
!
interface FastEthernet1/0/46
!
interface FastEthernet1/0/47
!
interface FastEthernet1/0/48
switchport access vlan 50
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan50
ip address 10.137.245.1 255.255.255.0
!
interface Vlan200
ip address 10.137.20.1 255.255.255.0
!
ip default-gateway 10.137.10.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.137.10.1
ip route 10.137.245.0 255.255.255.0 10.137.10.1
ip route 10.137.250.0 255.255.255.0 10.137.10.1
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login
!
end

 


Thanks again guys!

@Geeo124 you didn't answer my previous question about EIGRP, but I assume from the switch output above you don't have EIGRP configured between the ASA and the switch? In which case the ASA doesn't have static routes to the vlan50 network. Add this:

 

route inside 10.137.20.0 255.255.255.0 10.137.10.2

 

You don't need a static route to the connected network; remove it with: no route inside 10.137.10.0 255.255.255.0 10.137.10.2 1

 

If that still doesn't work please run packet-tracer from the CLI and provide the output for review. Example:-

 

packet-tracer input inside tcp 10.137.250.10 3000 10.137.20.10 80

 

Ensure you don't have an active anyconnect user connected and using the source IP address I used in the example above.

 

You cannot be connected to the inside interface and ping through the ASA to the ASA's outside interface, that won't work by design.

Hello Rob! Thanks for the reply.

 

Apologies for not answering the EIGRP Question. I removed EIGRP from the running configuration of both devices as I decided to go with static routing as there are only two networking devices in my homelab.

 

I have done as you said. I performed the packet-tracer command to the 10.137.10.1 IP address (the interface on the switch) as I have disconnected the proxmox server and just have the switch and firewall connected to each other to troubleshoot.

 

The command and results of the packet tracer are as follows:


OAK-FWL-01(config)# packet-tracer input inside tcp 10.137.250.10 3000 10.137.1$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.137.10.1 255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


As you can see, it is seemingly hitting the implicit deny, although I have configured the networks to be permitted in my SPLIT_TUNNEL ACL. Maybe I need to add another ACL rule somewhere?

 

Thanks again,

 

Geeo

@Geeo124 generate traffic through the device, not to the device. 10.137.10.1 is the inside interface of the ASA. Ping the switch 10.137.10.2 and run a packet-tracer for the 10.137.20.0 network too.

 

When running packet-tracer the destination doesn't necessarily need to exist, the ASA will simulate the traffic flow.
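Rob's point that packet-tracer has to simulate traffic through the ASA, not to one of its own addresses, is visible in the output itself: a ROUTE-LOOKUP phase that resolves to "identity" and an output interface of "NP Identity Ifc" mean the flow was to-the-box, so it is judged by the to-the-box rules (the ssh, http and icmp commands) rather than by the through-traffic ACLs and NAT that the tracer is normally used to debug. As an added example that is not from this thread, here is a small Python parser that splits packet-tracer output into phases and classifies the result; the two embedded samples are abridged from the two runs quoted in this thread.

```python
"""Classify ASA packet-tracer output: which phase dropped the flow, why, and whether
the destination was the ASA itself ('identity' route lookup, 'NP Identity Ifc' egress).
Added example, not code from the thread; both samples are abridged from the outputs above."""

# Constructed sample: the run against the ASA's own inside address (abridged).
TO_THE_BOX = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in 10.137.10.1 255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
input-interface: inside
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: the run toward 10.137.20.10 through the box (abridged).
ALLOWED = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in 10.137.20.0 255.255.255.0 inside

Phase: 2
Type: FLOW-CREATION
Result: ALLOW
Additional Information:
New flow created with id 5475, packet dispatched to next module

Result:
input-interface: inside
output-interface: inside
Action: allow
"""

def parse_packet_tracer(text):
    """Phases as dicts ('key: value' lines become entries, bare lines go under 'info')
    plus the final Result block as a dict."""
    phases, result, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "info": []}
            phases.append(current)
        elif line == "Result:":
            current = result
        elif current is None:
            continue
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
        elif "info" in current:
            current["info"].append(line)
    return {"phases": phases, "result": result}

def diagnose(parsed):
    """allowed / dropped in transit / to-the-box, with the dropping phase and reason."""
    res, phases = parsed["result"], parsed["phases"]
    if res.get("action") == "allow":
        return {"verdict": "allowed", "egress": res.get("output-interface")}
    # Two fingerprints of traffic addressed to the ASA rather than through it.
    identity_route = any(p.get("type") == "ROUTE-LOOKUP"
                         and any(i.endswith(" identity") for i in p["info"])
                         for p in phases)
    to_box = identity_route or res.get("output-interface") == "NP Identity Ifc"
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    return {"verdict": "to-the-box" if to_box else "dropped",
            "phase": drop["phase"] if drop else None,
            "type": drop.get("type") if drop else None,
            "reason": res.get("drop-reason")}

if __name__ == "__main__":
    for name, sample in (("to-the-box", TO_THE_BOX), ("allowed", ALLOWED)):
        print(name, diagnose(parse_packet_tracer(sample)))
```

The first sample is classified as to-the-box with the drop in phase 3 (ACCESS-LIST), which is the signal to re-run the tracer with a destination behind the switch; the second is simply allowed out of inside.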

Hello Rob, it seems the ping from VPN Subnet to Switch Interface is working now!

 

Here is the Firewall successfully pinging, along with the packet tracer to the 10.137.20.0 network:


OAK-FWL-01# ping 10.137.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.137.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


OAK-FWL-01# packet-tracer input inside tcp 10.137.250.10 3000 10.137.20.10 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.137.20.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5475, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow


The only thing that I cannot ping from the VPN subnet is the 10.137.245.1 address, which is the VLAN 50 SVI that the MGMT interface is connected to. The route in my head is "ASA 10.137.10.1 ----> SWITCH 10.137.10.2 ------> SVI 10.137.245.1", but I think the ASA is trying to send traffic to the 10.137.245.0 network through the MGMT interface instead of the switch as it is considering it directly connected, which won't work as it is a mgmt interface.

 

Assuming I can configure connectivity from the VPN pool to the management vlan SVI, the only thing left to do in the configuration is ensure that the 10.137.20.0 (proxmox) network can communicate with the internet. Do I just need to repeat the configuration that I did for VPN_CLIENTS_OUT but for the proxmox network?

 

Thanks,

 

Geeo

@Geeo124 

 

object network LAN-3
 subnet 10.137.20.0 255.255.255.0

 nat (inside,outside) dynamic interface

 

Hello Rob,

 

Thank you for all your help and efforts.

 

I am able to successfully ping the 10.137.20.1 IP address (the switch SVI).

 

The link between the switch and the proxmox server is a trunk link (as I imagine there will be multiple VLANs from different VMs). As I am able to ping the SVI for the Proxmox VLAN but not the Proxmox server itself (10.137.20.10), is there anything off the top of your head that I may be missing?