ASA 5520 Sub Interface problems

Answered Question
Mar 27th, 2007

Hi All,


Another question :(


On an ASA 5520 I am trying to configure sub-interfaces. However, once it was created, I am unable to ping that sub-interface's address from anywhere outside of its subnet. The setup is as follows:


GIG0/0 Inside, 10.177.8.41, 255.255.255.248, Native, Security level 100

GIG0/0.27 Test, 10.177.27.240, 255.255.255.0, Vlan 27, Security level 100

GIG0/1 Outside, 1.1.1.1, 255.255.255.248, Native, Security level 0


Configured routes are:


10.177.0.0, 255.255.128.0 > 10.177.8.46



If I ping from a device within the 10.177.27.x subnet I can reach the Test sub-interface. If I ping from outside of that subnet (i.e. from my machine at 10.177.29.251) I get no response. The logs on the ASA show the following:


110003 Routing failed to locate next hop for icmp from Test:10.177.27.240/0 to Test:10.177.29.251/0


On my switch which connects the ASA to the network I have the uplink configured as untagged for the 10.177.8.40 network and tagged for vlan 27 (10.177.27.0/24).


I've looked through the Cisco Press book and the online docs and followed everything mentioned. The behaviour of the failed pings is typical of devices configured without any default gateway. I would imagine the routing on the box should take care of that.


I've also tried enabling communication between interfaces with the same security level or between multiple hosts on the same interface.


Any help greatly appreciated.

DfyAnt Tue, 03/27/2007 - 06:34

You need to set up a trunk between the ASA and a router. Remember, the ASA is not a router and cannot route between VLANs.

jason.scott Wed, 03/28/2007 - 00:04

Hrm, that sounds like it should be the cause, however we're running 7.2(10) which I believe includes the fix for this particular bug.


Having said that I would've thought the ASA would return a message stating the packet was denied because of internal policies rather than complaining of a routing issue.

Correct Answer
vitripat Tue, 03/27/2007 - 18:43

Hello Jason,


It seems that the issue is neither with the trunking nor with the bug mentioned previously on this post.


ASA is behaving as it is expected to. Let me explain.


Test interface connects directly to 10.177.27.0/24 network only. Then you have the route-


10.177.0.0 255.255.128.0 --> 10.177.8.46


Now you are initiating the PING from 10.177.29.251, which as per the configuration of the ASA is on the Native interface, because the above route points to 10.177.8.46, which is part of the Native interface.


So logically, your host, which is on the Native interface, is trying to ping a different interface of the ASA altogether. This is simply not possible. The ASA does not allow pinging the other-side interface from a host on a different interface. Please refer to the following link for the same:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#pingsown


However, if your requirement is that 10.177.29.251 should be in VLAN 27, then we need to make configuration changes on the ASA.


Let me know if this explains the behaviour of the ASA. Hope this helps.



Regards,

Vibhor.
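To make the explanation above concrete, here is an added Python example (not from the original thread or from Cisco) that runs a longest-prefix-match lookup over the connected networks and the single static route given in the question. It assumes, as a reading of the 110003 log line quoted in the question, that the ASA answers a ping aimed at one of its own interface addresses out of the interface the echo arrived on; the route table, the interface names and the log-line format are reconstructed from the thread, not taken from a real device.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[ipaddress.IPv4Address]  # None means a connected route

# Constructed from the thread: the three connected networks plus the one static route.
# (Outside's 1.1.1.1/29 is the poster's placeholder address.)
ROUTES = [
    Route(ipaddress.ip_network("10.177.8.40/29"), "Inside", None),
    Route(ipaddress.ip_network("10.177.27.0/24"), "Test", None),
    Route(ipaddress.ip_network("1.1.1.0/29"), "Outside", None),
    Route(ipaddress.ip_network("10.177.0.0/17"), "Inside",
          ipaddress.ip_address("10.177.8.46")),
]

def lookup(dst, routes=ROUTES, via=None):
    """Longest-prefix match for dst.

    If `via` is given, only routes that leave through that interface are
    considered; this is how the example models a reply that must go back
    out the interface the request arrived on (an assumption, see lead-in).
    """
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes
                  if dst in r.prefix and (via is None or r.interface == via)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)

def reply_to_box_ping(src, ingress, ifaddr, routes=ROUTES):
    """Model the ASA answering an echo request sent to one of its own addresses.

    The echo from `src` arrived on `ingress` addressed to `ifaddr`; the reply
    is looked up constrained to `ingress`. When nothing matches, return a
    message in the shape of the 110003 syslog quoted in the thread.
    """
    route = lookup(src, routes, via=ingress)
    if route is None:
        return (f"110003 Routing failed to locate next hop for icmp "
                f"from {ingress}:{ifaddr}/0 to {ingress}:{src}/0")
    return f"reply via {route.interface}"

if __name__ == "__main__":
    # Unconstrained lookup: the poster's machine is reached via Inside.
    r = lookup("10.177.29.251")
    print(f"10.177.29.251 -> {r.interface} via {r.next_hop}")
    # Echo to the Test address from a host that the routing table puts on Inside.
    print(reply_to_box_ping("10.177.29.251", "Test", "10.177.27.240"))
    # Echo to the Test address from a host on the directly connected VLAN 27.
    print(reply_to_box_ping("10.177.27.55", "Test", "10.177.27.240"))
```

Running it shows the two cases the question describes: a host in 10.177.27.0/24 gets a reply out of Test, while 10.177.29.251 matches only the 10.177.0.0/17 route towards 10.177.8.46 on Inside, so a reply constrained to Test has no next hop and the modelled 110003 message is produced.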

DfyAnt Tue, 03/27/2007 - 21:37

I can ping from one interface to another on my firewall. I have ICMP enabled, of course.

By the way, your link is for PIX Software Versions 4.1(6) to 4.2(2).


I don't agree with you.

vitripat Wed, 03/28/2007 - 00:52

It seems that you have not at all understood what I explained, and gave your opinion anyway. First off, we were not talking about pinging the firewall's interfaces from the firewall itself. We were talking about pinging the firewall's interface from a host on a different interface. I hope you understand this now.


Next, it seems that you didn't carefully read the link posted either. Here is a line from the link:


"Components Used


The information in this document is based on PIX Software versions 4.1(6) and later."


This looks very contradictory to your statement: "By the way, your link is for PIX Software Versions 4.1(6) to 4.2(2)."


I hope you are clear on this now. Let me know if you need further clarifications.


Regards,

Vibhor.

jason.scott Wed, 03/28/2007 - 00:01

Thanks Vibhor. I started to think along these lines yesterday and came to the same conclusion. Presumably, however, if some ACLs were configured I should be able to permit some traffic between hosts on these interfaces (i.e. inside > DMZ sub-interface, or the reverse)?


It makes sense that by default the networks on the sub-interfaces are separate, just as they would be in a physical port configuration.

vitripat Wed, 03/28/2007 - 00:55

Absolutely. If you need to allow hosts on the Native interface to be able to ping hosts on the VLAN 27 interface, we can do so using static/access-lists etc.


The same link I mentioned earlier explains how to permit ICMP traffic through the PIX ("through" because the traffic passes two interfaces and logically traverses the PIX):


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0


Hope this helps.


Regards,

Vibhor.

hoogen_82 Wed, 03/28/2007 - 04:10

Hmm.. Once you have enabled same-security intra-interface traffic, do you have dynamic NAT statements already present in the config? You need a no-NAT configuration to allow access between these hosts.


-Hoogen
