ASA 5520 Sub Interface problems

jason.scott
Level 1

Hi All,

Another question :(

On an ASA 5520 I am trying to configure sub interfaces. However, once created, I am unable to ping that sub interface's address from anywhere outside of its subnet. The setup is as follows:

GIG0/0 Inside, 10.177.8.41, 255.255.255.248, Native, Security level 100

GIG0/0.27 Test, 10.177.27.240, 255.255.255.0, Vlan 27, Security level 100

GIG0/1 Outside, 1.1.1.1, 255.255.255.248, Native, Security level 0

Configured routes are:

10.177.0.0, 255.255.128.0 > 10.177.8.46

If I ping from a device within the 10.177.27.x subnet I can reach the Test sub interface. If I ping from outside of that subnet (i.e. from my machine at 10.177.29.251) I get no response. The logs on the ASA show the following:

110003 Routing failed to locate next hop for icmp from Test:10.177.27.240/0 to Test:10.177.29.251/0

On my switch which connects the ASA to the network I have the uplink configured as untagged for the 10.177.8.40 network and tagged for vlan 27 (10.177.27.0/24).

I've looked through the Cisco Press book and the online docs and followed everything mentioned. The behaviour of the failed pings is typical of devices configured without any default gateway. I would imagine the routing on the box should take care of that.

I've also tried enabling communication between interfaces with the same security level or between multiple hosts on the same interface.

Any help greatly appreciated.

9 Replies

DfyAnt
Level 1

You need to setup a trunk between the ASA and a router. Remember, the ASA is not a router and cannot route between vlans.

abinjola
Cisco Employee

don't scratch your head on this anymore... it's not ya fault

Check this bug CSCsd85281

http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl

Hrm, that sounds like it should be the cause, however we're running 7.2(10) which I believe includes the fix for this particular bug.

Having said that I would've thought the ASA would return a message stating the packet was denied because of internal policies rather than complaining of a routing issue.

vitripat (Accepted Solution)
Level 7

Hello Jason,

It seems that the issue is neither with the trunking nor with the bug mentioned previously in this post.

The ASA is behaving as it is expected to. Let me explain.

Test interface connects directly to 10.177.27.0/24 network only. Then you have the route-

10.177.0.0 255.255.128.0 --> 10.177.8.46

Now you are initiating a PING from 10.177.29.251, which as per the configuration of the ASA is on the Native interface, because the above route points to 10.177.8.46, which is part of the Native interface.

So logically, your host, which is on the Native interface, is trying to ping an altogether different interface of the ASA. This is simply not possible. The ASA does not allow pinging the far-side interface from a host on a different interface. Please refer to the following link for the same-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#pingsown

However, if your requirement is that 10.177.29.251 should be in vlan27, then we need to make configuration changes on the ASA.

Let me know if this explains the behaviour of the ASA. Hope this helps.

Regards,

Vibhor.

I can ping from one interface to another on my firewall. I have icmp enabled of course.

By the way, your link is for PIX Software Versions 4.1(6) to 4.2(2).

I don't agree with you.

It seems that you have not at all understood what I explained and gave your opinion. First off, we were not talking about pinging the firewall's interfaces from the firewall itself. We were talking about pinging a firewall interface from a host on a different interface. I hope you understand this now.

Next, it seems that you didn't carefully read the link posted either. Here is a line from the link-

"Components Used

The information in this document is based on PIX Software versions 4.1(6) and later."

This looks very contradictory to your statement- "By the way, your link is for PIX Software Versions 4.1(6) to 4.2(2)."

I hope you are clear on this now. Let me know if you need further clarifications.

Regards,

Vibhor.

Thanks Vibhor. I started to think along these lines yesterday and came to the same conclusion. Presumably, however, if some ACLs were configured I should be able to permit some traffic between hosts on these interfaces (i.e. inside > dmz sub interface or the reverse)?

It makes sense that by default the networks on the sub interfaces are separate - just as they would be in a physical port configuration.

Absolutely. If you need to allow hosts on the Native interface to be able to ping hosts on the vlan27 interface, we can do so using static/access-lists etc.

On the same link I mentioned earlier, it explains how to permit ICMP traffic through the PIX (through because the traffic is supposed to pass two interfaces and traverse logically through the PIX)-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

Hope this helps.

Regards,

Vibhor.

Hmm... Once you have enabled same-security intra-interface traffic, do you have dynamic NAT statements already present in the config? You need to do a no-nat configuration to allow access between these hosts.

-Hoogen
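
As an added illustration (not part of the thread, and not Cisco code), the following Python model encodes the interfaces, security levels and static route Jason posted and applies the two rules discussed in the replies above: vitripat's point that the ASA only answers a ping to one of its own interface addresses when the source host is reachable via that same interface (otherwise the reply has no next hop on that interface, which is exactly the 110003 message in the original log), and the follow-up that host-to-host traffic between two security-level-100 interfaces needs `same-security-traffic permit inter-interface`. The decision functions are a simplified assumption about ASA behaviour rather than its actual forwarding code, and Hoogen's NAT exemption and the access-list contents are mentioned in the result strings but not modelled.

```python
import ipaddress

# Interfaces, security levels and the static route are the ones given in the thread.
# The lookup/decision logic below is a simplified, hypothetical model of ASA
# behaviour written for this example; it is not ASA code.
INTERFACES = {
    "Inside":  (ipaddress.ip_interface("10.177.8.41/29"), 100),
    "Test":    (ipaddress.ip_interface("10.177.27.240/24"), 100),
    "Outside": (ipaddress.ip_interface("1.1.1.1/29"), 0),
}

# Routing table entries: (network, next hop or None if directly connected, egress interface)
ROUTES = [(addr.network, None, name) for name, (addr, _) in INTERFACES.items()]
ROUTES.append((ipaddress.ip_network("10.177.0.0/17"),
               ipaddress.ip_address("10.177.8.46"), "Inside"))


def lookup(dst):
    """Longest-prefix match on ROUTES. Returns (egress interface, next hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[2], best[1])


def ping_own_interface(src, target_iface):
    """A host at `src` pings the address of ASA interface `target_iface`.

    The request is delivered to the interface that owns the address and the
    echo-reply must leave that same interface.  If the route lookup for `src`
    points out a different interface, there is no next hop for the reply on
    `target_iface`, which is the situation behind the 110003 log in the thread.
    """
    own_ip = INTERFACES[target_iface][0].ip
    route = lookup(src)
    if route is None or route[0] != target_iface:
        return (False, f"110003 Routing failed to locate next hop for icmp "
                       f"from {target_iface}:{own_ip}/0 to {target_iface}:{src}/0")
    return (True, f"echo-reply from {own_ip} out {target_iface}")


def ping_through(src, dst, inter_interface_permitted=False):
    """A host at `src` pings a host at `dst` *through* the ASA.

    Ingress is the interface that routes to `src`, egress the one that routes
    to `dst`.  Same-security interfaces need `same-security-traffic permit
    inter-interface`; lower-to-higher needs an access-list.  NAT / nat 0
    exemption (Hoogen's point) and ACL contents are outside this model.
    """
    in_route, out_route = lookup(src), lookup(dst)
    if in_route is None or out_route is None:
        return (False, "no route for source or destination")
    ingress, egress = in_route[0], out_route[0]
    if ingress == egress:
        return (False, f"{ingress}->{egress}: hairpin, needs same-security-traffic permit intra-interface")
    sec_in, sec_out = INTERFACES[ingress][1], INTERFACES[egress][1]
    if sec_in == sec_out and not inter_interface_permitted:
        return (False, f"{ingress}->{egress}: same security level, inter-interface traffic not permitted")
    if sec_in < sec_out:
        return (False, f"{ingress}->{egress}: lower to higher security, needs an access-list")
    return (True, f"{ingress}->{egress}: forwarded (subject to access-list and NAT)")


if __name__ == "__main__":
    # The two cases from the original post: a host inside vlan27 and Jason's machine.
    for src in ("10.177.27.50", "10.177.29.251"):
        print(f"{src} -> Test interface: {ping_own_interface(src, 'Test')}")
    # Jason's follow-up: host on Inside to host on Test, before and after permitting same-security traffic.
    print(ping_through("10.177.29.251", "10.177.27.50"))
    print(ping_through("10.177.29.251", "10.177.27.50", inter_interface_permitted=True))
```

Running it prints a successful reply for the vlan27 host and the same 110003 text the ASA logged for 10.177.29.251, because that address matches only the 10.177.0.0/17 static route and is therefore an Inside-side host as far as the ASA is concerned.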
