03-27-2007 05:27 AM - edited 03-11-2019 02:52 AM
Hi All,
Another question :(
On an ASA 5520 I am trying to configure sub interfaces. However, once one was created I am unable to ping that sub interface's address from anywhere outside of its subnet. The setup is as follows:
GIG0/0 Inside, 10.177.8.41, 255.255.255.248, Native, Security level 100
GIG0/0.27 Test, 10.177.27.240, 255.255.255.0, Vlan 27, Security level 100
GIG0/1 Outside, 1.1.1.1, 255.255.255.248, Native, Security level 0
Configured routes are:
10.177.0.0, 255.255.128.0 > 10.177.8.46
If I ping from a device within the 10.177.27.x subnet I can reach the Test subinterface. If I ping from outside of that subnet (ie from my machine of 10.177.29.251) I get no response. The logs on the ASA show the following:
110003 Routing failed to locate next hop for icmp from Test:10.177.27.240/0 to Test:10.177.29.251/0
On my switch which connects the ASA to the network I have the uplink configured as untagged for the 10.177.8.40 network and tagged for vlan 27 (10.177.27.0/24).
I've looked through the Cisco Press book and the online docs and followed everything mentioned. The behaviour of the failed pings is typical of devices configured without any default gateway. I would imagine the routing on the box should take care of that.
I've also tried enabling communication between interfaces with the same security level or between multiple hosts on the same interface.
Any help greatly appreciated.
03-27-2007 06:43 PM
Hello Jason,
It seems that the issue is neither with the trunking, nor with the bug mentioned previously on this post.
ASA is behaving as it is expected to. Let me explain.
Test interface connects directly to 10.177.27.0/24 network only. Then you have the route-
10.177.0.0 255.255.128.0 --> 10.177.8.46
Now you are initiating PING from 10.177.29.251, which as per the configuration of ASA is on the Native interface, because the above route points to 10.177.8.46, which is part of the Native interface.
So logically, your host which is on the Native interface is trying to ping an altogether different interface of the ASA. This is simply not possible. The ASA does not allow pinging the far-side interface from a host on a different interface. Please refer to the following link for the same-
However, if your requirement is that 10.177.29.251 should be in vlan27, then we need to make configuration changes on the ASA.
Let me know if this explains the behaviour of the ASA. Hope this helps.
Regards,
Vibhor.
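To make the route-lookup reasoning in the answer above concrete, here is a small added example (not from the original thread or from Cisco) that models the poster's routing table: the three connected routes derived from the interface addresses, plus the single static route 10.177.0.0/17 via 10.177.8.46. It performs a longest-prefix-match lookup and then asks the question the ASA effectively asks when it answers a ping to its own interface: does the route back to the source select the same interface the request arrived on? For 10.177.29.251 arriving on Test the answer is no, which is the mismatch behind the 110003 message. The interface names and the assumption that the reply must leave via the ingress interface are taken from the thread; the function names are mine.

```python
import ipaddress

# Constructed routing table modelled on the thread's ASA 5520.
# (interface name, prefix, next hop; None means directly connected)
ROUTES = [
    ("Inside",  "10.177.8.40/29", None),          # GIG0/0   10.177.8.41/29
    ("Test",    "10.177.27.0/24", None),          # GIG0/0.27 10.177.27.240/24 (vlan 27)
    ("Outside", "1.1.1.0/29",     None),          # GIG0/1   1.1.1.1/29
    ("Inside",  "10.177.0.0/17",  "10.177.8.46"), # static route from the post
]


def lookup(dst: str):
    """Longest-prefix-match route lookup.

    Returns (egress interface, next hop) for `dst`, or None when no route
    covers the address. Connected routes win over the /17 static route
    because they are more specific.
    """
    addr = ipaddress.ip_address(dst)
    best = None  # (iface, network, next_hop) of the most specific match so far
    for iface, prefix, next_hop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, next_hop)
    if best is None:
        return None
    return best[0], best[2]


def reply_is_symmetric(src: str, ingress_iface: str) -> bool:
    """An echo request from `src` arrived on `ingress_iface`.

    The firewall answers a ping to its own interface address out of the
    interface the request came in on. If the route back to `src` selects
    a different interface, there is no usable next hop on `ingress_iface`
    and the reply cannot be routed, which is the condition the thread's
    "Routing failed to locate next hop" log reports.
    """
    route = lookup(src)
    return route is not None and route[0] == ingress_iface


if __name__ == "__main__":
    # Host in vlan 27 pinging the Test interface: route and ingress agree.
    print("10.177.27.5  via", lookup("10.177.27.5"),
          "symmetric:", reply_is_symmetric("10.177.27.5", "Test"))
    # The poster's workstation: arrives on Test, but routes back via Inside.
    print("10.177.29.251 via", lookup("10.177.29.251"),
          "symmetric:", reply_is_symmetric("10.177.29.251", "Test"))
```

Run it as a script to see the two cases side by side; the second line is the poster's failing ping, and adding a more specific route for 10.177.29.0/24 out of Test would be the kind of change that makes `reply_is_symmetric` true.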
03-27-2007 06:34 AM
You need to setup a trunk between the ASA and a router. Remember, the ASA is not a router and cannot route between vlans.
03-27-2007 06:15 PM
Don't scratch your head on this anymore... it's not ya fault.
Check this bug CSCsd85281
03-28-2007 12:04 AM
Hrm, that sounds like it should be the cause, however we're running 7.2(10) which I believe includes the fix for this particular bug.
Having said that I would've thought the ASA would return a message stating the packet was denied because of internal policies rather than complaining of a routing issue.
03-27-2007 09:37 PM
I can ping from one interface to another on my firewall. I have icmp enabled of course.
By the way, your link is for PIX Software Versions 4.1(6) to 4.2(2).
I don't agree with you.
03-28-2007 12:52 AM
It seems that you have not at all understood what I explained and gave your opinion. First off, we were not talking about pinging the firewall's interfaces from the firewall itself. We were talking about pinging the firewall's interface from a host on a different interface. I hope you understand this now.
Next, it seems that you didn't carefully read the link posted either. Here is a line from the link-
"Components Used
The information in this document is based on PIX Software versions 4.1(6) and later."
This looks very contradictory to your statement- "By the way, your link is for PIX Software Versions 4.1(6) to 4.2(2)."
I hope you are clear on this now. Let me know if you need further clarifications.
Regards,
Vibhor.
03-28-2007 12:01 AM
Thanks Vibhor. I started to think along these lines yesterday and came to the same conclusion. Presumably however if some ACLs were configured I should be able to permit some traffic between hosts on these interfaces (ie inside > dmz sub interface or reverse)?
It makes sense that by default the networks on the sub interfaces are separate - just as they would be in a physical port configuration.
03-28-2007 12:55 AM
Absolutely. If you need to allow hosts on Native interface to be able to ping hosts on the vlan27 interface, we can do so using static/access-lists etc.
The same link I mentioned earlier explains how to permit ICMP traffic through (through because the traffic is supposed to enter one interface and exit another, logically traversing the PIX) the PIX-
Hope this helps.
Regards,
Vibhor.
03-28-2007 04:10 AM
Hmm.. Once you have enabled same-security intra-interface traffic, do you have dynamic nat statements already present in the config? You need a "no nat" configuration to allow access between these hosts.
-Hoogen