ASA5505 routing issue between vlans on 802.1q trunk

Unanswered Question
Apr 3rd, 2007
User Badges:

We are setting up an ASA5505 with security plus licensing to provide trunking to a catalyst 2950-12 switch. We got the trunking up and working, which passes two vlans, but we cannot get routing to work between the vlans. We have enabled same-security-traff permit inter and intra commands and still no worky.


I found that extended pings, sourcing from the data siv interface to the ip address on the voice svi don't work. I've also made certain that the security level of the two svi's are the same (100). Below are excerpts of the relevant configuration components. Point of comment to add is that there are no interfaces on the ASA in the two vlans other than the trunk port.


int vlan 10

des inside voice

nameif voice

security-level 100

ip address 10.1.1.1 255.255.255.0

int vlan 20

des inside data

nameif data

security-level 100

ip address 10.2.1.1 255.255.255.0


interface Eth0/3

switchport trunk allowed vlan 164-165

switchport mode trunk

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface


Pings from a device on the data vlan (10.2.1.2) on the 2950 switch can ping the data vlan gateway address (asa data svi ip 10.2.1.1), and likewise a device on the voice vlan (10.1.1.2) can ping the voice gateway address (asa svi ip 10.1.1.1)


I've already read this document, to no avail:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f89.html#wp1057200



Thanks,


-Scott


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
swharvey Tue, 04/03/2007 - 17:52
User Badges:

Correction to the allowed vlans on the trunk which is working, they correctly are set to allow vlans 10 and 20 only.


-Scott

David White Tue, 04/03/2007 - 20:07
User Badges:
  • Cisco Employee,

Hi Scott,


Have a look at the syslogs. They should point you to the issue.


Did you apply an ACL to the interface to permit the transit traffic?


Sincerely,


David.

swharvey Wed, 04/04/2007 - 07:59
User Badges:

Hi David,


Sorry to say, but there are no syslogs setup, so that will not be much help. I am consoled onto the ASA5505 and am looking at the logs on the box though, and they are of no help.


I have enabled a permit ip any any and applied it to both the data and voice vlans, and both inbound and outbound. Still no help.


I've event ran a capture command on the voice and data interfaces, and I see the dot1.q statements, but no icmp echo's or echo replies.


I'm open to any other suggestions.


-Scott


David White Wed, 04/04/2007 - 17:14
User Badges:
  • Cisco Employee,

Hi Scott,


Can you paste in the full 5505 config.


Also, enable "debug icmp trace" and then do your ping that is faling.


Also, get the output of "show asp drop" both before the ping and after you test the ping, and send that in.


Finally, verify the src and dst IP that is being used in the ping.


Thanks,


David.

swharvey Wed, 04/04/2007 - 17:55
User Badges:

Hi David,


Attached is the config, and the ping tests with the icmp debugs on and show asp drops. Note that the devices on the outside interface in vlan2 are currently not connected to the device (ospf and other traffic were incrementing the asp drops). The source PC's for the tests are:

Voice Test PC: 10.1.64.0/24 GW: 10.1.64.1

Data Test PC: 10.1.65.20/25 GW: 10.1.65.1


One other point to note is that the only active port in the ASA5505 is Eth0/3, the trunk port, and a "show int" shows int vlan 164 and vlan 165 as up/up. Int vlan 2 shows as down/down (as it should).


Thanks,


-Scott






jgervia_2 Wed, 04/04/2007 - 19:04
User Badges:
  • Bronze, 100 points or more

Hello,


You're probably running into the old ' you can't transit the firewall and ping an interface' issue:


ie: you can't come from the outside and ping the inside interface IP address, or come from the inside and ping the outside IP address. I'd imagine it's the same thing with vlan interfaces (you can't come from one vlan and ping the firewall interface on another vlan) - you'll need to have another device out there if you truly want to test.


--Jason



swharvey Wed, 04/04/2007 - 21:56
User Badges:

Hi Jason,


I hear you and agree, but only to a point. Yes I concur and have seen the very thing you state on our enterprise asa5540' with the ping through but not to the other side of the ASA. But your example does not apply to my situation for the following reasons:


1) I am not pinging from outside to inside, but rather between two inside interface vlans that both have the same security (100) values.


2) Although not shown in my tests I submitted (I had to run before I could show those examples), I have also attempted pings from a 10.1.64.20 device on the voice vlan to a 10.1.65.20 device on the data vlan and get the same failing results.


The "same-security-traffic permit inter-interface" or "intra-interface" commands should allow pings to work for devices connected across the same security level zones (inter), or across the same physical interface (intra) as is the case with the trunked port e0/3.


I appeal to your intellects to look past the initial results and you will see that there is something else that is causing this problem that we are all overlooking.


In essence I am trying to implement a simple, "router on a stick," with the ASA being the router piece.


The switch config is correct, or else I would not be able to ping the data or voice vlan gateway addy's on the ASA from the devices on subnet but in separate vlans on the 2950-12 switch.


My gut instinct is telling me there is an 802.1q encapsulation issue possiblly between vlans on the asa. Any idea how to debug 802.1q on the ASA? Or how to confirm the trunk establishment on the ASA? (2950 IOS command is show trunk interfaces)


Understandably it could be something else entirely.


Please re-review the configuration consider these points about failed pings between devices connected in the separate vlans.


Thanks,


-Scott


David White Wed, 04/04/2007 - 19:41
User Badges:
  • Cisco Employee,

Hi Scott,


Jason's correct. Tests 2 and 3 are invalid - and that is why they are failing. On the ASA, an external host will only be able to ping the closest interface on the ASA.


To validate your config (which is perfectly fine) ping from host 10.1.64.20 to 10.1.65.20 that should work just fine, and show you that the pings are making it through the ASA.


Sincerely,


David.

swharvey Wed, 04/04/2007 - 22:00
User Badges:

Hi David,


Please see my previous posting repsonse to Jason that confirms that pings from a host 10.1.64.20 on the voice vlan fail to ping a host 10.1.65.20 on the data vlan. Please review that thread so we can keep one thread going.


Thx,


-Scott

David White Thu, 04/05/2007 - 07:24
User Badges:
  • Cisco Employee,

Hi Scott,


You are right, something very basic here is not working :-) Unfortunately, we can't see what that is. Therefore, please do the following:


Log onto the ASA via console (or telnet/ssh). Issue:

logging console debug (if logged into console)

logging monitor debug (if logged into telnet/ssh)

logging on

debug icmp trace

terminal monitor

show switch vlan

show switch mac

show interface


Next, get on PC 10.1.64.20 and ping 10.1.65.20


Then, issue another "show interface" and send in all the output.


Thanks,


David.

JOHN SHOEMAKER Wed, 04/30/2008 - 10:05
User Badges:

Hi guys,


I ran into something similar recently. I'm in a hurry to visit a customer now, but I'll post some docs for this later. I found some documentation regarding non-tagged native vlan support on an ASA5505, and likewise, how a 2960 cannot support tagged native vlan. I haven't been able to create a trunk that truly works between the two. The ASA5510 and up have the native vlan command and support non-tagged.


I'm open to anyone who can show it is possible, but I haven't gotten this to work.


There's another thread on this forum discussing the same issue, as well. I'll track it down and post later.

mdaaxcess Thu, 04/05/2007 - 08:29
User Badges:

Hi there,


we'r running a setup like you. Have 6 subinterfaces/vlans all running the same sec.level and it works just fine.


The thing you need to remember is that all the security control is now done by your ACL's only but you still have to NAT between that subinterfaces or do a NAT 0 like we do. We dont want to do NAT between all our subinterfaces s? we have a long NAT 0 ACL on all our subinterfaces.


Works just fine


Martin

Denmark

swharvey Thu, 04/05/2007 - 08:54
User Badges:

Thanks Martin that is good information to know. One important point though, on the ASA5505's you don't use sub interfaces, but rather interface vlans, because unlike all the other model ASA's, the 5505 has switchports. I'm guessing your method of nonatting between interface vlans should work the same way as your configuration with sub interfaces.


I'll give it a try and let you know what I find.


Thanks,


-Scott

Actions

This Discussion