Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
220
Views
0
Helpful
1
Replies

ASA5520 / VLAN / IP Address issue

fatalerror
Level 1
Level 1

‎08-20-2007 01:32 PM - edited ‎03-09-2019 06:39 PM

I ran into a strange problem moving a server from a PIX I was retiring to my ASA.

I currently have 4 untagged VLANs on a Dell 5324 Switch. The Cisco ASA is using 3 interfaces (Outside, DMZ, Inside). The Outside interface of the ASA is on a VLAN with the outside interface of my Pix 505 as well as my internet access from my ISP. The Inside interfaces for both the PIX and ASA are on their own VLANs. The DMZ is on its own VLAN.

I changed the IP address of the server from the inside PIX subnet to an address on my ASA DMZ subnet. I moved the cable from a port on the inside PIX subnet to the DMZ subnet. I removed the PIX from the environment. I cleared the arp cache from the 5324 and on the ASA.

When I plugged the server into the new switch port, all traffic on the VLAN stopped. I thought it was a loop/STP issue, ip conflict, or arp cache issue. I did not get any ip dupe errors on any device or the server. I changed it anways. Once I did this and plugged the server back into the DMZ VLAN traffic to/from server at this point worked. I then created the following NAT rule on the ASA:

static (DMZ,Outside) XX.XX.XX.61 10.112.216.61 netmask 255.255.255.255

As soon as I enter this command, I no longer can route to the internet and vice versa.

I go back and remove the command and place the NAT on a different server using the same address and it translates fine.

I attempted to configure an open interface on the ASA with just the server and still have issues when configuring NAT. I also attempted to swap NICs on the server but that didnt work.

I think it may be my ISP at this point and they need to clear their switch's arp cache.

Labels:
0 Helpful
1 Reply 1

irisrios
Level 6
Level 6

‎08-24-2007 01:24 PM

Yes I think, the problem is that the ASA does not support STP, this feature is only available for switches. So, basically these loops are expected because the STP will not complete having the ASA in there.

http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/5500gsg.html

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents