ASA 5505 Trunk / intervlan routing issue

Unanswered Question
Feb 5th, 2010

Hi there

For one of my clients I need to set up a network VLAN configuration which consists of an ASA 5505 (Security Plus license) and a Cisco Catalyst 2960.

I have already set up one of the ports of my ASA as a trunk and did the same for my Catalyst. Now here is my problem: somehow I don't have inter-VLAN connectivity. I cannot ping a host in VLAN 10 from VLAN 1 or vice versa. From the console of my switch and ASA, however, I can ping both my hosts in VLAN 10 and VLAN 1. (I left out what's not important concerning the trunk setup.) For now I only placed one switch port in VLAN 10; all other ports, except for the trunk port and the VLAN 10 switch port, are members of native VLAN 1.

I think I'm close but something must be missing in my config. Any help is greatly appreciated. Here's my current setup.

ASA 5505:

ASA Version 7.2(4)
!

interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.248 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.248
!
interface Vlan3
shutdown
nameif dmz
security-level 50
ip address 192.168.25.254 255.255.255.0
management-only
!
interface Vlan10
nameif voip
security-level 100
ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,10
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone BOT -4
dns server-group DefaultDNS
domain-name yrausquin.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_out extended permit gre any interface outside
access-list acl_out extended permit tcp any interface outside eq pptp
access-list acl_out extended permit tcp any interface outside eq https
access-list acl_out extended permit tcp any interface outside eq www
access-list acl_out extended permit tcp any interface outside eq smtp
access-list acl_out extended permit tcp any interface outside eq 995
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu voip 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
nat (voip) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.100.6 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.6 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.100.6 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.100.4 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 995 192.168.100.6 995 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 201.229.36.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.100.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 15
!
console timeout 0

username itzupport password PkYOuWGiZUe1KFVX encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:80f67be57b3b5dd872601a654635365b
: end
[OK]

SWITCH 2960:

version 12.2
!
!
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1
!
vlan internal allocation policy ascending
vlan 10
name voip
!
!
interface GigabitEthernet0/12
description Port configured as trunk
switchport trunk allowed vlan 1,10
switchport mode trunk
carrier-delay msec 0
speed 100
duplex full

interface Vlan1
ip address 192.168.100.251 255.255.255.0
no ip route-cache
!
interface Vlan10
ip address 10.10.10.253 255.255.255.0
no ip route-cache
!

end

Reza Sharifi Fri, 02/05/2010 - 15:27

Hello Edwin,

Did you configure the correct gateway on the PC?

You need a default route on your 2960 to point to the interface of the firewall.

ip route 0.0.0.0 0.0.0.0 192.168.100.248

HTH

Reza

ciscoitzupport Fri, 02/05/2010 - 15:40

Dear Reza,

Could it be that simple? I will give it a try. Unfortunately I remotely disabled the NIC which was in VLAN 10 when I changed the IP settings back to VLAN 1, so that will have to wait until Monday.

Thanks for now

Reza Sharifi Fri, 02/05/2010 - 15:50

Hello Edwin,

If everything works on Monday, I would suggest you change VLAN 1 to some other VLAN, e.g. 100 or 200. VLAN 1 is usually used for control traffic (LACP, PAgP, VTP, CDP, etc.) and should not be used for user traffic. Once you change VLAN 1 to some other VLAN, then shut down VLAN 1 completely.

HTH

Reza

ciscoitzupport Fri, 02/05/2010 - 15:53

I read about it and was already considering changing this. However, I wanted to make sure I did not overlook something first. If I change this I of course have to place all switch ports in, let's say, VLAN 100, right?

Reza Sharifi Fri, 02/05/2010 - 18:12

Yes, that is correct. If this is a production environment, it is best to do any changes during an outage window.

ciscoitzupport Sat, 02/06/2010 - 08:28

Reza,

I did some research in a lab scenario and used a router-on-a-stick configuration instead of an ASA 5505 for my inter-VLAN routing.

The configuration was pretty straightforward (see below). I added PC01 in VLAN 100 (IP address 192.168.100.10/24, gateway 192.168.100.254) and PC02 in VLAN 200 (IP address 192.168.200.10/24, gateway 192.168.200.254). Then I tried to ping host PC02 on VLAN 200 from PC01, and no problem (the other way around also worked like a charm).

What I want to know is this: why does my 2960 switch in the real world need an additional default route pointing to the interface of the firewall (as you suggested), but is this not necessary with the router-on-a-stick configuration? I can't figure this out. Enlighten me.

Cisco 2620 Router

Reza Sharifi Sat, 02/06/2010 - 17:29

Hi Edwin,

The 2960 is a layer-2 switch. I know you have multiple SVIs configured on this box, but the 2960 cannot route. So, in order to get to other subnets, you will need a default gateway pointing to the firewall. I think in my previous post I wrote default route, which is not correct. Only one management SVI should be configured on it so you can telnet to the device; other than this it is only a layer-2 box.

HTH

Reza

ciscoitzupport Mon, 02/08/2010 - 11:55

Okay Reza,

Small update.

I added a default gateway to my 2960 switch configuration:

ip default-gateway 192.168.100.248

Unfortunately no luck. I can see my trunk is up:

show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/12      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/12      1-10

Port        Vlans allowed and active in management domain
Gi0/12      1,10

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/12      1,10

I can ping from my switch console to the VLAN 10 PC host (10.10.10.237, gateway 10.10.10.254):

ping 10.10.10.237

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.237, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

As soon as I try this from a host in VLAN 1 (for example host 192.168.100.5, gateway 192.168.100.248) I get no response:

C:\>ping 10.10.10.237

Pinging 10.10.10.237 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.

Routing table on this PC:

IPv4 Route Table

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1d 09 69 45 b9 ...... Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)

Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0  192.168.100.248    192.168.100.5      10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    192.168.100.0    255.255.255.0    192.168.100.5    192.168.100.5      10
    192.168.100.5  255.255.255.255        127.0.0.1        127.0.0.1      10
  192.168.100.255  255.255.255.255    192.168.100.5    192.168.100.5      10
        224.0.0.0        240.0.0.0    192.168.100.5    192.168.100.5      10
  255.255.255.255  255.255.255.255    192.168.100.5    192.168.100.5       1
Default Gateway:     192.168.100.248

I don't think an access list on my firewall is really necessary, since I can ping from my switch console to the VLAN 10 gateway interface on my ASA (10.10.10.254). Furthermore, I think the command same-security-traffic permit inter-interface would make an access list redundant? I'm really stuck here. Funny thing is, a router-on-a-stick config works right away. If you need any additional info concerning my license, IOS version etc., please let me know. I can use all the help I can get.

end

sidcracker Mon, 02/22/2010 - 06:21

Hi,

Can anyone help find a resolution to this post? I would just like to know what the cause of this problem is and update my knowledge. I have tried to understand this scenario but can't get an answer.

Thanks

ciscoitzupport Mon, 02/22/2010 - 06:28

Sidkracker,

I still don't have a solution. As soon as I find one I'll update my case.

end

Jerry Ye Mon, 02/22/2010 - 08:17

Do you have logging enabled? If not, can you do the following and post the output of the log for the ping test? I would like to see what is causing it.

conf t

logging enable
logging timestamp
logging buffer-size 8192
logging buffered informational

exit

wri

clear logging buffer

Start your ping from VLAN1 to VLAN10, and post the log.

Regards,

jerry

ciscoitzupport Mon, 02/22/2010 - 13:02

Okay Jerry

I enabled logging on both the switch and the ASA (both at debugging level).

Syslog entries for the switch don't give much info, but for the ASA, as I start pinging a host in VLAN 10 (IP address 10.10.10.139) from a host in VLAN 100 (IP address 192.168.100.5), the following is logged:

02-22-2010 16:24:02 Local4.Debug 192.168.100.248 Feb 22 2010 08:54:08: %ASA-7-609002: Teardown local-host voip:10.10.10.139 duration 0:00:00

02-22-2010 16:24:02 Local4.Error 192.168.100.248 Feb 22 2010 08:54:08: %ASA-3-305005: No translation group found for icmp src inside:192.168.100.5 dst voip:10.10.10.139 (type 8, code 0)

02-22-2010 16:24:02 Local4.Debug 192.168.100.248 Feb 22 2010 08:54:08: %ASA-7-609001: Built local-host voip:10.10.10.139

02-22-2010 16:23:56 Local4.Debug 192.168.100.248 Feb 22 2010 08:54:03: %ASA-7-609002: Teardown local-host voip:10.10.10.139 duration 0:00:00

02-22-2010 16:23:56 Local4.Error 192.168.100.248 Feb 22 2010 08:54:03: %ASA-3-305005: No translation group found for icmp src inside:192.168.100.5 dst voip:10.10.10.139 (type 8, code 0)

02-22-2010 16:23:56 Local4.Debug 192.168.100.248 Feb 22 2010 08:54:03: %ASA-7-609001: Built local-host voip:10.10.10.139

02-22-2010 16:23:51 Local4.Debug 192.168.100.248 Feb 22 2010 08:53:58: %ASA-7-609002: Teardown local-host NP Identity Ifc:10.10.10.254 duration 0:00:02

02-22-2010 16:23:51 Local4.Info 192.168.100.248 Feb 22 2010 08:53:58: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.100.5/512 gaddr 10.10.10.254/0 laddr 10.10.10.254/0

02-22-2010 16:23:49 Local4.Info 192.168.100.248 Feb 22 2010 08:53:55: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.100.5/512 gaddr 10.10.10.254/0 laddr 10.10.10.254/0

02-22-2010 16:23:49 Local4.Debug 192.168.100.248 Feb 22 2010 08:53:55: %ASA-7-609001: Built local-host NP Identity Ifc:10.10.10.254

02-22-2010 16:23:45 Local4.Debug 192.168.100.248 Feb 22 2010 08:53:52: %ASA-7-609002: Teardown local-host NP Identity Ifc:10.10.10.254 duration 0:00:02

02-22-2010 16:23:45 Local4.Info 192.168.100.248 Feb 22 2010 08:53:52: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.100.5/512 gaddr 10.10.10.254/0 laddr 10.10.10.254/0

02-22-2010 16:23:43 Local4.Info 192.168.100.248 Feb 22 2010 08:53:50: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.100.5/512 gaddr 10.10.10.254/0 laddr 10.10.10.254/0

02-22-2010 16:23:43 Local4.Debug 192.168.100.248 Feb 22 2010 08:53:50: %ASA-7-609001: Built local-host NP Identity Ifc:10.10.10.254

02-22-2010 16:23:40 Local4.Debug 192.168.100.248 Feb 22 2010 08:53:47: %ASA-7-609002: Teardown local-host NP Identity Ifc:10.10.10.254 duration 0:00:02

02-22-2010 16:23:40 Local4.Info 192.168.100.248 Feb 22 2010 08:53:47: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.100.5/512 gaddr 10.10.10.254/0 laddr 10.10.10.254/0

ciscoitzupport Mon, 02/22/2010 - 13:14

I mentioned VLAN 100 a few times... that should be VLAN 1 (native VLAN), of course.

AxiomConsulting Mon, 02/22/2010 - 08:25

Edwin,

Can you try changing the native VLAN on the trunk configuration:

switchport trunk native vlan

This will ensure that frames are tagged correctly as they pass through the trunk.

Steve


ciscoitzupport Mon, 02/22/2010 - 10:33

AxiomConsulting,

My native VLAN is still 100. If I change this now into, for example, 200, my running network goes down, right?

I can do this but only after closing hours

Jerry,

Do you mean I should enable logging on my switch or on the ASA? Let me know so I can send you some data.

end

Jerry Ye Mon, 02/22/2010 - 10:34

Yes, enable logging and let's see what errors or syslog messages appear when you start your ping.

Regards,

jerry

Jerry Ye Mon, 02/22/2010 - 13:19

Hi Edwin,

First, I am not sure why NetPro is not updating the message. Here is what I got in my email:

02-22-2010      16:24:02        Local4.Debug    192.168.100.248 Feb 22 2010 08:54:08: %ASA-7-609001: Built local-host voip:10.10.10.139

02-22-2010      16:23:56        Local4.Debug    192.168.100.248 Feb 22 2010 08:54:03: %ASA-7-609002: Teardown local-host voip:10.10.10.139 duration 0:00:00

02-22-2010      16:23:56        Local4.Error    192.168.100.248 Feb 22 2010 08:54:03: %ASA-3-305005: No translation group found for icmp src inside:192.168.100.5 dst voip:10.10.10.139 (type 8, code 0)


The ASA is trying to NAT and it is missing a NAT statement between inside and voip. You can create a nat (0) or static rule to bypass NAT for traffic between these two interfaces. For static, you can do the following:

static (inside,voip) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 0 0
static (voip,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0

HTH,
jerry
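
As an added example (not part of the thread and not Cisco's code), here is a small Python triage script for the %ASA-3-305005 pattern Jerry points at: it pulls every "No translation group found" event out of ASA syslog text, counts them per (source interface, destination interface) pair, and prints the identity-static pair in the 7.x syntax above for each pair. The sample log is constructed to mirror the posted format (with one extra TCP line to show the ported variant), and the interface-to-subnet map is an assumption taken from the posted config.

```python
import re
from collections import Counter

# Constructed sample in the format of the posted syslog output (collector
# timestamp, facility/severity, ASA address, then the ASA message). Not the
# thread's original log; the TCP line is added to show the non-ICMP form.
SAMPLE_LOG = """\
02-22-2010 16:24:02 Local4.Debug 192.168.100.248 Feb 22 2010 08:54:08: %ASA-7-609001: Built local-host voip:10.10.10.139
02-22-2010 16:24:02 Local4.Error 192.168.100.248 Feb 22 2010 08:54:08: %ASA-3-305005: No translation group found for icmp src inside:192.168.100.5 dst voip:10.10.10.139 (type 8, code 0)
02-22-2010 16:23:56 Local4.Error 192.168.100.248 Feb 22 2010 08:54:03: %ASA-3-305005: No translation group found for icmp src inside:192.168.100.5 dst voip:10.10.10.139 (type 8, code 0)
02-22-2010 16:23:50 Local4.Error 192.168.100.248 Feb 22 2010 08:53:50: %ASA-3-305005: No translation group found for tcp src inside:192.168.100.5/50123 dst voip:10.10.10.139/5060
02-22-2010 16:23:49 Local4.Info 192.168.100.248 Feb 22 2010 08:53:55: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.100.5/512 gaddr 10.10.10.254/0 laddr 10.10.10.254/0
"""

# Assumed interface -> (network, mask) map, taken from the posted config.
SUBNETS = {
    "inside": ("192.168.100.0", "255.255.255.0"),
    "voip": ("10.10.10.0", "255.255.255.0"),
}

# 305005 carries "proto src ifc:ip[/port] dst ifc:ip[/port]"; ICMP has no port.
NO_XLATE = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<sifc>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<difc>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?"
)


def parse_no_xlate(log_text):
    """Return (proto, src_ifc, src_ip, dst_ifc, dst_ip) for every 305005 line."""
    events = []
    for line in log_text.splitlines():
        m = NO_XLATE.search(line)
        if m:
            events.append((m["proto"], m["sifc"], m["src"], m["difc"], m["dst"]))
    return events


def pairs_missing_nat(events):
    """Count untranslated flows per (src_ifc, dst_ifc) interface pair."""
    return Counter((src_ifc, dst_ifc) for _, src_ifc, _, dst_ifc, _ in events)


def identity_static(src_ifc, dst_ifc, subnets):
    """ASA 7.x identity statics for both directions: each network is mapped
    to itself across the pair, so the flow no longer needs a 'global' on the
    egress interface. Returns the two config lines."""
    src_net, src_mask = subnets[src_ifc]
    dst_net, dst_mask = subnets[dst_ifc]
    return [
        f"static ({src_ifc},{dst_ifc}) {src_net} {src_net} netmask {src_mask}",
        f"static ({dst_ifc},{src_ifc}) {dst_net} {dst_net} netmask {dst_mask}",
    ]


def report(log_text, subnets):
    """Map each offending interface pair to its event count and suggested fix."""
    out = {}
    for (src_ifc, dst_ifc), n in pairs_missing_nat(parse_no_xlate(log_text)).items():
        out[(src_ifc, dst_ifc)] = {"count": n, "fix": identity_static(src_ifc, dst_ifc, subnets)}
    return out


if __name__ == "__main__":
    for (src_ifc, dst_ifc), r in report(SAMPLE_LOG, SUBNETS).items():
        print(f"{r['count']} untranslated flow(s) {src_ifc} -> {dst_ifc}; suggested exemption:")
        for line in r["fix"]:
            print("  " + line)
```

Feed it the output of `show logging` or the syslog collector's file; the identity statics it prints are the same two lines Jerry gives above, and they are only a suggestion until the subnet map matches the interfaces on the box.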
ciscoitzupport Mon, 02/22/2010 - 13:52

I guess it will take some time before the thread is updated. Okay, I added both static rules on my ASA and watched the syslog results carefully. No more translation errors, but the ping still gives me a request timed out (from host 192.168.100.5).

As a matter of fact, I don't see any entries in my syslog at all that relate to my host 192.168.100.5. Perhaps I should change my logging trap level?

Jerry Ye Mon, 02/22/2010 - 14:23

How do you update your post? Via email? I am doing it via the website and the updates are working fine.

Hm... interesting. Can you do a clear xlate and try again? I don't think you need to change the logging level; informational is good enough. Can you post the show xlate and show run? Just want to double check.

Regards,

jerry

ciscoitzupport Tue, 02/23/2010 - 05:27

Jerry,

Here we go! Ran a clear xlate. Results of show xlate displayed below:

sho xlate
16 in use, 156 most used
Global 192.168.100.0 Local 192.168.100.0
PAT Global 201.229.x.x(443) Local 192.168.100.6(443)
PAT Global 201.229.x.x(80) Local 192.168.100.6(80)
PAT Global 201.229.x.x(25) Local 192.168.100.6(25)
PAT Global 201.229.x.x(1723) Local 192.168.100.4(1723)
PAT Global 201.229.x.x(995) Local 192.168.100.6(995)
Global 10.10.10.0 Local 10.10.10.0
PAT Global 201.229.x.x(56115) Local 192.168.100.123(1560)
PAT Global 201.229.x.x(56090) Local 192.168.100.123(1559)
PAT Global 201.229.x.x(56089) Local 192.168.100.123(1558)
PAT Global 201.229.x.x(56088) Local 192.168.100.123(1557)
PAT Global 201.229.x.x(56085) Local 192.168.100.123(1555)
PAT Global 201.229.x.x(4) Local 192.168.100.4(1723)
PAT Global 201.229.x.x(3) Local 192.168.100.4(13282)
PAT Global 201.229.x.x(56106) Local 192.168.100.8(4647)
PAT Global 201.229.x.x(56092) Local 192.168.100.8(4633)

sho ru

ASA Version 7.2(4)
!
hostname fw-yrausquin
domain-name yrausquin.local
enable password j9QuOQhd05AWLf8v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.248 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 201.229.36.18 255.255.255.248
!
interface Vlan3
shutdown
nameif dmz
security-level 50
ip address 192.168.25.254 255.255.255.0
management-only
!
interface Vlan10
nameif voip
security-level 100
ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,10
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone BOT -4
dns server-group DefaultDNS
domain-name yrausquin.local
same-security-traffic permit inter-interface
access-list acl_out extended permit gre any interface outside
access-list acl_out extended permit tcp any interface outside eq pptp
access-list acl_out extended permit tcp any interface outside eq https
access-list acl_out extended permit tcp any interface outside eq www
access-list acl_out extended permit tcp any interface outside eq smtp
access-list acl_out extended permit tcp any interface outside eq 995
access-list acl_in extended deny tcp any any eq 135
access-list acl_in extended deny udp any any eq 135
access-list acl_in extended deny tcp any any eq 137
access-list acl_in extended deny udp any any eq netbios-ns
access-list acl_in extended deny tcp any any eq 138
access-list acl_in extended deny udp any any eq netbios-dgm
access-list acl_in extended deny tcp any any eq netbios-ssn
access-list acl_in extended deny udp any any eq 139
access-list acl_in extended deny tcp any any eq 445
access-list acl_in extended permit tcp any any
access-list acl_in extended permit udp any any
access-list acl_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered informational
logging trap debugging
logging asdm informational
logging host inside 192.168.100.5
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu voip 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
nat (voip) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.100.6 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.6 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.100.6 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.100.4 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 995 192.168.100.6 995 netmask 255.255.255.255
static (inside,voip) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (voip,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
access-group acl_in in interface inside
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 201.229.36.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.100.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 15
ssh version 1
console timeout 0

username itzupport password PkYOuWGiZUe1KFVX encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a93163309837f207b4c0cb8089c89db5
: end

Jerry Ye Tue, 02/23/2010 - 05:54

Just realized that you have an inbound ACL on the inside interface. Can you add the following and try again (clear the logging buffer first)? If it is not working, check the log to see whether anything is on it.

access-list acl_in extended permit icmp any any

HTH,

jerry

ciscoitzupport Tue, 02/23/2010 - 06:19

Ok Jerry

Expanded the access list with the ICMP line. After this I tried a ping from host 192.168.100.5 (VLAN 1) to host 10.10.10.139 (VLAN 10):

Pinging 10.10.10.139 with 32 bytes of data:

Reply from 10.10.10.139: bytes=32 time=1ms TTL=128
Reply from 10.10.10.139: bytes=32 time<1ms TTL=128
Reply from 10.10.10.139: bytes=32 time<1ms TTL=128
Reply from 10.10.10.139: bytes=32 time<1ms TTL=128

As you can see... it works! Thank you so much. I guess this answers my question... problem solved.

Jerry Ye Tue, 02/23/2010 - 08:49

Great, glad that solved your problem.

You are actually hitting 2 issues.

1) NAT - because you have NAT control turned on, you need to create a NAT exemption between voip and inside.

2) ACL - since you have an inbound ACL on the inside interface, you need to permit ICMP because it is not IP/TCP/UDP. If you want to create an ACL for voip later, remember to include ICMP for ping.

Regards,

jerry
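
As an added example, not the thread's or Cisco's code, here is a Python audit that checks both of Jerry's points against ASA 7.x running-config text for a given interface pair: whether a host matching a dynamic `nat (src) N` rule has a `global (dst) N` on the egress interface or an exemption (a `nat (src) 0` rule, or an identity `static` in each direction), and whether an ACL applied inbound on the source interface has a first-match entry covering the protocol. The config excerpts are constructed from the posted configuration and are not the full `show run`; a `nat 0` rule is assumed to cover the flow, and ports and addresses in ACL entries are not evaluated.

```python
import re
from collections import defaultdict

# Constructed excerpt of the posted 7.2(4) config before the fix: dynamic NAT on
# inside and voip with a global only on outside, and no inbound ACL on inside.
BEFORE = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan10
 nameif voip
 security-level 100
same-security-traffic permit inter-interface
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
nat (voip) 1 10.10.10.0 255.255.255.0
"""

# Same excerpt after the thread's changes: identity statics both ways plus the
# inbound ACL on inside, in the posted order, with the ICMP line appended.
AFTER = BEFORE + """\
static (inside,voip) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (voip,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
access-list acl_in extended deny tcp any any eq 445
access-list acl_in extended permit tcp any any
access-list acl_in extended permit udp any any
access-list acl_in extended permit ip any any
access-list acl_in extended permit icmp any any
access-group acl_in in interface inside
"""

# Constructed variant: NAT fixed, but an inside ACL listing only TCP and UDP,
# so ICMP falls through to the implicit deny at the end of every ASA ACL.
TCP_UDP_ONLY = BEFORE + """\
static (inside,voip) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (voip,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
access-list acl_in extended permit tcp any any
access-list acl_in extended permit udp any any
access-group acl_in in interface inside
"""


def parse_config(text):
    """Collect the nat, global, static, access-group and access-list lines."""
    cfg = {"nat": [], "global": [], "static": [], "access_group": {}, "acl": defaultdict(list)}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nat \((\S+)\) (\d+)", line):
            cfg["nat"].append((m[1], int(m[2])))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            cfg["global"].append((m[1], int(m[2])))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            # static (real_ifc,mapped_ifc) mapped real ...: identity when mapped == real
            cfg["static"].append((m[1], m[2], m[3] == m[4]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["access_group"][m[2]] = m[1]
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+)", line):
            cfg["acl"][m[1]].append((m[2], m[3], line))
    return cfg


def nat_exemption_ok(cfg, src, dst):
    """A host matching 'nat (src) N' needs 'global (dst) N' on the egress
    interface, or the ASA logs 305005 and drops the packet. Exemptions:
    'nat (src) 0' (assumed to cover the flow) or an identity static (src,dst)."""
    ids = {n for ifc, n in cfg["nat"] if ifc == src}
    if not ids or 0 in ids:
        return True
    if any(ifc == dst and n in ids for ifc, n in cfg["global"]):
        return True
    return any(a == src and b == dst and ident for a, b, ident in cfg["static"])


def first_match(cfg, acl_name, proto):
    """First ACE whose protocol field covers proto. ASA ACLs are first-match and
    'ip' covers every IP protocol, ICMP included. None means the implicit deny."""
    for action, p, line in cfg["acl"].get(acl_name, []):
        if p in (proto, "ip"):
            return action, line
    return None


def audit(cfg, src, dst, proto="icmp"):
    """Findings for proto from src to dst; an empty list means nothing is missing."""
    findings = []
    for a, b in ((src, dst), (dst, src)):
        if not nat_exemption_ok(cfg, a, b):
            findings.append(f"no NAT exemption {a}->{b}")
    acl = cfg["access_group"].get(src)
    if acl:
        hit = first_match(cfg, acl, proto)
        if hit is None or hit[0] == "deny":
            findings.append(f"inbound ACL {acl} on {src} does not permit {proto}")
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("tcp/udp-only", TCP_UDP_ONLY)):
        print(name, audit(parse_config(text), "inside", "voip") or ["ok"])
```

On the posted config the audit reports ICMP as already permitted by the `permit ip any any` entry, since `ip` matches every protocol in an ASA ACL and evaluation stops at the first match; the NAT exemption is the finding that clears. When a ping still fails with no syslog entries, `packet-tracer input inside icmp 192.168.100.5 8 0 10.10.10.139` on the ASA shows which phase (NAT, ACL or route) drops the packet without having to reason about ordering by hand.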
