ASA connection to router/switch module not working

Unanswered Question
Jul 15th, 2010

I have an ASA 5520 connected via port G0/3 to a 3825 router that has a fast ethernet switch module installed in it.  I built a VLAN interface and assigned port 2/0 to that VLAN.


I cannot pass any data thru the firewall from the router nor can I ping the router from the firewall.  I have hard coded the port on the ASA to 100 full and also on the router.


When I connect a PC directly to the ASA I can get out with no problem.  Here is a snapshot of both configurations.


From the router


interface FastEthernet2/0
 description ACSB wireless guest VLAN
 switchport access vlan 168
 duplex full
 speed 100

interface Vlan168
 ip address 192.168.168.2 255.255.255.0


From the ASA


interface GigabitEthernet0/3
 speed 100
 duplex full
 nameif intf5
 security-level 20
 ip address 192.168.168.1 255.255.255.0



Any suggestions?  Also, the router is not showing up in the arp table on the ASA but the ASA shows up in the arp table of the router.  Both interfaces are showing up up with no errors.


Seth

Nagaraja Thanthry Thu, 07/15/2010 - 08:20
User Badges: Cisco Employee

Hello,


This looks more like a physical layer issue. Have you tried the interfaces in auto-negotiation mode? It could be that there is an incompatibility between the hardware and the firewall is seeing errors when it gets data from the router. Check the "show interface" output on both devices to see if you are seeing any CRC errors.


Hope this helps.


Regards,


NT

srosenthal Thu, 07/15/2010 - 10:01

The problem seems to be with the router.  I connected my PC directly to the router on the port the ASA was connected to and I gave myself an IP address in the range of the VLAN.  I cannot ping from my PC to the VLAN IP address or the other way.


Also when I do a show VLAN command on the router I do not see vlan 168 showing up in the table.  It is in the VLAN database.


Seth
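
An added example, not part of the original thread: a small Python check for the symptom described in the post above, where an access port and an SVI reference VLAN 168 but the VLAN table does not list it. The VLAN table text is a constructed, simplified sample, and the function names are hypothetical.

```python
import re

# Constructed samples: the router config from the thread and a simplified
# VLAN table in which VLAN 168 is missing.
RUNNING_CONFIG = """\
interface FastEthernet2/0
 description ACSB wireless guest VLAN
 switchport access vlan 168
!
interface Vlan168
 ip address 192.168.168.2 255.255.255.0
"""
VLAN_TABLE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------
1    default                          active    Fa2/1, Fa2/2, Fa2/3
"""

def parse_config(text):
    """Return ({port: access_vlan}, {svi_vlan_ids}) from running-config text."""
    access, svis, current = {}, set(), None
    for line in text.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            svi = re.fullmatch(r"Vlan(\d+)", current, re.IGNORECASE)
            if svi:
                svis.add(int(svi.group(1)))
            continue
        m = re.match(r"\s*switchport access vlan (\d+)", line)
        if m and current:
            access[current] = int(m.group(1))
    return access, svis

def active_vlans(table):
    """VLAN IDs listed with status 'active' in the VLAN table output."""
    return {int(m.group(1))
            for m in re.finditer(r"^(\d+)\s+\S+\s+active\b", table, re.MULTILINE)}

def find_orphans(config, table):
    """List ports and SVIs whose VLAN is absent from the active VLAN table."""
    access, svis = parse_config(config)
    live = active_vlans(table)
    findings = [f"{port}: access vlan {v} not in VLAN table"
                for port, v in sorted(access.items()) if v not in live]
    findings += [f"Vlan{v}: SVI has no active VLAN"
                 for v in sorted(svis) if v not in live]
    return findings
```
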

srosenthal Thu, 07/15/2010 - 10:14

I believe I figured it out.  Looks like we need the GE-DCARD-ESW card to be able to route between VLANs.  Since I did not need but one port on this VLAN I simply made that port a routed port and did away with the VLAN.


Problem solved.


Seth

Nagaraja Thanthry Thu, 07/15/2010 - 10:21
User Badges: Cisco Employee

Hello,


Can you send the output of "show diag", "show vlan" and also "show run"?


Regards,


NT
