Inter VLAN Routing with ASA 5520 and Cat 2960

Answered Question
Jul 27th, 2010

Hi there,

I am a complete novice at networking, but I was tasked to have an ASA 5520 do inter VLAN routing (since my shop doesn't have a layer 3 router).

As a basic setup, I am trying to have three workstations on three different VLANs communicate with each other.  The attached screenshot shows the topology.

I am unable to ping from a PC to the ASA...therefore I can't ping to other VLANs.  Any assistance would be greatly appreciated.

ROUTER CONFIG:

ciscoasa#
ciscoasa# show run
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name null
enable password ###### encrypted
passwd ###### encrypted
names
dns-guard
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/1.10
vlan 10
nameif vlan10
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
vlan 20
nameif vlan20
security-level 100
ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
vlan 30
nameif vlan30
security-level 100
ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name null
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu vlan10 1500
mtu vlan20 1500
mtu vlan30 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.5 inside
dhcpd enable inside
!
dhcpd address 10.10.10.101-10.10.10.253 vlan10
dhcpd enable vlan10
!
dhcpd address 10.10.20.101-10.10.20.253 vlan20
dhcpd enable vlan20
!
dhcpd address 10.10.30.101-10.10.30.253 vlan30
dhcpd enable vlan30
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4ad1bba72f1f51b2a47e8cacb9d3606a
: end

SWITCH CONFIG

Switch#show run
Building configuration...

Current configuration : 2543 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/1
description Port Configured As Trunk
switchport trunk allowed vlan 1,10,20,30,1002-1005
switchport mode trunk
!
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface GigabitEthernet0/29
!
interface GigabitEthernet0/30
!
interface GigabitEthernet0/31
!
interface GigabitEthernet0/32
!
interface GigabitEthernet0/33
!
interface GigabitEthernet0/34
!
interface GigabitEthernet0/35
!
interface GigabitEthernet0/36
!
interface GigabitEthernet0/37
!
interface GigabitEthernet0/38
!
interface GigabitEthernet0/39
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
!
interface GigabitEthernet0/42
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
!
interface Vlan1
ip address 10.10.1.2 255.255.255.0
no ip route-cache
!
interface Vlan10
no ip address
no ip route-cache
!
interface Vlan20
no ip address
no ip route-cache
!
interface Vlan30
no ip address
no ip route-cache
!
ip default-gateway 10.10.1.1
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 5 15
!
end

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
dreweharris Tue, 07/27/2010 - 08:41

Switch#show int gi0/1 trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1,10,20,30,1002-1005

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30

dreweharris Tue, 07/27/2010 - 08:52

Thanks for helping, by the way...

Switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                Gi0/41, Gi0/42, Gi0/43, Gi0/44
                                                Gi0/45, Gi0/46, Gi0/47, Gi0/48
10   public                           active    Gi0/2
20   atd                              active    Gi0/3
30   VLAN0030                         active    Gi0/4
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Switch#show int status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     Port Configured As connected    trunk      a-full a-1000 10/100/1000Ba
seTX
Gi0/2                        notconnect   10           auto   auto 10/100/1000Ba
seTX
Gi0/3                        notconnect   20           auto   auto 10/100/1000Ba
seTX
Gi0/4                        notconnect   30           auto   auto 10/100/1000Ba
seTX
Gi0/5                        notconnect   1            auto   auto 10/100/1000Ba
seTX
Gi0/6                        notconnect   1            auto   auto 10/100/1000Ba
seTX
Gi0/7                        notconnect   1            auto   auto 10/100/1000Ba
seTX
Gi0/8                        notconnect   1            auto   auto 10/100/1000Ba
seTX
Gi0/9                        notconnect   1            auto   auto 10/100/1000Ba
seTX
Gi0/10                       notconnect   1            auto   auto 10/100/1000Ba
seTX

When I ran the command, no workstations were plugged in...

Sure - np

OK - looking at the below you have a physical issue, let me explain:-

Switch#show int status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     Port Configured As connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/2                        notconnect   10           auto   auto 10/100/1000BaseTX
Gi0/3                        notconnect   20           auto   auto 10/100/1000BaseTX
Gi0/4                        notconnect   30           auto   auto 10/100/1000BaseTX

The switch either has nothing connected to the ports, you have 3 x fault cables or the 3 devices are not powered up.

Check your physicals.

HTH>

dreweharris Tue, 07/27/2010 - 09:12

The reason for that is that I had nothing plugged in at the time I ran the command.  When I plug in a workstation, it says "connected" for the status of the port....

Still can't ping 10.10.1.1 from the workstation.

August Ritchie Tue, 07/27/2010 - 09:28

I see you grabbed a show int from the switch, but what about from the ASA?

Can you grab "sh int gi0/1"

What about pinging from the ASA, can you ping the device in vlan10 from the ASA? Before you do, issue this:

capture cap10 interface vlan10

Then ping

then issue:

show cap cap10

dreweharris Tue, 07/27/2010 - 09:37

No problem...

ciscoasa# show int gi0/1
Interface GigabitEthernet0/1 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address 5475.d0ba.46bb, MTU not set
        IP address 10.10.1.1, subnet mask 255.255.255.0
        4378 packets input, 467527 bytes, 0 no buffer
        Received 2715 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        30 L2 decode drops
        284 packets output, 25672 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 2 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/253)
        output queue (blocks free curr/low): hardware (255/253)

Instead of vlan10, I have a laptop (10.10.20.101) plugged into the vlan20 port.

ciscoasa# capture cap10 interface vlan20
ciscoasa# ping 10.10.20.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa# show cap cap10

27 packets captured

   1: 16:33:08.777334 802.1Q vlan#20 P0 10.10.20.101.137 > 74.55.74.138.137:  ud
p 50
   2: 16:33:09.381541 802.1Q vlan#20 P0 10.10.20.101 > 10.10.20.1: icmp: echo re
quest
   3: 16:33:09.381770 802.1Q vlan#20 P0 10.10.20.1 > 10.10.20.101: icmp: echo re
ply
   4: 16:33:10.271180 802.1Q vlan#20 P0 10.10.20.101.137 > 74.55.74.138.137:  ud
p 50
   5: 16:33:10.331159 802.1Q vlan#20 P0 10.10.20.101.10368 > 10.10.20.1.8905:  u
dp 105
   6: 16:33:11.771337 802.1Q vlan#20 P0 10.10.20.101.137 > 74.55.74.138.137:  ud
p 50
   7: 16:33:14.381816 802.1Q vlan#20 P0 10.10.20.101 > 10.10.20.1: icmp: echo re
quest
   8: 16:33:14.382045 802.1Q vlan#20 P0 10.10.20.1 > 10.10.20.101: icmp: echo re
ply
   9: 16:33:15.331678 802.1Q vlan#20 P0 10.10.20.101.10369 > 10.10.20.1.8905:  u
dp 103
  10: 16:33:18.466925 802.1Q vlan#20 P0 10.10.20.1 > 10.10.20.101: icmp: echo re
quest

However, when workstation 10.10.20.101 tries to ping the ASA (10.10.1.1), "Destination host unreachable" is the message...

Thanks,

Drew

August Ritchie Tue, 07/27/2010 - 09:44

Well you won't be able to ping that IP address, in fact you shouldn't have an IP address on that interface at all really. Your real testing should pretty much be from host on 1 vlan to the host on the other. You won't be able to ping any IP address on the ASA except the one you are directly behind. So for 10.10.20.101 that means the only pingable ASA IP will be 10.10.20.1

dreweharris Tue, 07/27/2010 - 10:10

That is good to know.  So here are the current symptoms...

I have three laptops plugged in...one in each vlan port.

10.10.10.101 --> Can ping 10.10.20.101, but not 10.10.30.101

10.10.20.101 --> Cannot ping either 10.10.10.101 or 10.10.30.101

10.10.30.101 --> Cannot ping 10.10.10.101, but can ping 10.10.20.101

Each laptop can ping its direct gateway on the ASA.

August Ritchie Tue, 07/27/2010 - 10:16

Hmm, can you double check the default gateway on 10.10.20.101?

also try this...

no cap cap10

capture cap10 interface vlan10

capture cap20 interface vlan20

Then ping from host on vlan10 to host on vlan20

Then get the outputs of "show cap cap10" and "show cap cap20"

dreweharris Tue, 07/27/2010 - 10:40

ciscoasa# capture cap10 interface vlan10

ciscoasa# capture cap20 interface vlan20

ciscoasa# show cap cap10

97 packets captured

   1: 17:32:32.541262 802.1Q vlan#10 P0 10.10.10.101.2461 > 10.10.10.1.8905:  ud
p 96
   2: 17:32:36.741294 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
   3: 17:32:36.741523 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
   4: 17:32:37.539217 802.1Q vlan#10 P0 10.10.10.101.2462 > 10.10.10.1.8905:  ud
p 98
   5: 17:32:39.104914 802.1Q vlan#10 P0 10.10.10.101.2463 > 10.12.5.64.8906:  ud
p 95
   6: 17:32:41.738914 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
   7: 17:32:41.739143 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
   8: 17:32:42.544023 802.1Q vlan#10 P0 10.10.10.101.2464 > 10.10.10.1.8905:  ud
p 93
   9: 17:32:46.747352 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  10: 17:32:46.747580 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  11: 17:32:47.546633 802.1Q vlan#10 P0 10.10.10.101.2465 > 10.10.10.1.8905:  ud
p 98
  12: 17:32:51.739921 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  13: 17:32:51.740150 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  14: 17:32:52.544100 802.1Q vlan#10 P0 10.10.10.101.2466 > 10.10.10.1.8905:  ud
p 98
  15: 17:32:56.741859 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  16: 17:32:56.742088 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  17: 17:32:57.547396 802.1Q vlan#10 P0 10.10.10.101.2467 > 10.10.10.1.8905:  ud
p 98
  18: 17:33:01.742728 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  19: 17:33:01.742957 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  20: 17:33:02.547609 802.1Q vlan#10 P0 10.10.10.101.2468 > 10.10.10.1.8905:  ud
p 97
  21: 17:33:06.742774 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  22: 17:33:06.743018 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  23: 17:33:07.543337 802.1Q vlan#10 P0 10.10.10.101.2469 > 10.10.10.1.8905:  ud
p 93
  24: 17:33:10.375514 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
p 50
  25: 17:33:11.114679 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
p 50
  26: 17:33:11.742728 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  27: 17:33:11.742957 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  28: 17:33:11.864731 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
p 50
  29: 17:33:12.546266 802.1Q vlan#10 P0 10.10.10.101.2470 > 10.10.10.1.8905:  ud
p 98
  30: 17:33:16.746497 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  31: 17:33:16.746726 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  32: 17:33:17.548403 802.1Q vlan#10 P0 10.10.10.101.2471 > 10.10.10.1.8905:  ud
p 97
  33: 17:33:21.744880 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  34: 17:33:21.745109 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  35: 17:33:22.545351 802.1Q vlan#10 P0 10.10.10.101.2472 > 10.10.10.1.8905:  ud
p 95
  36: 17:33:23.785558 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
p 50
  37: 17:33:24.522464 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
p 50
  38: 17:33:25.272568 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
p 50
  39: 17:33:26.744926 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  40: 17:33:26.745154 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  41: 17:33:27.548708 802.1Q vlan#10 P0 10.10.10.101.2473 > 10.10.10.1.8905:  ud
p 96
  42: 17:33:31.749625 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  43: 17:33:31.749854 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  44: 17:33:32.550096 802.1Q vlan#10 P0 10.10.10.101.2474 > 10.10.10.1.8905:  ud
p 97
  45: 17:33:36.748343 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  46: 17:33:36.748572 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  47: 17:33:37.546251 802.1Q vlan#10 P0 10.10.10.101.2475 > 10.10.10.1.8905:  ud
p 95
  48: 17:33:41.745566 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  49: 17:33:41.745795 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  50: 17:33:42.547975 802.1Q vlan#10 P0 10.10.10.101.2476 > 10.10.10.1.8905:  ud
p 97
  51: 17:33:46.747855 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  52: 17:33:46.748084 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  53: 17:33:47.548403 802.1Q vlan#10 P0 10.10.10.101.2477 > 10.10.10.1.8905:  ud
p 94
  54: 17:33:51.747718 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  55: 17:33:51.747931 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  56: 17:33:52.547670 802.1Q vlan#10 P0 10.10.10.101.2478 > 10.10.10.1.8905:  ud
p 97
  57: 17:33:54.134239 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
  58: 17:33:56.750678 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  59: 17:33:56.750891 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  60: 17:33:57.563035 802.1Q vlan#10 P0 10.10.10.101.2479 > 10.10.10.1.8905:  ud
p 97
  61: 17:33:59.245272 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
  62: 17:34:01.752188 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  63: 17:34:01.752402 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  64: 17:34:01.995737 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
dp 49
  65: 17:34:01.995813 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
dp 34
  66: 17:34:01.995950 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
dp 49
  67: 17:34:01.996011 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
dp 34
  68: 17:34:01.996118 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 49
  69: 17:34:01.996179 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 34
  70: 17:34:02.551836 802.1Q vlan#10 P0 10.10.10.101.2480 > 10.10.10.1.8905:  ud
p 98
  71: 17:34:03.011306 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
dp 49
  72: 17:34:03.011367 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
dp 34
  73: 17:34:03.011443 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
dp 49
  74: 17:34:03.011489 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
dp 34
  75: 17:34:03.011550 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 49
  76: 17:34:03.011596 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 34
  77: 17:34:04.027037 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
dp 49
  78: 17:34:04.027082 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
dp 34
  79: 17:34:04.027174 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
dp 49
  80: 17:34:04.027250 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
dp 34
  81: 17:34:04.027311 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 49
  82: 17:34:04.027357 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 34
  83: 17:34:04.745811 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
  84: 17:34:06.058514 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
dp 49
  85: 17:34:06.058605 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
dp 34
  86: 17:34:06.058651 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
dp 49
  87: 17:34:06.058712 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
dp 34
  88: 17:34:06.058758 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 49
  89: 17:34:06.058819 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 34
  90: 17:34:06.750907 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  91: 17:34:06.751151 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  92: 17:34:07.552751 802.1Q vlan#10 P0 10.10.10.101.2481 > 10.10.10.1.8905:  ud
p 96
  93: 17:34:11.752082 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  94: 17:34:11.752326 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  95: 17:34:12.553392 802.1Q vlan#10 P0 10.10.10.101.2482 > 10.10.10.1.8905:  ud
p 96
  96: 17:34:16.755438 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
  97: 17:34:16.755682 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
  98: 17:34:17.554811 802.1Q vlan#10 P0 10.10.10.101.2483 > 10.10.10.1.8905:  ud
p 97
  99: 17:34:21.751303 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
100: 17:34:21.751563 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
101: 17:34:22.552034 802.1Q vlan#10 P0 10.10.10.101.2484 > 10.10.10.1.8905:  ud
p 95
102: 17:34:26.753989 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
103: 17:34:26.754218 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
104: 17:34:27.560334 802.1Q vlan#10 P0 10.10.10.101.2485 > 10.10.10.1.8905:  ud
p 98
105: 17:34:31.755499 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
106: 17:34:31.755728 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
107: 17:34:32.563950 802.1Q vlan#10 P0 10.10.10.101.2486 > 10.10.10.1.8905:  ud
p 95
107 packets shown

ciscoasa# show cap cap20

92 packets captured

   1: 17:26:53.653378 802.1Q vlan#20 P0 10.10.20.101.1187 > 216.49.94.13.80: S 8
20343450:820343450(0) win 65535
   2: 17:27:12.019133 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
   3: 17:27:17.214481 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
   4: 17:27:55.593688 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
499891746:1499891746(0) win 65535
   5: 17:27:58.555284 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
499891746:1499891746(0) win 65535
   6: 17:28:04.564790 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
499891746:1499891746(0) win 65535
   7: 17:29:06.504856 802.1Q vlan#20 P0 arp who-has 10.10.20.1 tell 10.10.20.101

   8: 17:29:06.504917 802.1Q vlan#20 P0 arp reply 10.10.20.1 is-at 54:75:d0:ba:4
6:bb
   9: 17:29:06.505222 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
7080594:47080594(0) win 65535
  10: 17:29:09.467032 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
7080594:47080594(0) win 65535
  11: 17:29:15.476537 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
7080594:47080594(0) win 65535
  12: 17:30:17.417245 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
445997597:1445997597(0) win 65535
  13: 17:30:18.156043 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
  14: 17:30:20.378688 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
445997597:1445997597(0) win 65535
  15: 17:30:23.220356 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
  16: 17:30:26.388102 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
445997597:1445997597(0) win 65535
  17: 17:30:28.721047 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
  18: 17:30:34.222507 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
  19: 17:33:43.156928 802.1Q vlan#20 P0 arp who-has 10.10.20.101 tell 10.10.20.1
01
  20: 17:33:44.187002 802.1Q vlan#20 P0 arp who-has 10.10.20.1 tell 10.10.20.101

  21: 17:33:44.187047 802.1Q vlan#20 P0 arp reply 10.10.20.1 is-at 54:75:d0:ba:4
6:bb
  22: 17:33:44.187261 802.1Q vlan#20 P0 10.10.20.101 > 10.10.20.1: icmp: echo re
quest
  23: 17:33:44.187520 802.1Q vlan#20 P0 10.10.20.1 > 10.10.20.101: icmp: echo re
ply
  24: 17:33:44.239016 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  25: 17:33:44.327360 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
udp 34
  26: 17:33:44.989740 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  27: 17:33:45.150611 802.1Q vlan#20 P0 10.10.20.101.6646 > 10.10.20.255.6646:
udp 236
  28: 17:33:45.331312 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
udp 34
  29: 17:33:45.740943 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  30: 17:33:46.331892 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
udp 34
  31: 17:33:46.492131 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  32: 17:33:47.243502 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  33: 17:33:47.994501 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  34: 17:33:48.335050 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
udp 34
  35: 17:33:48.335141 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
udp 34
  36: 17:33:48.745658 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  37: 17:33:49.496861 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  38: 17:33:50.248812 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  39: 17:33:50.249300 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  40: 17:33:50.999170 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  41: 17:33:50.999246 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  42: 17:33:51.750342 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  43: 17:33:51.750418 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  44: 17:33:52.341336 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
udp 34
  45: 17:33:52.341474 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
udp 34
  46: 17:33:52.501576 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  47: 17:33:52.501652 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  48: 17:33:53.254183 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
p 174
  49: 17:33:53.254320 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
p 204
  50: 17:33:54.134361 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
  51: 17:33:54.755118 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
p 174
  52: 17:33:54.823535 802.1Q vlan#20 P0 10.120.2.198.1261 > 161.69.12.13.443: R
250934743:250934743(0) ack 2427374744 win 0
  53: 17:33:54.823901 802.1Q vlan#20 P0 10.120.2.198.1262 > 161.69.12.13.443: R
3313764765:3313764765(0) ack 1397588942 win 0
  54: 17:33:54.824618 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
2860571026:2860571026(0) win 65535
  55: 17:33:56.257448 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
p 174
  56: 17:33:57.759833 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
p 174
  57: 17:33:57.779729 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
2860571026:2860571026(0) win 65535
  58: 17:33:59.245394 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
  59: 17:33:59.262178 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
p 186
  60: 17:34:00.263780 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
p 186
  61: 17:34:01.265382 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
p 186
  62: 17:34:02.266908 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
p 186
  63: 17:34:03.268540 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  64: 17:34:03.789189 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
2860571026:2860571026(0) win 65535
  65: 17:34:04.019591 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  66: 17:34:04.745933 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
  67: 17:34:04.770757 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  68: 17:34:05.521991 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  69: 17:34:06.273209 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  70: 17:34:07.024367 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  71: 17:34:07.775518 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  72: 17:34:08.526706 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 68
  73: 17:34:09.277939 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
p 174
  74: 17:34:09.278061 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
p 174
  75: 17:34:09.278702 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
p 204
  76: 17:34:15.810489 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
udp 31
  77: 17:34:16.809726 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
udp 31
  78: 17:34:17.811222 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
udp 31
  79: 17:34:19.814349 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
udp 31
  80: 17:34:19.814380 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
udp 31
  81: 17:34:23.820682 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
udp 31
  82: 17:34:23.820788 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
udp 31
  83: 17:34:30.822924 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 50
  84: 17:34:31.572892 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 50
  85: 17:34:32.324079 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
p 50
  86: 17:34:33.083079 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
udp 44
  87: 17:34:34.077007 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
udp 44
  88: 17:34:35.078639 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
udp 44
  89: 17:34:37.081584 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
udp 44
  90: 17:34:37.081706 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
udp 44
  91: 17:34:41.087809 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
udp 44
  92: 17:34:41.087840 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
udp 44
92 packets shown

August Ritchie Tue, 07/27/2010 - 10:59

I see a few of them go all the way through, but no echo replies from 10.10.20.101

Does this have a windows firewall on?

Can you install wireshark on that PC and see if you are receiving any icmps?

From vlan 10 cap

57: 17:33:54.134239 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo request

61: 17:33:59.245272 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo request

83: 17:34:04.745811 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo request

From vlan 20 cap

2: 17:27:12.019133 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo request

3: 17:27:17.214481 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo request

13: 17:30:18.156043 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo request

15: 17:30:23.220356 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo request

dreweharris Tue, 07/27/2010 - 11:15

see attached screenshot (from 10.10.20.101 wireshark).  i did a ping from 10.10.10.101 to ...20.101 and used wireshark on ...20.101 to do capture.

Attachment: 
August Ritchie Tue, 07/27/2010 - 11:23

ICMPs are definitely being received, so it looks like the firewall is sending them through okay.

We see that the PC doing wireshark never responds.

Usually this indicates a firewall on the client, or other client related issue.

dreweharris Tue, 07/27/2010 - 12:05

August,

Firewalls are disabled on both hosts.  It seems to me that the destination host does not know where to send the reply packet to.

I found this in the log.

6Jul 27 201018:31:5611000210.10.10.1011919

Failed to locate egress interface for UDP from vlan10:10.10.10.101/1919 to 10.12.5.64/8906

But research on the error didn't lead me to anything specific...

Any clue?

-Drew

August Ritchie Tue, 07/27/2010 - 12:15

That seems to be unrelated to the traffic that we are interested in.

What happens when you try the ping the other way, and this time lets get some more specific captures.

access-list capture permit icmp host 10.10.20.101 host 10.10.10.101

access-list capture permit icmp host 10.10.10.101 host 10.10.20.101

no cap cap10

no cap cap20

cap cap10 access-list capture interface vlan10

cap cap20 access-list capture interface vlan20

And try the wireshark again on that PC. And try to ping the other way.

dreweharris Tue, 07/27/2010 - 12:39

note:  IP of vlan10 host was 10.10.10.103 for this exercise...

See attachment for wireshark screen capture and see below for captures...

ciscoasa(config)# show cap cap10

4 packets captured

   1: 19:32:54.264085 802.1Q vlan#10 P0 10.10.20.101 > 10.10.10.103: icmp: echo
request
   2: 19:32:59.482381 802.1Q vlan#10 P0 10.10.20.101 > 10.10.10.103: icmp: echo
request
   3: 19:33:04.490407 802.1Q vlan#10 P0 10.10.20.101 > 10.10.10.103: icmp: echo
request
   4: 19:33:09.498249 802.1Q vlan#10 P0 10.10.20.101 > 10.10.10.103: icmp: echo
request
4 packets shown


ciscoasa(config)# show cap cap20

4 packets captured

   1: 19:32:54.263963 802.1Q vlan#20 P0 10.10.20.101 > 10.10.10.103: icmp: echo
request
   2: 19:32:59.482274 802.1Q vlan#20 P0 10.10.20.101 > 10.10.10.103: icmp: echo
request
   3: 19:33:04.490285 802.1Q vlan#20 P0 10.10.20.101 > 10.10.10.103: icmp: echo
request
   4: 19:33:09.498127 802.1Q vlan#20 P0 10.10.20.101 > 10.10.10.103: icmp: echo
request
4 packets shown
ciscoasa(config)#

Attachment: 
August Ritchie Tue, 07/27/2010 - 12:50

I think the 2960 can have multiple active SVIs, if so can you put an IP address on vlan 20?

interface Vlan20

ip address 10.10.20.X

And then change the default gateway like so?

ip default-gateway 10.10.20.1

From there can you try pinging using the switches IP address instead of the host 10.10.20.101?

Warning*** Changing your default gateway may cause issues with management if you are not directly connected.

dreweharris Wed, 07/28/2010 - 05:45

No worries...

I'll just type the info as oppose to uploading screenshots.

IP:  10.10.20.101

Subnet Mask:  255.255.255.0

Default Gateway:  10.10.20.1

DHCP Server:  10.10.20.1

IP:  10.10.10.101

Subnet Mask:  255.255.255.0

Default Gateway:  10.10.10.1

DHCP Server:  10.10.10.1

dreweharris Wed, 07/28/2010 - 06:33

That is indeed correct.  The machine had a firewall running, and upon disabling, replies were successfully sent back to host 10.10.10.104.

It would appear that things are working now.

Thanks so much for your help.

Drew

HI,

I am trying to configure inter-vlan routing on ASA 5510 with 2960.but its not working.can anyone help me wit this.

Please find the below config:

Firewall ASA 5510:

sh run

: Saved

:

ASA Version 8.4(3)

!

hostname ciscoasa

enable password NuLKvvWGg.x9HEKO encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.0.0.1 255.255.255.0

!

interface Ethernet0/1

nameif vlan1

security-level 100

ip address 10.1.1.1 255.255.255.0

!

interface Ethernet0/1.1

vlan 2

nameif vlan2

security-level 100

ip address 10.1.2.1 255.255.255.0

!

<--- More --->

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

no nameif

security-level 100

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network vlan1

network-object 10.1.1.0 255.255.255.0

object-group network vlan2

network-object 10.1.2.0 255.255.255.0

<--- More --->

access-list vlan1 extended permit icmp any any

access-list vlan1 extended permit ip any any

access-list vlan2 extended permit icmp any any

access-list vlan2 extended permit ip any any

access-list outside extended permit icmp any any

pager lines 24

mtu outside 1500

mtu vlan1 1500

mtu vlan2 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

<--- More --->

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

<--- More --->

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

<--- More --->

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:52f97ea946ae6539626539485aa7493a


2960 Switch config:

sh run

Building configuration...

Current configuration : 3207 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Switch

!

boot-start-marker

boot-end-marker

!

enable password password

!

!

!

no aaa new-model

!

!

!

!

--More--                           crypto pki trustpoint TP-self-signed-3216298752

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3216298752

revocation-check none

rsakeypair TP-self-signed-3216298752

!

!

crypto pki certificate chain TP-self-signed-3216298752

certificate self-signed 01

  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33323136 32393837 3532301E 170D3933 30333031 30303031

  34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32313632

  39383735 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100C41D F4CC20D6 16C14D35 8FF8AF2D CB7E7C0D A29491DA 5482730D 65DBBE02

  FE7C16D3 6D24FB70 40727A68 2DF92EFE 3AF26447 3709DBE7 EF94B099 D7410E3A

  7063C7A1 071B39C9 D4900935 306C374F 9EE7A8E4 019C63FE 8DB31445 9CC4F75D

  BC9A281A 393FE6DB 0F5BF397 4FEB9B97 65A2B627 BDD9E46B 4A0817D0 35B38DB8

  B0150203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603

  551D1104 0B300982 07537769 7463682E 301F0603 551D2304 18301680 14B2C440

  43B407D0 4105B120 F2EADF80 A4E001A2 35301D06 03551D0E 04160414 B2C44043

  B407D041 05B120F2 EADF80A4 E001A235 300D0609 2A864886 F70D0101 04050003

--More--                             818100AA A8E187B7 77B10879 8B105B2F 5370D0B0 78233E54 533DA505 20694301

  C04D082E 07287DA7 C937B9C6 5360F92D 33C24B49 51179E2F 92435808 79147AA1

  EDDDC80B 04DE9C52 8A720DA8 E3CD277F E0BF3B2C A0091995 013D769D 634FDEE6

  E67CA6D1 A155C269 F43F4F74 682755BC 7ABC324F D850DB1C 67018B51 29B0327D 816B77

  quit

spanning-tree mode pvst

spanning-tree extend system-id

!

!

!

!

vlan internal allocation policy ascending

!

!

interface FastEthernet0

no ip address

!

interface GigabitEthernet0/1

switchport mode access

!

interface GigabitEthernet0/2

switchport access vlan 2

switchport mode access

--More--                           !

interface GigabitEthernet0/3

switchport mode trunk

!

interface GigabitEthernet0/4

!

interface GigabitEthernet0/5

!

interface GigabitEthernet0/6

!

interface GigabitEthernet0/7

!

interface GigabitEthernet0/8

!

interface GigabitEthernet0/9

!

interface GigabitEthernet0/10

!

interface GigabitEthernet0/11

!

interface GigabitEthernet0/12

!

interface GigabitEthernet0/13

--More--                           !

interface GigabitEthernet0/14

!

interface GigabitEthernet0/15

!

interface GigabitEthernet0/16

!

interface GigabitEthernet0/17

!

interface GigabitEthernet0/18

!

interface GigabitEthernet0/19

!

interface GigabitEthernet0/20

!

interface GigabitEthernet0/21

!

interface GigabitEthernet0/22

!

interface GigabitEthernet0/23

!

interface GigabitEthernet0/24

!

--More--                           interface GigabitEthernet0/25

!

interface GigabitEthernet0/26

!

interface Vlan1

ip address 10.1.1.2 255.255.255.0

!

interface Vlan2

no ip address

!

ip default-gateway 10.1.1.1

ip http server

ip http secure-server

!

line con 0

line vty 0 4

password password

login

line vty 5 15

password password

login

!

end

--More--                          


Actions

This Discussion