08-30-2010 11:43 PM - edited 03-11-2019 11:32 AM
Hi,
My ASA 5520 is version 8.2(1).
I configured two subinterfaces:
interface GigabitEthernet0/3.1
 vlan 272
 nameif WN
 security-level 50
 ip address 10.227.2.254 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/3.2
 vlan 275
 nameif WN275
 security-level 50
 ip address 10.227.5.254 255.255.255.0
 ospf cost 10
!
Users in vlan 272 work fine, but users in vlan 275 can't even ping the gateway 10.227.5.254.
I can't find anything wrong. Only one strange thing I noticed when I do a "sh int ip bri" is the METHOD is different, see below. For Gi0/3.2 it is "manual", rather than "config".
GigabitEthernet0/3.1 10.227.2.254 YES CONFIG up up
GigabitEthernet0/3.2 10.227.5.254 YES manual up up
I guess if I can get that "manual" changed to "config", I will have a better chance to get vlan275 to work.
How can I do that? Why is it "manual"?
Thanks heaps.
Adam
08-31-2010 01:50 AM
The switch port that connects to the ASA interface gig0/3, I believe is a trunk port (dot1q), and please make sure that you allow VLAN 275 in that trunk port, and you also have VLAN 275 in your vlan database.
Would also like to find out if there is any ICMP policy configured on the ASA that might be blocking ping. Please check "sh run icmp" output.
08-31-2010 07:14 PM
"Switchport trunk allowed vlan add 275" fixed the problem.
Thanks a lot Halijenn.
Adam
08-31-2010 06:26 AM
Hello,
What is the native vlan on that trunk? If the native vlan is 275, then
change the native vlan to something that is not used in the network (say
900). Since there is no native vlan concept in the firewall subinterface, it
will expect all packets to be tagged for the subinterfaces.
Hope this helps.
Regards,
NT
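The two trunk checks raised in the replies above (subinterface VLAN missing from the allowed list, subinterface VLAN equal to the native VLAN), as an added example that is not part of the original thread. The switch port name and its config lines are constructed, and the parser assumes each `vlan` line is directly followed by `nameif`, as in the question.

```python
import re
# Constructed sample configs: the ASA side mirrors the subinterfaces in the
# question; the switch uplink port (name and lines) is hypothetical.
ASA_CFG = """\
interface GigabitEthernet0/3.1
 vlan 272
 nameif WN
interface GigabitEthernet0/3.2
 vlan 275
 nameif WN275
"""
SWITCH_CFG = """\
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 272
"""

def expand(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def asa_vlans(cfg):
    """Map nameif -> VLAN id (assumes 'vlan' is directly followed by 'nameif')."""
    pairs = re.findall(r"^\s*vlan (\d+)\s*\n\s*nameif (\S+)", cfg, re.M)
    return {name: int(v) for v, name in pairs}

def trunk_state(cfg):
    allowed, native = set(range(1, 4095)), 1  # IOS defaults: all VLANs, native 1
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"switchport trunk allowed vlan (add |remove )?([\d,\-]+)", line):
            op, vl = m.group(1), expand(m.group(2))
            allowed = allowed | vl if op == "add " else allowed - vl if op == "remove " else vl
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            native = int(m.group(1))
    return allowed, native

def audit(asa_cfg, switch_cfg):
    allowed, native = trunk_state(switch_cfg)
    problems = []
    for name, vlan in asa_vlans(asa_cfg).items():
        if vlan not in allowed:
            problems.append(f"{name}: VLAN {vlan} not allowed on trunk")
        elif vlan == native:  # the ASA subinterface only accepts tagged frames
            problems.append(f"{name}: VLAN {vlan} is the native VLAN, frames arrive untagged")
    return problems
```

Calling `audit(ASA_CFG, SWITCH_CFG)` on the sample reports WN275 as missing from the trunk's allowed list.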
08-31-2010 07:48 PM
With regards to the "CONFIG" and "manual" keywords,
GigabitEthernet0/3.1 10.227.2.254 YES CONFIG up up
GigabitEthernet0/3.2 10.227.5.254 YES manual up up
CONFIG indicates that the IP address for GigabitEthernet0/3.1 was loaded from the startup config. Manual indicates that the device has not been reloaded since the IP address was assigned to GigabitEthernet0/3.2. The same interface will display CONFIG once the device is reloaded.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s3.html#wp1464786
08-31-2010 07:53 PM
Hi Allen,
Thanks for explaining. That is very good to know.
Adam