ASA Unable to ping MGMT VLAN 10

Answered Question
May 25th, 2012

I'm troubleshooting a network and have run into a stumbling block and unfortunately I don't know much about the Cisco ASA devices. 

I have a switch connected to an ASA.  I'm trying to reach VLAN 10's IP from the ASA:

SW#sh run int vlan 10

interface Vlan10
ip address 10.10.20.1 255.255.255.0
end

ASA# ping 10.10.20.1

?????

However I can reach VLAN 1's IP from the ASA:

SW#sh run int vlan 1

interface Vlan1
ip address 10.1.20.1 255.255.255.0
no ip redirects
load-interval 30
end

ASA# ping 10.1.20.1

!!!!!

I'm assuming it's a simple problem, maybe I'm just having a bad day.

Correct Answer by Reza Sharifi about 1 year 11 months ago

If you have one physical interface connecting the switch to the firewall with 2 vlans on it (1 and 10), then you need to trunk the interface on the switch side to be able to pass tagged and untagged traffic.

Can you provide the interface config connected to the firewall?

HTH


wgmcmahon Fri, 05/25/2012 - 12:39

That's exactly what I thought it was, currently the port connecting the switch to the ASA is a switch port with no vlan defined, so I'm assuming it's using the default native vlan 1:

SW#sh run int g1/1
interface GigabitEthernet1/1
description 12-05-18-UPLINK-ASA-INSIDE
load-interval 30
spanning-tree portfast
end

ASA# sh run int e0/1

interface Ethernet0/1
description Inside
nameif inside
security-level 100
ip address 10.1.1.253 255.255.255.0

So you are saying g1/1 should be a trunk link allowing vlans 1 and 10 (and any other vlans I wish to pass through to the ASA)?

Sorry, even I know these are really basic questions, but I don't have much experience with ASAs, so I'm not sure, entirely, how they interact with switches and routers (whether they act as an end device or as another network device).

Reza Sharifi Fri, 05/25/2012 - 12:52

So you are saying g1/1 should be a trunk link allowing vlans 1 and 10 (and any other vlans I wish to pass through to the ASA)?

That is correct. Here is the config to make a trunk port:

Switch(config-if)#do sh run int gi1/0/2

Building configuration...

Current configuration : 123 bytes
!
interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
end

Switch(config-if)#

This will allow all vlans to traverse the link.

Regarding your second question, I am assuming you are planning to use the switch as a layer-2 device only and the firewall as a router (where the users' default gateway is). If that is the case, then the firewall is a network device and it is acting as a router.

Is that what you are trying to do?

PS: A quick drawing of your network can be very helpful

HTH

wgmcmahon Fri, 05/25/2012 - 12:58

Not exactly... the default route on the switch is already pointing to the ASA. 

When I joined the company we decided that we would move towards proper VLAN segregation and proper subnetting of like networks. Everything (and I mean everything) was operating on Vlan 1, and we use the ASA to create network tunnels to different satellite companies across Canada. So after moving the MGMT IPs to Vlan 10 (our designated MGMT VLAN nationally) I found that I was no longer able to access the Ciscos over the VPN connection.

Since everything before was operating on Vlan 1 I will need to change the connection between the Switch and the ASA to a trunk link to allow all the new vlans we will be adding.

Does this make sense? 

Reza Sharifi Fri, 05/25/2012 - 13:13

Ok, I got it.  It is not a good idea to put users and management traffic in the same vlan. Also vlan 1 is the native vlan and should not be used at all.

So, in this new design, how many vlans and subnets are you going to have?

Can you provide the vlans and the corresponding subnets?
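Reza's trunk config above and his later point that VLAN 1 should not stay in use as the native VLAN, as an added example that is not part of the thread: a small Python audit that reads an IOS switchport config like the ones posted, reports which VLANs can cross the link untagged or tagged (so a VLAN 10 frame is shown to be dropped by the original access port), and lists what to tighten on a trunk. The two sample configs are constructed from the thread, and the parser only understands plain numeric allowed-VLAN lists.

```python
import re
# Constructed configs modelled on the thread: the access port that faced the ASA
# (no switchport commands at all) and the trunk Reza posted.
ACCESS_PORT_CFG = """interface GigabitEthernet1/1
 description 12-05-18-UPLINK-ASA-INSIDE
end"""
TRUNK_PORT_CFG = """interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
end"""

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def analyse_port(cfg):
    """Return which VLANs a switchport carries (untagged/tagged) and what to tighten."""
    mode, native, access_vlan, allowed, nonegotiate = "access", 1, 1, None, False
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "switchport mode trunk":
            mode = "trunk"
        elif line == "switchport nonegotiate":
            nonegotiate = True
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            access_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            native = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line):
            allowed = parse_vlan_list(m.group(1))
    if mode == "access":
        # One VLAN, untagged: VLAN 10 frames never cross, so its SVI is unreachable.
        return {"mode": mode, "untagged": access_vlan, "tagged": set(), "findings": []}
    permitted = allowed if allowed is not None else set(range(1, 4095))  # IOS default: all
    findings = []
    if native == 1:
        findings.append("native VLAN is 1: move it to an unused VLAN")
    if allowed is None:
        findings.append("no allowed-VLAN list: every VLAN crosses the trunk")
    if not nonegotiate:
        findings.append("DTP enabled: add 'switchport nonegotiate'")
    return {"mode": mode, "untagged": native if native in permitted else None,
            "tagged": permitted - {native}, "findings": findings}

def reaches(port, vlan):
    return vlan == port["untagged"] or vlan in port["tagged"]  # native or tagged member
```

The trunk alone only delivers tagged frames to the firewall; the ASA side also has to be configured to accept each tag (a dot1q subinterface per VLAN on Ethernet0/1), which the thread leaves open.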

wgmcmahon Fri, 05/25/2012 - 13:20

Well, it's quite complex due to the number of companies we have, but I will give you the Cliff's Notes.

Vlan 1 - User traffic (I know we shouldn't use Vlan 1 for DATA but it's sorta a migrational step, maybe after the rest of the Vlans are in place we will start to move user traffic -- wasn't my decision) - 10.1.x.0/24 (where x is the company ID)

Vlan 2 - Voice - 10.2.x.0/24 (where x is the company id)

Vlan 3 - Printers - 10.3.x.0/24

Vlan 4 - Servers - 10.4.x.0/24

Vlan 5 - Corp Wifi - 10.5.x.0/24

Vlan 6 - Video - 10.6.x.0/24

Vlan 7 - Special devices 1 - 10.7.x.0/24

Vlan 9 - Special devices 2 - 10.9.x.0/24

Vlan 10 - Network Mgmt - 10.10.x.0/24

Vlan 172 - Guest wireless - 176.16.0.0/24

Reza Sharifi Fri, 05/25/2012 - 13:28

Ok looks good.

One more thing: what model switch and firewall do you have?

Posted May 25, 2012 at 11:55 AM