ASA 5505 router-as-a-stick, can't ping between VLANs

May 25th, 2012

Hi, I am trying to get my ASA 5505 with 2 internal VLANs (voice and data) and an external internet VLAN to run as router-as-a-stick, and route between VLANs.

I can't get it working though:

From the data VLAN switchport I can ping (local VLAN) but not (the firewall IP on the other VLAN).

Connecting to the voice VLAN switchport I can ping (local VLAN) but not (the firewall IP on the other VLAN).

I have used Watchguard firewalls before and had this working instantly; with the ASA, however, it is a nightmare.

Can you please let me know what I am doing wrong and how I can make the ASA route between subnets?



Result of the command: "show running"

: Saved

ASA Version 8.4(4)

hostname ciscoasa

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6
 switchport access vlan 70

interface Ethernet0/7
 switchport access vlan 70

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

interface Vlan70
 no forward interface Vlan2
 nameif voice
 security-level 100
 ip address

boot system disk0:/asa844-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-

object network obj_any

object network obj-

object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1
access-list voice_access_in extended permit object-group DM_INLINE_PROTOCOL_2
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu voice 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400

object network obj-
 nat (inside,voice) static
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-
 nat (voice,inside) static
access-group inside_access_in in interface inside
access-group voice_access_in in interface voice
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside

dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

varrao Fri, 05/25/2012 - 16:23

What is the license that you have on the device?

Varun Rao
Security Team,
Cisco TAC

Fri, 05/25/2012 - 16:27

Hi Varun, thanks for the fast reply.

It is the base license; from the license details in ASDM: 8 phy interfaces, 3 VLANs, no VLAN trunk ports, inside hosts unlimited.


varrao Fri, 05/25/2012 - 16:35


With the Base license you would have a DMZ-restricted license; if you do "show version" on the CLI, you would see it.

This means you can only have 2 regular zones which can communicate with each other, and the 3rd one, which is restricted: traffic can only be initiated from one VLAN.

Here's the license doc:

Varun Rao
Security Team,
Cisco TAC

jcarvaja Fri, 05/25/2012 - 16:36


Important thing for you to know:

1- In order to allow ICMP packets to traverse the ASA you need to statefully inspect the ICMP protocol.

2- You cannot ping a distant interface. What does this mean? R/ If you are behind the inside interface you will be able to ping it, but you will not be able to ping the outside interface IP address or the DMZ interface IP address. This is a built-in security measure.

3- ASA 5505 with a Base license: traffic will only be allowed (unrestricted) from 2 VLANs; the 3rd one will be restricted. This means the 3rd VLAN will only be able to talk to one other interface, not to both of them.

In order to change the behavior of the traffic that will be allowed by the 3rd VLAN you need the following command:

- no forward interface vlan #

To solve this you will need a plus license.


Do rate all the helpful posts


Security Engineer
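A small config audit built around the three points above, added here as an illustration and not code from this thread or from Cisco: it parses a cut-down ASA 5505 running config (constructed to match the shape of the one posted, interface IPs omitted there too) and reports whether ICMP is inspected in the global policy and which VLAN on a Base license is forward-restricted, and towards what.

```python
import re

# Constructed sample shaped like the running config posted above; not the poster's file.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
interface Vlan2
 nameif outside
interface Vlan70
 no forward interface Vlan2
 nameif voice
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect sip
"""

def parse_vlan_interfaces(config):
    """Map each 'interface VlanN' block to its nameif and 'no forward interface' targets."""
    vlans, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):            # any top-level command ends the block
            m = re.match(r"interface (Vlan\d+)\s*$", line)
            current = vlans.setdefault(m.group(1), {"nameif": None, "no_forward": []}) if m else None
            continue
        if current is None:
            continue
        tok = line.split()
        if tok[:1] == ["nameif"]:
            current["nameif"] = tok[1]
        elif tok[:3] == ["no", "forward", "interface"]:
            current["no_forward"].append(tok[3])
    return vlans

def audit(config, base_license=True):
    """Checks drawn from the thread: ICMP inspection and Base-license third-VLAN limits."""
    findings = []
    inspected = {m.group(1) for m in re.finditer(r"^\s+inspect (\S+)", config, re.M)}
    if "icmp" not in inspected:
        findings.append("icmp is not inspected: echo replies are dropped unless an ACL permits them")
    named = {v: d for v, d in parse_vlan_interfaces(config).items() if d["nameif"]}
    if base_license and len(named) >= 3:
        restricted = [v for v, d in named.items() if d["no_forward"]]
        if not restricted:
            findings.append("Base license: the third named VLAN needs 'no forward interface'")
        for v in restricted:
            findings.append(f"{v} ({named[v]['nameif']}) cannot initiate traffic to "
                            + ", ".join(named[v]["no_forward"]))
    return findings
```

Pinging the ASA's own address on a different VLAN, as the original tests did, is rejected regardless of these findings (point 2 above), so the audit only covers traffic that actually traverses the box.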

