Solved: ASA sub-interfaces problem

ece344609_2 · ‎04-22-2009

When configuring a CatOS switch to work with the ASA sub-interfaces, are these the right commands? Thanks much.

clear trunk 2/28 1-91,94-1005,1025-4094

set trunk 2/28 on dot1q 92-93

Jon Marshall · ‎04-22-2009

Okay, your trunk has a native vlan of 92 which means the packets sent for this vlan will not be tagged.

I don't have an ASA to test with but it may be that the ASA is expecting a tagged packet on vlan 92. So you could try changing the native vlan on the trunk link to something other than vlan 92 - the native vlan shouldn't be used to carry data traffic again.

Are your ASA subinteraces up ?

Jon

View solution in original post

Jon Marshall · ‎04-22-2009

Yes assuming that what you are trying to achieve on the CatOS switch is to have a trunk connected to the ASA that only allows vlan 92 and 93.

Jon

ece344609_2 · ‎04-22-2009

Thanks Jon.

That is the intention but I cannot get a host on VLAN 92 to ping the sub-interface I created on the firewall.

I have attached my test config.

Jon Marshall · ‎04-22-2009

Can you post output of "sh trunk" from the switch.

Jon

ece344609_2 · ‎04-22-2009

Jon,

Your help is much appreciated.

It is attached.

Jon Marshall · ‎04-22-2009

Okay, your trunk has a native vlan of 92 which means the packets sent for this vlan will not be tagged.

I don't have an ASA to test with but it may be that the ASA is expecting a tagged packet on vlan 92. So you could try changing the native vlan on the trunk link to something other than vlan 92 - the native vlan shouldn't be used to carry data traffic again.

Are your ASA subinteraces up ?

Jon

ece344609_2 · ‎04-27-2009

Jon,

The issue was the VLAN tagging. I changed that to another VLAN and it works!!

Thanks again and sorry I could not get back to you before.