I am having communication issues between a router and ASA 7.2(2) with subinterfaces. A simple ping from the ASA cannot reach the router. Here is the config:
****** BEGIN ******
ip address 192.168.1.1 255.255.255.0
descrip **** ASA eth0
sw trunk encap dot1q
sw trunk native vlan 40
sw mode trunk
descrip *** Router E0
sw mode access
sw access vlan 40
ip address 192.168.1.2
****** END ******
I enabled "debug arp". When I do a ping from ASA to R1, on ASA I can see the outgoing ARP packets. On R1 I can see the incoming ASA-ARP packets as well as the R1-ARP-REPLY BUT on SW I can only see the ASA-ARP-REQUEST packets to R1; never the R1-ARP-REPLY packets.
Scenario 1: If I disable the subinterface on the ASA and enable just ethernet0 without vlan, the ping works fine.
Scenario 2: If I do the following change, the ASA can reach R1:
TO DOCUMENT THIS CONVERSATION FOR OTHERS OUT THERE:
I found the problem.... AN ASA BUG. I read the bug id "CSCsj96350". The bug is for ASA5505; however, I followed the workaround... and it worked for my 5510. So if the switch port where the ASA is connected has the same "trunk native vlan id" as the "vlan id" of the ASA, the ASA WILL NOT TAG them.... having no communication on such network.
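The following is an added example, not part of the original post or of any Cisco code. It models, in plain Python, the standard 802.1Q behaviour that produces exactly the symptom described above: on a dot1q trunk the native VLAN leaves the switch untagged, while an ASA subinterface only accepts frames carrying its own VLAN tag. So when the switch's native VLAN equals the ASA subinterface VLAN (40 here), R1's ARP reply arrives at the ASA untagged and is never delivered to the subinterface, whereas a plain physical interface (scenario 1) or a different native VLAN (the workaround) works. The MAC addresses, the ARP payload and the frame/switch/subinterface functions are all constructed for illustration; the post does not contain them.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806

# Constructed sample addresses (not from the post).
ASA_MAC = bytes.fromhex("001122334455")
R1_MAC = bytes.fromhex("66778899aabb")
# Constructed stand-in for an ARP reply body; contents do not matter here.
ARP_REPLY_PAYLOAD = b"arp-reply 192.168.1.2 is-at " + R1_MAC


def build_frame(dst, src, payload, ethertype=ETHERTYPE_ARP, vlan=None):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        tci = vlan & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN id
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_or_None, ethertype, payload) for an Ethernet frame."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        inner_etype = struct.unpack("!H", frame[16:18])[0]
        return dst, src, tci & 0x0FFF, inner_etype, frame[18:]
    return dst, src, None, etype, frame[14:]


def trunk_egress(vlan, native_vlan, dst, src, payload):
    """Switch forwards a frame from `vlan` out a dot1q trunk.

    Standard 802.1Q trunk behaviour: every VLAN is tagged except the
    native VLAN, which is sent untagged.
    """
    tag = None if vlan == native_vlan else vlan
    return build_frame(dst, src, payload, vlan=tag)


def subinterface_accepts(frame, sub_vlan):
    """An ASA subinterface (e.g. ethernet0.40, vlan 40) only takes frames tagged with its VLAN."""
    _, _, vlan, _, _ = parse_frame(frame)
    return vlan == sub_vlan


def physical_interface_accepts(frame):
    """An untagged physical interface (scenario 1) takes only untagged frames."""
    _, _, vlan, _, _ = parse_frame(frame)
    return vlan is None


def reply_reaches_asa(native_vlan, sub_vlan=40, router_vlan=40):
    """Does R1's ARP reply (access vlan 40) reach the ASA subinterface over the trunk?"""
    frame = trunk_egress(router_vlan, native_vlan, ASA_MAC, R1_MAC, ARP_REPLY_PAYLOAD)
    return subinterface_accepts(frame, sub_vlan)


def check_trunk_native(sub_vlans, native_vlan):
    """Config lint: list ASA subinterface VLANs that collide with the trunk's native VLAN."""
    return sorted(v for v in sub_vlans if v == native_vlan)


if __name__ == "__main__":
    for native in (40, 1):
        print(f"native vlan {native}: reply reaches ASA subinterface -> {reply_reaches_asa(native)}")
    print("colliding subinterface VLANs:", check_trunk_native([40, 50], 40))
```

In a capture on the ASA side this shows up the same way: with native VLAN 40 the reply frame from the switch has no 0x8100 tag, so it never matches the subinterface, and only the physical interface would see it. Changing the trunk's native VLAN to an id no subinterface uses makes VLAN 40 egress tagged and the reply is delivered.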