Cisco Support Community
Problem with Sub-interface on ASA 5520 v 8.2(2)16

We have an ASA 5520 with various DMZs at different security levels. One of the interfaces, gi0/2, is configured with sub-interfaces connected via a trunk to a 3560 switch. I am trying to pass traffic from VLAN 4 to the inside network with limited success. For some reason traffic for VLAN 4 is getting blocked by the ACL for VLAN 2. Is this a NAT issue?

Source            Destination       Message
192.168.193.4     192.168.17.195    Deny icmp src dmz2:192.168.193.4 dst inside:192.168.17.195 (type 0, code 0) by access-group "acl_dmz2" [0x0, 0x0]
192.168.17.195/1  192.168.193.4/0   Built outbound ICMP connection for faddr 192.168.193.4/0 gaddr 192.168.17.195/1 laddr 192.168.17.195/1

Here is the interface configuration:

interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.1
 vlan 2
 nameif dmz2
 security-level 60
 ip address 192.168.19.1 255.255.255.0
!
interface GigabitEthernet0/2.2
 vlan 3
 nameif dmz3
 security-level 30
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/2.3
 vlan 4
 nameif dmz4
 security-level 90
 ip address 192.168.193.1 255.255.255.248
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.17.1 255.255.255.0

nat (dmz4) 1 192.168.193.0 255.255.255.248
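The tell-tale sign in the deny message above is that the source address 192.168.193.4 belongs to the dmz4 subnet (192.168.193.0/29, VLAN 4) yet the ASA reports it as arriving on dmz2, which is why acl_dmz2 is the ACL evaluating it. The following script automates that check; it is an added example written for this page, not code from the thread or from Cisco. It parses the interface configuration posted above into a nameif-to-subnet map and then, for each ASA deny line, reports whether the packet arrived on the interface that owns its source subnet. The first log line is the one from the thread; the second log line and the wording of the findings are constructed for illustration.

```python
import ipaddress
import re

# Interface configuration as posted in the thread (sub-interface VLANs and addresses).
ASA_CONFIG = """\
interface GigabitEthernet0/2.1
 vlan 2
 nameif dmz2
 security-level 60
 ip address 192.168.19.1 255.255.255.0
!
interface GigabitEthernet0/2.2
 vlan 3
 nameif dmz3
 security-level 30
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/2.3
 vlan 4
 nameif dmz4
 security-level 90
 ip address 192.168.193.1 255.255.255.248
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.17.1 255.255.255.0
"""

# First line is the deny message from the thread; the second is a constructed
# on-subnet deny so the two cases can be compared side by side.
DENY_LOGS = [
    'Deny icmp src dmz2:192.168.193.4 dst inside:192.168.17.195 (type 0, code 0) '
    'by access-group "acl_dmz2" [0x0, 0x0]',
    'Deny tcp src dmz3:192.168.20.7/51234 dst inside:192.168.17.10/22 '
    'by access-group "acl_dmz3" [0x0, 0x0]',
]

# Core of an ASA access-group deny message; the /port suffix is optional on each address.
DENY_RE = re.compile(
    r'Deny (?P<proto>\S+) src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)(?:/\d+)? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)(?:/\d+)?.*?'
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_interfaces(config):
    """Map each nameif to its connected subnet and VLAN tag from 'show run' text."""
    interfaces = {}
    current = None

    def flush():
        if current and current["nameif"] and current["network"]:
            interfaces[current["nameif"]] = current

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            flush()
            current = {"name": line.split()[1], "vlan": None, "nameif": None, "network": None}
        elif current is None:
            continue
        elif line.startswith("vlan "):
            current["vlan"] = int(line.split()[1])
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            # strict=False lets the interface's own address stand in for its network.
            current["network"] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    flush()
    return interfaces


def check_deny(log_line, interfaces):
    """Explain one deny: did the packet arrive on the interface that owns its source subnet?"""
    m = DENY_RE.search(log_line)
    if not m:
        return None
    src = ipaddress.IPv4Address(m["src"])
    arrived_on = m["src_if"]
    owner = next((name for name, itf in interfaces.items() if src in itf["network"]), None)
    finding = {
        "src": str(src),
        "dst": m["dst"],
        "acl": m["acl"],
        "arrived_on": arrived_on,
        "owning_interface": owner,
        "owning_vlan": interfaces[owner]["vlan"] if owner else None,
        "mismatch": owner is not None and owner != arrived_on,
    }
    if finding["mismatch"]:
        finding["note"] = (f"{src} belongs to {owner} (VLAN {finding['owning_vlan']}) but was received "
                           f"on {arrived_on}: the frame is being placed on the wrong VLAN upstream "
                           f"(check trunk, native VLAN and switch routing), so {finding['acl']} sees it.")
    else:
        finding["note"] = f"{src} is on-subnet for {arrived_on}; this is a genuine {finding['acl']} deny."
    return finding


def triage(log_lines, config):
    """Run check_deny over a batch of log lines against the parsed configuration."""
    interfaces = parse_interfaces(config)
    return [f for f in (check_deny(line, interfaces) for line in log_lines) if f]


if __name__ == "__main__":
    for f in triage(DENY_LOGS, ASA_CONFIG):
        print(f["note"])
```

Run against the thread's deny line, the script flags the dmz2/dmz4 mismatch rather than an ACL problem, which is the conclusion the thread reaches: the ACL on dmz2 is only involved because the packet arrived there. The same check can be run over a full syslog feed to separate real ACL denies from misdelivered VLAN traffic.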

6 REPLIES
Cisco Employee

Hi,

Can we have a look at the access-list acl_dmz2?

Mike
Community Member

acl_dmz2 should have nothing to do with this? I have not edited acl_dmz2 to allow or permit any traffic associated with VLAN 4 under subinterface gi0/2.3. All traffic on gi0/2.3 should be controlled by acl_dmz4, not acl_dmz2. acl_dmz2 should only control traffic on gi0/2.1. I wouldn't think it would have anything to do with traffic on any other sub-interface.

Cisco Employee

(Accepted solution)

You are right.

For some reason the packets are getting to interface dmz2 instead of VLAN 4. Are you running routing on the switch?

Mike
Community Member

No, IP routing is not enabled, but the native VLAN for the trunk is the default, VLAN 1.

Cisco Employee

Can you do a quick capture on the ASA? Do the following:

capture dmz2 interface dmz2 match icmp host 192.168.193.4 host 192.168.17.195

Then do the ping, then run "show cap dmz2 detail" and check the source MAC address of the packet; you will be able to see who is sending the packet to the incorrect VLAN.

Mike
Community Member

Ok, I'll do this once I get back to the office in a few days.
