09-27-2013 06:49 AM - edited 03-11-2019 07:44 PM
Hi all,
I want to have a few VLANs on an ASA 5520, but so far no luck making it work.
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.1
mac-address 2222.1000.aaa1
vlan 1
nameif External-001
security-level 0
no ip address
ipv6 address ****:****:*:1000::1/64
ipv6 enable
ipv6 nd suppress-ra
!
interface GigabitEthernet0/0.2
mac-address 2222.2000.aaa1
vlan 2
nameif External-002
security-level 0
no ip address
ipv6 address ****:*****:*:2000::1/64
ipv6 enable
ipv6 nd suppress-ra
!
!
ipv6 route External-001 ::/0 ****:****:4::1
but I can't ping the gateway. If I set up the IP and default route on External-00, it works. Therefore I assume it has got something to do with the trunk and tagging of the frames, but I'm not sure what to actually do about it.
Thank you for your help.
Dan
09-27-2013 08:44 AM
try same-security-traffic permit intra-interface command
---
Posted by WebUser Marwan Hassan from Cisco Support Community App
09-27-2013 09:07 AM
Dan
Can you tell us what is connected to the physical interface of the ASA and share with us how that device is configured?
HTH
Rick
09-27-2013 01:07 PM
Yes, I have 'same-security-traffic permit inter-interface' as well as 'same-security-traffic permit intra-interface' just to see if it helps, not going to use it in the final config.
Thank you
Dan
09-27-2013 09:25 AM
router on a stick ?!! @ switch : switchport trunk encapsulation dot1q !
---
Posted by WebUser Ahmed Serry from Cisco Support Community App
09-27-2013 01:10 PM
I think switchport is only on ASA 5505, if I'm right
Thank you,
Dan
09-27-2013 12:52 PM
Hi all,
thank you for the questions.
The 0/0 and 0/1 are external interfaces, the 0/2 and 0/3 internal; each of them will go to a different switch with different configs.
I can ping the gateway when I use the 0/0 interface instead of 0/0.1, which is why I think it has got something to do with the trunk...
Thank you all for your time.
Dan
this is the config:
show run
: Saved
:
ASA Version 9.1(2)
!
hostname ***********
domain-name *********.net
enable password ******************* encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ***************** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.1
mac-address 2222.1000.aaa1
vlan 1
nameif External-001
security-level 0
no ip address
ipv6 address ****:****:4:1000::1/64
ipv6 enable
ipv6 nd suppress-ra
!
interface GigabitEthernet0/0.2
mac-address 2222.2000.aaa1
vlan 2
nameif External-002
security-level 0
no ip address
ipv6 address ****:****:4:2000::1/64
ipv6 enable
ipv6 nd suppress-ra
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.1
shutdown
vlan 11
nameif External-011
security-level 0
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
shutdown
mac-address 2222.3000.aaa1
vlan 21
nameif Internal-021
security-level 50
no ip address
ipv6 enable
ipv6 nd reachable-time 1700000
ipv6 nd ns-interval 9000
ipv6 nd ra-interval 201
ipv6 nd ra-lifetime 2000
ipv6 nd dad attempts 20
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.1
shutdown
vlan 31
nameif Internal-031
security-level 50
no ip address
!
interface Management0/0
nameif Management
security-level 100
ip address ***.***.***.**** 255.255.255.252
!
boot system disk0:/asa912-k8.bin
no ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name ********.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Management_IN extended permit ip any host ***.***.***.***
pager lines 24
logging enable
logging console notifications
logging buffered notifications
logging asdm notifications
mtu External-002 1500
mtu Management 1500
mtu Internal-021 1500
mtu Internal-031 1500
mtu External-001 1500
mtu External-011 1500
no failover
icmp unreachable rate-limit 100 burst-size 10
icmp permit host ***.***.***.*** Management
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Management_IN in interface Management
ipv6 icmp permit any echo External-001
ipv6 icmp permit any echo-reply External-001
ipv6 route External-001 ::/0 ****:****:4::1
route Management 0.0.0.0 0.0.0.0 ***.***.***.*** 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 4433
http 0.0.0.0 0.0.0.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 1
ssh 0.0.0.0 0.0.0.0 Management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 1
management-access Management
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
username ********* password ***************** encrypted privilege 15
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method email
Cryptochecksum:
: end
09-27-2013 02:05 PM
I would investigate the configuration on the switch and ensure that the trunk is up and the correct VLANs are forwarding.
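As an added example (not code from the thread or from Cisco), the script below parses ASA `show run` text like the one Dan posted and derives, per physical port, the VLAN list the upstream switch trunk must allow, skipping subinterfaces that are shut down and flagging VLAN 1, which on Cisco switches is the default native VLAN and therefore crosses a dot1q trunk untagged, whereas an ASA subinterface only matches tagged frames. The sample config is a constructed, trimmed copy of the posted interface blocks.

```python
# Added example (not from the thread): parse ASA 'show run' text and derive
# the VLANs the switch trunk facing each physical ASA port must carry.
import re

# Constructed, trimmed copy of Dan's interface blocks; addresses were dropped
# because the trunk check only needs the vlan / nameif / shutdown lines.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
no nameif
interface GigabitEthernet0/0.1
vlan 1
nameif External-001
interface GigabitEthernet0/0.2
vlan 2
nameif External-002
interface GigabitEthernet0/2.1
shutdown
vlan 21
nameif Internal-021
"""

def parse_subinterfaces(config):
    """Map physical port -> list of {'vlan', 'nameif', 'shutdown'} dicts."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+?)\.(\d+)$", line)
        if m:
            current = {"vlan": None, "nameif": None, "shutdown": False}
            ports.setdefault(m.group(1), []).append(current)
        elif line.startswith("interface "):
            current = None                      # physical port, no VLAN of its own
        elif current is not None:
            if line.startswith("vlan "):
                current["vlan"] = int(line.split()[1])
            elif line.startswith("nameif "):
                current["nameif"] = line.split()[1]
            elif line == "shutdown":
                current["shutdown"] = True
    return ports

def trunk_requirements(ports):
    """Per port: VLAN ids the trunk must allow (shutdown subinterfaces skipped)
    and a flag when VLAN 1 is used, since VLAN 1 is the default native VLAN on
    Cisco switches and leaves the trunk untagged unless tagged explicitly."""
    out = {}
    for port, subs in ports.items():
        vlans = sorted(s["vlan"] for s in subs if s["vlan"] and not s["shutdown"])
        out[port] = {"allowed_vlans": vlans, "native_vlan_1_risk": 1 in vlans}
    return out
```

Running it against the real `show run` (leading spaces are tolerated) gives the allowed-VLAN list to compare with `show interfaces trunk` on the switch side.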
09-27-2013 02:08 PM
09-28-2013 02:17 AM
Dear danjagor001, in order to solve this problem you need to create identity NAT for both VLANs, meaning to do static NATing. For example, if you have VLAN 10 and VLAN 20, you will do two static NATs:
1) static (vlan10,vlan20) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
2) static (vlan20,vlan10) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
Please let me know the result =) thanks
---
Posted by WebUser Marwan Hassan from Cisco Support Community App
09-28-2013 02:45 AM
Hello,
Thank you for the suggestion, but as all except the management interface use IPv6, it should not require NAT at all. I've got a /29 IPv4 available as well and I'll allocate it later on, but getting the IPv6 working is the priority.
Many thanks,
Dan