New Member

VLAN ON CISCO ASA ARE NOT WORKING

Hi;

My customer has a Cisco ASA 5505 on which we configured 3 VLANs.

The first VLAN (10) is connected to the Internet router with IP address 10.0.1.1/24.

The second VLAN, with IP 172.17.1.1/24, is connected to the IP phone network (the IP phones are not Cisco).

The third VLAN, with IP 192.168.1.1/24, is connected to the data network that includes PCs and servers, and we also configured DHCP for this network.

The two inside networks are connected to the same switch, and we don't have any VLANs on that switch.

My problem is, when one VLAN is working we can ping the default gateway, which is the data VLAN's IP address.

When the two VLANs (data and voice) are working at the same time, we cannot ping the two gateways; we get many timeouts.

Can someone help me solve this problem?

I attached my architecture!


2 REPLIES
Super Bronze

Hi,

You should really configure separate VLAN IDs for the Voice/Data subnets on the switch you have.

I am not sure if you have a Base License ASA or a Security Plus License ASA. In the Base License ASA only 3 VLAN IDs are supported and no trunking. With the Security Plus License the ASA would support 20 VLAN IDs and also trunking.

I would suggest using the same VLAN IDs from the ASA also on the switch, even if you only had the Base License ASA (which does not support trunking). So configure the required ports with the Data VLAN ID as access ports, connect the hosts to those ports, and also connect one of the ports to the ASA port that holds that same VLAN ID. The same goes naturally for the Voice VLAN ID and the hosts.

We can't say if there are any problems with your ASA configuration unless we can see the actual configuration on the ASA. So you would have to share that if there are some problems there. But you really should configure separate VLAN IDs on the switch also.

- Jouni

New Member

hostname ASA-EMGA-01
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 1
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!

!
interface Vlan30
 nameif outside
 security-level 0
 ip address 10.0.1.2 255.255.255.0
!
interface Vlan10
 nameif data
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 nameif voice
 security-level 100
 ip address 172.17.1.1 255.255.255.0
!
ftp mode passive

access-list voice extended permit ip any any
icmp permit any outside
icmp permit any inside
icmp permit any voice
pager lines 24
mtu outside 1500
mtu inside 1500
mtu voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (data) 1 0.0.0.0 0.0.0.0
nat (voice) 1 172.17.1.0 255.255.255.0
static (data,voice) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

access-group voice  in interface voice

route outside 0.0.0.0 0.0.0.0 10.0.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.240 192.168.0.152
!
dhcpd address 192.168.1.21-192.168.1.239 data
!

!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ASA-EMGA-01(config)#
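In the posted config, Ethernet0/0 to Ethernet0/2 are assigned to VLANs 1, 2 and 3 while the routed interfaces are Vlan30, Vlan10 and Vlan20, and the icmp permit and mtu lines reference a nameif "inside" that no interface defines. The following Python script is an added example (not from the thread or from Cisco) that cross-checks exactly those three things over a trimmed excerpt of the posted config; the Audit class and audit_asa_config function are names chosen here.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the ASA 5505 running-config posted above, trimmed to the relevant lines.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport access vlan 1
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 3
interface Vlan30
 nameif outside
interface Vlan10
 nameif data
interface Vlan20
 nameif voice
icmp permit any inside
mtu inside 1500
nat (data) 1 0.0.0.0 0.0.0.0
static (data,voice) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group voice in interface voice
"""

@dataclass
class Audit:
    orphan_ports: dict = field(default_factory=dict)   # port -> access VLAN with no matching "interface VlanN"
    empty_svis: list = field(default_factory=list)     # VlanN interfaces that no switchport is assigned to
    unknown_nameifs: set = field(default_factory=set)  # names used by icmp/mtu/nat/... but never defined

def audit_asa_config(text):
    port_vlan, svi_names, refs, cur = {}, {}, set(), None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = m.group(1)                                # enter an interface block
        elif m := re.match(r"\s+switchport access vlan (\d+)", line):
            port_vlan[cur] = "Vlan" + m.group(1)            # physical port -> VLAN membership
        elif m := re.match(r"\s+nameif (\S+)", line):
            svi_names[cur] = m.group(1)                     # VlanN -> its nameif
        elif m := re.match(r"(?:icmp permit \S+|mtu|access-group \S+ in interface) (\S+)", line):
            refs.add(m.group(1))                            # nameif referenced by a global command
        elif m := re.match(r"(?:nat|static|global) \(([^)]+)\)", line):
            refs.update(m.group(1).split(","))              # nameifs inside nat/static/global parentheses
    return Audit(
        orphan_ports={p: v for p, v in port_vlan.items() if v not in svi_names},
        empty_svis=sorted(s for s in svi_names if s not in port_vlan.values()),
        unknown_nameifs=refs - set(svi_names.values()),
    )
```

Running audit_asa_config on the excerpt flags all three switchports as orphaned, all three Vlan interfaces as having no member port, and "inside" as an undefined nameif; moving the ports into VLANs 30, 10 and 20 and replacing "inside" with "data" makes every finding empty.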
