Cisco Support Community

not able to inter-vlan routing from ASA

Hi,

I configured sub interfaces on the ASA for inter-vlan routing. I can ping from my PC to other IPs within the same subnet, but I cannot ping other subnets, say:

Here is my configuration:


: Saved

ASA Version 7.2(1) <context>

hostname Ctx1
domain-name default.domain.invalid
enable password xxx

interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/1.2
 description link to SNGSW3002 G0/22
 nameif inside20
 security-level 100
 ip address standby

interface GigabitEthernet0/1.3
 description link to SNGSW3002 G0/22
 nameif inside30
 security-level 100
 ip address standby

interface GigabitEthernet0/1.5
 description link to SNGSW3002 G0/22
 nameif inside50
 security-level 100
 ip address standby

interface GigabitEthernet0/1.6
 description link to SNGSW3002 G0/22
 nameif inside60
 security-level 100
 ip address standby

interface GigabitEthernet0/2
 description link to SNGSW2002 G0/4
 nameif outside
 security-level 50
 ip address standby

interface GigabitEthernet0/3
 description link to SNGSW2002 G0/2
 nameif DMZ
 security-level 0
 ip address standby

passwd xxx
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list from-inside20 extended permit ip any any
access-list from-inside20 extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
mtu inside20 1500
mtu inside30 1500
mtu inside50 1500
mtu inside60 1500
mtu outside 1500
mtu DMZ 1500
monitor-interface inside20
no asdm history enable
arp timeout 14400
nat (DMZ) 0
access-group from-inside20 in interface inside20
access-group from-inside20 in interface inside30
access-group from-inside20 in interface inside50
access-group from-inside20 in interface inside60
access-group 101 in interface outside
access-group DMZ_access_in in interface DMZ
route outside 1
route DMZ 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cisco password xxx encrypted
http server enable
http inside20
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh DMZ
ssh timeout 5

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global

: end


Re: not able to inter-vlan routing from ASA

Maybe just a typo on your part, but aren't and the same subnet? I assume you meant 172.16.2.x to 172.16.3.x. Anyway, try

"same-security-traffic permit inter-interface" to allow communication between same security level interfaces.
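
The condition described in the reply above can be checked offline against a saved configuration. The following is an added example, not part of the original thread: a Python script that lists named interfaces sharing a security level when `same-security-traffic permit inter-interface` is absent. The sample configuration is constructed from the interface names and levels in the posted config, the function names are hypothetical, and it assumes `nameif` appears before `security-level` in each interface stanza.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the posted configuration (addresses omitted).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 no nameif
 no security-level
interface GigabitEthernet0/1.2
 nameif inside20
 security-level 100
interface GigabitEthernet0/1.3
 nameif inside30
 security-level 100
interface GigabitEthernet0/2
 nameif outside
 security-level 50
interface GigabitEthernet0/3
 nameif DMZ
 security-level 0
"""

def parse_interfaces(config):
    """Return {nameif: security_level} for every named interface."""
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new stanza, forget previous nameif
        elif (m := re.fullmatch(r"nameif (\S+)", line)):
            name = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    return levels

def blocked_groups(config):
    """Groups of interfaces that share a level and cannot reach each other."""
    if re.search(r"^\s*same-security-traffic permit inter-interface\s*$", config, re.M):
        return []
    by_level = defaultdict(list)
    for name, level in parse_interfaces(config).items():
        by_level[level].append(name)
    return sorted((lvl, sorted(names)) for lvl, names in by_level.items() if len(names) > 1)

if __name__ == "__main__":
    for level, names in blocked_groups(SAMPLE_CONFIG):
        print(f"security-level {level}: {', '.join(names)} blocked from each other")
```

Once the command is present, the interface ACLs (here `permit ip any any` on every inside interface) are what decide which flows between those VLANs are allowed.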
