02-11-2007 05:09 PM - edited 02-21-2020 01:24 AM
Hi:
I configured sub-interfaces on the ASA for inter-VLAN routing. I can ping from my PC 172.16.2.122 to other IPs within the same subnet, but I cannot ping other subnets, say 172.16.2.51.
Here is my configuration:
SNGFWL001/Ctx1# SH RUN
: Saved
:
ASA Version 7.2(1) <context>
!
hostname Ctx1
domain-name default.domain.invalid
enable password xxx
names
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.2
description link to SNGSW3002 G0/22
nameif inside20
security-level 100
ip address 172.16.2.254 255.255.255.0 standby 172.16.2.253
!
interface GigabitEthernet0/1.3
description link to SNGSW3002 G0/22
nameif inside30
security-level 100
ip address 172.16.3.254 255.255.255.0 standby 172.16.3.253
!
interface GigabitEthernet0/1.5
description link to SNGSW3002 G0/22
nameif inside50
security-level 100
ip address 172.16.5.254 255.255.255.0 standby 172.16.5.253
!
interface GigabitEthernet0/1.6
description link to SNGSW3002 G0/22
nameif inside60
security-level 100
ip address 172.16.6.254 255.255.255.0 standby 172.16.6.253
!
interface GigabitEthernet0/2
description link to SNGSW2002 G0/4
nameif outside
security-level 50
ip address 172.16.25.4 255.255.255.0 standby 172.16.25.2
!
interface GigabitEthernet0/3
description link to SNGSW2002 G0/2
nameif DMZ
security-level 0
ip address 172.16.24.4 255.255.255.0 standby 172.16.24.5
!
passwd xxx
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list from-inside20 extended permit ip any any
access-list from-inside20 extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
mtu inside20 1500
mtu inside30 1500
mtu inside50 1500
mtu inside60 1500
mtu outside 1500
mtu DMZ 1500
monitor-interface inside20
no asdm history enable
arp timeout 14400
nat (DMZ) 0 0.0.0.0 0.0.0.0
access-group from-inside20 in interface inside20
access-group from-inside20 in interface inside30
access-group from-inside20 in interface inside50
access-group from-inside20 in interface inside60
access-group 101 in interface outside
access-group DMZ_access_in in interface DMZ
route outside 172.17.0.0 255.255.0.0 172.16.25.10 1
route DMZ 0.0.0.0 0.0.0.0 172.16.24.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cisco password xxx encrypted
http server enable
http 172.16.2.0 255.255.255.0 inside20
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
02-12-2007 11:14 AM
Maybe just a typo on your part, but aren't 172.16.2.122/24 and 172.16.2.51/24 the same subnet? I assume you meant 172.16.2.x to 172.16.3.x. Anyway, try
"same-security-traffic permit inter-interface" to allow communication between same-security-level interfaces.
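An added config audit check, not from this thread or from Cisco: it parses the nameif / security-level pairs out of an ASA running-config and lists interface pairs that share a security level while "same-security-traffic permit inter-interface" is absent (the condition that blocks inside20 to inside30 above). The config it runs over is a constructed sample modelled on the one posted, trimmed to the relevant lines.

```python
import re
from itertools import combinations

# Constructed sample modelled on the ASA context config posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.2
 nameif inside20
 security-level 100
!
interface GigabitEthernet0/1.3
 nameif inside30
 security-level 100
!
interface GigabitEthernet0/2
 nameif outside
 security-level 50
!
"""

def parse_security_levels(config):
    """Map each nameif to its security-level (interfaces with 'no nameif' are skipped)."""
    levels, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None                      # start of a new interface block
        elif line.startswith("nameif "):
            name = line.split(None, 1)[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels

def blocked_same_level_pairs(config):
    """Interface pairs that share a security level and therefore cannot pass
    traffic to each other unless 'same-security-traffic permit inter-interface' is set."""
    if re.search(r"^same-security-traffic permit inter-interface\s*$", config, re.M):
        return []                            # the knob is set; nothing is blocked by level alone
    by_level = {}
    for nameif, lvl in parse_security_levels(config).items():
        by_level.setdefault(lvl, []).append(nameif)
    return [(a, b, lvl) for lvl, names in sorted(by_level.items())
            for a, b in combinations(sorted(names), 2)]

if __name__ == "__main__":
    for a, b, lvl in blocked_same_level_pairs(SAMPLE_CONFIG):
        print(f"{a} <-> {b}: both security-level {lvl}, blocked without the permit")
    print(blocked_same_level_pairs(SAMPLE_CONFIG + "same-security-traffic permit inter-interface\n"))
```

The check only covers the security-level rule; an interface ACL applied with access-group can still deny the traffic after the permit is added, so review those separately.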