Solved

Catalyst 2960 Trunked to ASA 5510 Router on a Stick | Can ping sub-interface gateway but not other hosts

Posted on 2009-05-07
Last Modified: 2012-05-06
We have set up a Catalyst 2960 to handle our VLANs. All VLANs are defined on the switch, each switch port has switchport access for VLAN 401, and the uplink interface has the dot1q trunk to the ASA.

On the ASA we created sub-interfaces for all of the VLANs on Ethernet0/0.

If I connect two hosts with IP addresses of 10.1.101.50 and 10.1.101.51 to the switch with switchport access for VLAN 401, both can ping the default sub-interface gateway of 10.1.101.1 but they cannot ping each other. If I watch the syslog of the ASA, I see allowed entries when I ping the gateway, but nothing shows up (allow or deny) when I try to ping the other host from either host.

Below is the config for the switch. I'll post the config for the ASA in the next post.
Current configuration : 5679 bytes
!
! Last configuration change at 12:49:39 CST Sat May 2 2009
! NVRAM config last updated at 12:49:20 CST Sat May 2 2009
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXX
!
no aaa new-model
clock timezone CST -6
system mtu routing 1500
vtp mode transparent
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 400
 name MGMT
!
vlan 401
 name CORP-MAIN-O
!
vlan 402
 name E-O
!
vlan 403
 name P1-O
!
vlan 404
 name P2-O
!
vlan 405
 name P3-O
!
vlan 406
 name P4-O
!
vlan 407
 name S5-O
!
vlan 408
 name L1-O
!
vlan 409
 name L2-O
!
vlan 410
 name S8-O
!
vlan 501
 name MAIN-B
!
vlan 502
 name E-B
!
vlan 503
 name P1-B
!
vlan 504
 name P2-B
!
vlan 505
 name P3-B
!
vlan 506
 name P4-B
!
vlan 507
 name S5-B
!
vlan 508
 name L1-B
!
vlan 509
 name L2-B
!
vlan 510
 name S8-B
!
!
!
interface GigabitEthernet0/1
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/7
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/8
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/9
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/10
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/11
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/12
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/13
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/14
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/15
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/16
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/17
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/18
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/19
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/20
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/21
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/22
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/23
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/24
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/25
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/26
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/27
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/28
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/29
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/30
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/31
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/32
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/33
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/34
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/35
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/36
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/37
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/38
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/39
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/40
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/41
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/42
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/43
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/44
 switchport access vlan 401
 switchport mode access
 switchport voice vlan untagged
!
interface GigabitEthernet0/45
 switchport access vlan 401
 switchport mode access
!
interface GigabitEthernet0/46
 description trunk uplink
 switchport access vlan 401
 switchport trunk allowed vlan 400-510
 switchport mode trunk
!
interface GigabitEthernet0/47
 description trunk downlink
 switchport access vlan 401
 switchport trunk allowed vlan 400-510
 switchport mode trunk
!
interface GigabitEthernet0/48
 description Management
 switchport access vlan 400
 switchport mode access
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan400
 ip address 192.168.1.216 255.255.255.0
 no ip route-cache
!
interface Vlan401
 no ip address
 no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end

Question by:Tercestisi
3 Comments
 

Author Comment

by:Tercestisi
ID: 24328729
Here is the config for the ASA.
ASA Version 8.0(4)
!
hostname asa
domain-name domain.local
enable password XXXXX encrypted
passwd XXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 1000
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.100
 description MANAGEMENT
 vlan 400
 nameif MGT
 security-level 100
 ip address 10.1.200.1 255.255.255.0
!
interface Ethernet0/0.101
 description CORPORATE
 vlan 401
 nameif CORP
 security-level 100
 ip address 10.1.201.1 255.255.255.0
!
interface Ethernet0/0.102
 description OFFICE1
 vlan 402
 nameif EO
 security-level 100
 ip address 10.1.202.1 255.255.255.0
!
interface Ethernet0/0.103
 description POFFICE1
 vlan 403
 nameif P1O
 security-level 100
 ip address 10.1.203.1 255.255.255.0
!
interface Ethernet0/0.104
 description POFFICE2
 vlan 404
 nameif P2O
 security-level 100
 ip address 10.1.204.1 255.255.255.0
!
interface Ethernet0/0.105
 description POFFICE3
 vlan 405
 nameif P3O
 security-level 100
 ip address 10.1.205.1 255.255.255.0
!
interface Ethernet0/0.106
 description POFFICE4
 vlan 406
 nameif P4O
 security-level 100
 ip address 10.1.206.1 255.255.255.0
!
interface Ethernet0/0.107
 description S5OFFICE
 vlan 407
 nameif S5O
 security-level 100
 ip address 10.1.207.1 255.255.255.0
!
interface Ethernet0/0.108
 description LOFFICE1
 vlan 408
 nameif L1O
 security-level 100
 ip address 10.1.208.1 255.255.255.0
!
interface Ethernet0/0.109
 description LOFFICE2
 vlan 409
 nameif L2O
 security-level 100
 ip address 10.1.209.1 255.255.255.0
!
interface Ethernet0/0.110
 description S8OFFICE
 vlan 410
 nameif S8O
 security-level 100
 ip address 10.1.210.1 255.255.255.0
!
interface Ethernet0/0.111
 description BARN
 vlan 501
 nameif BARN
 security-level 100
 ip address 10.1.211.1 255.255.255.0
!
interface Ethernet0/0.112
 description BARN2
 vlan 502
 nameif BARN2
 security-level 100
 ip address 10.1.212.1 255.255.255.0
!
interface Ethernet0/0.113
 description PBARN1
 vlan 503
 nameif P1B
 security-level 100
 ip address 10.1.213.1 255.255.255.0
!
interface Ethernet0/0.114
 description PBARN2
 vlan 504
 nameif P2B
 security-level 100
 ip address 10.1.214.1 255.255.255.0
!
interface Ethernet0/0.115
 description PBARN3
 vlan 505
 nameif P3B
 security-level 100
 ip address 10.1.215.1 255.255.255.0
!
interface Ethernet0/0.116
 description PBARN4
 vlan 506
 nameif P4B
 security-level 100
 ip address 10.1.216.1 255.255.255.0
!
interface Ethernet0/0.117
 description SBARN5
 vlan 507
 nameif S5B
 security-level 100
 ip address 10.1.217.1 255.255.255.0
!
interface Ethernet0/0.118
 description LBARN1
 vlan 508
 nameif L1B
 security-level 100
 ip address 10.1.218.1 255.255.255.0
!
interface Ethernet0/0.119
 description LBARN2
 vlan 509
 nameif L2B
 security-level 100
 ip address 10.1.219.1 255.255.255.0
!
interface Ethernet0/0.120
 description SBARN8
 vlan 510
 nameif S8B
 security-level 100
 ip address 10.1.220.1 255.255.255.0
!
interface Ethernet0/1
 speed 1000
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif MGMT
 security-level 100
 ip address 192.168.1.9 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
access-list inside_temp_in extended permit ip any any
access-list inside_temp_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu MGT 1500
mtu CORP 1500
mtu EO 1500
mtu P1O 1500
mtu P2O 1500
mtu P3O 1500
mtu P4O 1500
mtu S5O 1500
mtu L1O 1500
mtu L2O 1500
mtu S8O 1500
mtu BARN 1500
mtu EB 1500
mtu P1B 1500
mtu P2B 1500
mtu P3B 1500
mtu P4B 1500
mtu S5B 1500
mtu L1B 1500
mtu L2B 1500
mtu S8B 1500
mtu MGMT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 MGMT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 192.168.1.9 MGMT
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 MGMT
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password XXXXX encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXX
: end

 

Author Comment

by:Tercestisi
ID: 24329604
I can verify that I can access each host via each other via RDP... just cannot ping them.
 

Accepted Solution

by:
Tercestisi earned 0 total points
ID: 24329969
It seems it was only Windows Firewall blocking ICMP requests.
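
Why the ASA syslog showed nothing for the host-to-host pings, as an added example that is not part of the original thread: two hosts in the same subnet are forwarded by the switch and never reach the firewall, so a silent ASA log points at the hosts themselves. The sample config is constructed (addresses follow the question text), and `parse_subinterfaces` and `path_between` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample in the sub-interface format of the ASA config above.
# Addresses follow the question text (gateway 10.1.101.1); the second
# subnet is an assumption added for contrast.
ASA_CONFIG = """\
interface Ethernet0/0.101
 vlan 401
 nameif CORP
 security-level 100
 ip address 10.1.101.1 255.255.255.0
!
interface Ethernet0/0.102
 vlan 402
 nameif EO
 security-level 100
 ip address 10.1.102.1 255.255.255.0
!
"""

def parse_subinterfaces(cfg):
    """Return one dict per interface stanza that has both nameif and ip address."""
    found = []
    for stanza in re.split(r"^interface ", cfg, flags=re.M)[1:]:
        body = stanza.split("\n!")[0]  # stop at the stanza's closing "!"
        f = dict(re.findall(r"^ (nameif|security-level|ip address) (.+)$", body, re.M))
        if "nameif" in f and "ip address" in f:
            addr, mask = f["ip address"].split()[:2]
            found.append({"nameif": f["nameif"],
                          "level": int(f.get("security-level", 0)),
                          "addr": ipaddress.ip_address(addr),
                          "net": ipaddress.ip_network(f"{addr}/{mask}", strict=False)})
    return found

def path_between(src, dst, subifs, inter_interface_permitted=False):
    """Classify where a src -> dst packet is forwarded (hypothetical helper)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    a = next((s for s in subifs if src in s["net"]), None)
    b = next((s for s in subifs if dst in s["net"]), None)
    if a is None or b is None:
        return "unknown"        # address is not on any parsed sub-interface
    if dst == b["addr"]:
        return "asa"            # addressed to the firewall itself: the ASA receives it
    if a is b:
        return "switched"       # same subnet: the 2960 forwards it, the ASA never sees it
    if a["level"] == b["level"] and not inter_interface_permitted:
        return "routed-denied"  # equal levels need same-security-traffic permit inter-interface
    return "routed"             # crosses the ASA, which applies policy and logs it
```

A result of `switched` means the firewall cannot be the component dropping the traffic; `routed-denied` is the case to expect between the equal-security-level sub-interfaces once hosts sit in different VLANs.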