Solved

Catalyst 2960 Trunked to ASA 5510 Router on a Stick | Can ping sub-interface gateway but not other hosts

Posted on 2009-05-07
Last Modified: 2012-05-06
We have set up a Catalyst 2960 to handle our VLANs. All VLANs are defined on the switch, each switch port has switchport access for VLAN 401 and the uplink interface has the dot1q trunk to the ASA.

On the ASA we created sub-interfaces for all of the VLANs on Ethernet0/0.

If I connect two hosts with IP addresses of 10.1.101.50 and 10.1.101.51 to the switch with switchport access for VLAN 401, both can ping the default sub-interface gateway of 10.1.101.1 but they cannot ping each other. If I watch the syslog of the ASA, I see allowed entries when I ping the gateway, but nothing shows up (allow or deny) when I try to ping the other host from either host.

Below is the config for the switch. I'll post the config for the ASA in the next post.
Current configuration : 5679 bytes

!

! Last configuration change at 12:49:39 CST Sat May 2 2009

! NVRAM config last updated at 12:49:20 CST Sat May 2 2009

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname switch

!

boot-start-marker

boot-end-marker

!

enable secret 5 XXXXX

!

no aaa new-model

clock timezone CST -6

system mtu routing 1500

vtp mode transparent

ip subnet-zero

!

!

!

!

!

!

!

!

!

!

spanning-tree mode pvst

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

vlan 400

 name MGMT

!

vlan 401

 name CORP-MAIN-O

!

vlan 402

 name E-O

!

vlan 403

 name P1-O

!

vlan 404

 name P2-O

!

vlan 405

 name P3-O

!

vlan 406

 name P4-O

!

vlan 407

 name S5-O

!

vlan 408

 name L1-O

!

vlan 409

 name L2-O

!

vlan 410

 name S8-O

!

vlan 501

 name MAIN-B

!

vlan 502

 name E-B

!

vlan 503

 name P1-B

!

vlan 504

 name P2-B

!

vlan 505

 name P3-B

!

vlan 506

 name P4-B

!

vlan 507

 name S5-B

!

vlan 508

 name L1-B

!

vlan 509

 name L2-B

!

vlan 510

 name S8-B

!

!

!

interface GigabitEthernet0/1

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/2

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/3

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/4

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/5

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/6

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/7

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/8

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/9

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/10

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/11

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/12

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/13

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/14

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/15

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/16

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/17

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/18

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/19

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/20

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/21

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/22

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/23

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/24

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/25

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/26

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/27

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/28

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/29

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/30

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/31

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/32

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/33

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/34

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/35

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/36

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/37

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/38

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/39

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/40

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/41

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/42

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/43

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/44

 switchport access vlan 401

 switchport mode access

 switchport voice vlan untagged

!

interface GigabitEthernet0/45

 switchport access vlan 401

 switchport mode access

!

interface GigabitEthernet0/46

 description trunk uplink

 switchport access vlan 401

 switchport trunk allowed vlan 400-510

 switchport mode trunk

!

interface GigabitEthernet0/47

 description trunk downlink

 switchport access vlan 401

 switchport trunk allowed vlan 400-510

 switchport mode trunk

!

interface GigabitEthernet0/48

 description Management

 switchport access vlan 400

 switchport mode access

!

interface Vlan1

 no ip address

 no ip route-cache

!

interface Vlan400

 ip address 192.168.1.216 255.255.255.0

 no ip route-cache

!

interface Vlan401

 no ip address

 no ip route-cache

!

ip default-gateway 192.168.1.1

ip http server

ip http secure-server

!

control-plane

!

!

line con 0

line vty 0 4

 login

line vty 5 15

 login

!

end

Question by:Tercestisi

Author Comment

by:Tercestisi
Here is the config for the ASA.
ASA Version 8.0(4)

!

hostname asa

domain-name domain.local

enable password XXXXX encrypted

passwd XXXXX encrypted

names

dns-guard

!

interface Ethernet0/0

 speed 1000

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/0.100

 description MANAGEMENT

 vlan 400

 nameif MGT

 security-level 100

 ip address 10.1.200.1 255.255.255.0

!

interface Ethernet0/0.101

 description CORPORATE

 vlan 401

 nameif CORP

 security-level 100

 ip address 10.1.201.1 255.255.255.0

!

interface Ethernet0/0.102

 description OFFICE1

 vlan 402

 nameif EO

 security-level 100

 ip address 10.1.202.1 255.255.255.0

!

interface Ethernet0/0.103

 description POFFICE1

 vlan 403

 nameif P1O

 security-level 100

 ip address 10.1.203.1 255.255.255.0

!

interface Ethernet0/0.104

 description POFFICE2

 vlan 404

 nameif P2O

 security-level 100

 ip address 10.1.204.1 255.255.255.0

!

interface Ethernet0/0.105

 description POFFICE3

 vlan 405

 nameif P3O

 security-level 100

 ip address 10.1.205.1 255.255.255.0

!

interface Ethernet0/0.106

 description POFFICE4

 vlan 406

 nameif P4O

 security-level 100

 ip address 10.1.206.1 255.255.255.0

!

interface Ethernet0/0.107

 description S5OFFICE

 vlan 407

 nameif S5O

 security-level 100

 ip address 10.1.207.1 255.255.255.0

!

interface Ethernet0/0.108

 description LOFFICE1

 vlan 408

 nameif L1O

 security-level 100

 ip address 10.1.208.1 255.255.255.0

!

interface Ethernet0/0.109

 description LOFFICE2

 vlan 409

 nameif L2O

 security-level 100

 ip address 10.1.209.1 255.255.255.0

!

interface Ethernet0/0.110

 description S8OFFICE

 vlan 410

 nameif S8O

 security-level 100

 ip address 10.1.210.1 255.255.255.0

!

interface Ethernet0/0.111

 description BARN

 vlan 501

 nameif BARN

 security-level 100

 ip address 10.1.211.1 255.255.255.0

!

interface Ethernet0/0.112

 description BARN2

 vlan 502

 nameif BARN2

 security-level 100

 ip address 10.1.212.1 255.255.255.0

!

interface Ethernet0/0.113

 description PBARN1

 vlan 503

 nameif P1B

 security-level 100

 ip address 10.1.213.1 255.255.255.0

!

interface Ethernet0/0.114

 description PBARN2

 vlan 504

 nameif P2B

 security-level 100

 ip address 10.1.214.1 255.255.255.0

!

interface Ethernet0/0.115

 description PBARN3

 vlan 505

 nameif P3B

 security-level 100

 ip address 10.1.215.1 255.255.255.0

!

interface Ethernet0/0.116

 description PBARN4

 vlan 506

 nameif P4B

 security-level 100

 ip address 10.1.216.1 255.255.255.0

!

interface Ethernet0/0.117

 description SBARN5

 vlan 507

 nameif S5B

 security-level 100

 ip address 10.1.217.1 255.255.255.0

!

interface Ethernet0/0.118

 description LBARN1

 vlan 508

 nameif L1B

 security-level 100

 ip address 10.1.218.1 255.255.255.0

!

interface Ethernet0/0.119

 description LBARN2

 vlan 509

 nameif L2B

 security-level 100

 ip address 10.1.219.1 255.255.255.0

!

interface Ethernet0/0.120

 description SBARN8

 vlan 510

 nameif S8B

 security-level 100

 ip address 10.1.220.1 255.255.255.0

!

interface Ethernet0/1

 speed 1000

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 nameif MGMT

 security-level 100

 ip address 192.168.1.9 255.255.255.0

 management-only

!

ftp mode passive

dns server-group DefaultDNS

 domain-name domain.local

access-list inside_temp_in extended permit ip any any

access-list inside_temp_out extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu MGT 1500

mtu CORP 1500

mtu EO 1500

mtu P1O 1500

mtu P2O 1500

mtu P3O 1500

mtu P4O 1500

mtu S5O 1500

mtu L1O 1500

mtu L2O 1500

mtu S8O 1500

mtu BARN 1500

mtu EB 1500

mtu P1B 1500

mtu P2B 1500

mtu P3B 1500

mtu P4B 1500

mtu S5B 1500

mtu L1B 1500

mtu L2B 1500

mtu S8B 1500

mtu MGMT 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-615.bin

no asdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 MGMT

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

virtual telnet 192.168.1.9 MGMT

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 MGMT

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username admin password XXXXX encrypted

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:XXXXX

: end


0
 

Author Comment

by:Tercestisi
I can verify that I can access each host via each other via RDP... just cannot ping them.
0
 

Accepted Solution

by:
Tercestisi earned 0 total points
It seems it was only Windows Firewall blocking ICMP requests.
0
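
Why the ASA syslog stays silent for host-to-host pings in this topology, as an added example that is not part of the original thread: two hosts in the same VLAN and subnet are switched by the Catalyst, so the packets never reach the ASA and the hosts' own firewalls are the next place to look. The sketch parses sub-interface stanzas from a constructed excerpt modeled on the posted config (host addresses are constructed too) and also flags the ASA default that interfaces with equal security levels cannot exchange traffic unless `same-security-traffic permit inter-interface` is configured.

```python
import ipaddress
import re

# Constructed excerpt modeled on the posted ASA config (two sub-interfaces only).
SAMPLE_ASA_CONFIG = """\
interface Ethernet0/0.101
 vlan 401
 nameif CORP
 security-level 100
 ip address 10.1.201.1 255.255.255.0
!
interface Ethernet0/0.102
 vlan 402
 nameif EO
 security-level 100
 ip address 10.1.202.1 255.255.255.0
!
"""

def parse_subinterfaces(config):
    """Return nameif, security level and subnet for each addressed interface stanza."""
    found = []
    for stanza in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^\s*nameif (\S+)", stanza, re.M)
        level = re.search(r"^\s*security-level (\d+)", stanza, re.M)
        addr = re.search(r"^\s*ip address (\S+) (\S+)", stanza, re.M)
        if name and level and addr:
            net = ipaddress.ip_network(f"{addr.group(1)}/{addr.group(2)}", strict=False)
            found.append({"nameif": name.group(1), "level": int(level.group(1)), "net": net})
    return found

def classify_flow(config, src, dst):
    """Say where a packet from src to dst is forwarded and whether the ASA sees it."""
    ifaces = parse_subinterfaces(config)
    def owner(ip):
        return next((i for i in ifaces if ipaddress.ip_address(ip) in i["net"]), None)
    a, b = owner(src), owner(dst)
    if a is None or b is None:
        return "unknown subnet"
    if a is b:
        return "switched at layer 2: never reaches the ASA, so no syslog entry"
    # ASA default: equal security levels cannot talk unless this command is present.
    permit = re.search(r"^same-security-traffic permit inter-interface", config, re.M)
    if a["level"] == b["level"] and not permit:
        return "routed via ASA: dropped, equal security levels without permit inter-interface"
    return "routed via ASA: security levels and access rules apply"

if __name__ == "__main__":
    print(classify_flow(SAMPLE_ASA_CONFIG, "10.1.201.50", "10.1.201.51"))  # constructed hosts
    print(classify_flow(SAMPLE_ASA_CONFIG, "10.1.201.50", "10.1.202.50"))
```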
