Extreme switch unable to ping Cisco ASA

Jmsdunn85
Here is my setup:

Extreme X450a-48t switch -----> Cisco ASA

I have created a VLAN on the switch (1 port) with address 10.251.251.2 /30. The ASA inside interface has an address of 10.251.251.1 /30. For various reasons, the ASA cannot be configured as the default route on the switch, so I have a static route on the switch as 10.251.251.0/30 GATEWAY: 10.251.251.1.

Rip and ipforwarding are enabled on the VLAN.

I cannot ping the switch from the firewall and cannot ping the inside interface of the firewall from the switch, and I am tearing my hair out as to why.

Also, when I connect to ASDM it shows the inside interface as being connected. And, quite strangely, I get these error messages coming up in the event viewer:

Failed to locate egress interface for UDP from inside:x.x.x.x/1028 to y.y.y.y/53. The inside address is from servers on the servers VLAN!

Please can somebody help. Am I just being thick?

Config for ASA below:

ASA Version 8.0(2)
!
hostname ciscoasa
enable password umg.ZnnYJgki8FK/ encrypted
names
!
interface Ethernet0/0
 nameif inside_core2
 security-level 100
 ip address 10.251.251.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside_telstra
 security-level 0
 ip address 10.254.254.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit tcp any any eq www
pager lines 24
logging enable
logging asdm informational
mtu inside_core2 1500
mtu outside_telstra 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE-IN in interface outside_telstra
access-group OUTSIDE-IN out interface outside_telstra
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.2.150.0 255.255.255.0 inside_core2
http 10.251.251.0 255.255.255.0 inside_core2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.2.150.0 255.255.255.0 inside_core2
telnet 10.251.251.0 255.255.255.0 inside_core2
telnet timeout 5
ssh 10.2.150.0 255.255.255.0 inside_core2
ssh 10.2.0.0 255.255.0.0 inside_core2
ssh 10.251.251.0 255.255.255.0 inside_core2
ssh timeout 5
console timeout 0
management-access inside_core2
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global


Istvan Kalmar (Head of IT Security Division)

Commented:
Please provide me the following:

sh rip database

or

route outside 0.0.0.0 0.0.0.0 10.251.251.1 1

Author

Commented:

RIP on switch:

10.1.0.0/16        0.0.0.0         1   SERVERS   0    0.0.0.0
10.2.0.0/16        0.0.0.0         1   DATA      0    0.0.0.0
10.10.0.0/16       0.0.0.0         1   VOICE     0    0.0.0.0
10.11.0.0/16       10.2.150.252    2   DATA      12   0.0.0.0
172.16.0.0/16      10.1.100.252    2   SERVERS   12   0.0.0.0
10.250.250.0/30    0.0.0.0         1   SDSL      0    0.0.0.0
10.251.251.0/30    0.0.0.0         1   ASA       0    0.0.0.0
172.190.25.0/24    10.250.250.1    4   SDSL      36   0.0.0.0
10.254.254.0/30    10.1.100.252    2   SERVERS   12   0.0.0.0

Do you want the RIP database from the firewall? It's not configured for RIP...

Commented:
hi

You say you are running 10.251.251.2/30 which only has the 2 hosts in it - but on the ASA you have a /24 configured.
>>ip address 10.251.251.1 255.255.255.0


You will need to change that subnet mask

Author

Commented:
Yeah, I realised that a few moments ago. Both are now /24. Still no go :(
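The mask mismatch pointed out above (switch 10.251.251.2/30, ASA 10.251.251.1/24) is worth checking precisely, because a mismatch only breaks adjacency when one end falls outside the other end's subnet. The following is an added example, not code from the original post: it takes each address as an 'ip/prefix' string and reports whether each side treats the other as directly connected (i.e. would ARP for it rather than forward to a gateway). The third case, 10.251.251.100/24, is a constructed address used only to show a mismatch that does break the link.

```python
"""On-link check for the two ends of a switch-to-ASA point-to-point link.

Added example; not code from the original post. Addresses are the ones
quoted in the thread plus one constructed case (10.251.251.100/24).
"""
from ipaddress import IPv4Interface


def sees_on_link(local: str, peer: str) -> bool:
    """True if `local` treats the peer's address as directly connected.

    A host only ARPs for addresses inside its own configured subnet;
    anything else is sent to a gateway, which is fatal on a link where
    the peer *is* the gateway.
    """
    return IPv4Interface(peer).ip in IPv4Interface(local).network


def diagnose(a: str, b: str) -> dict:
    """Summarise layer-3 adjacency between two 'ip/prefix' strings."""
    return {
        "a_sees_b_on_link": sees_on_link(a, b),
        "b_sees_a_on_link": sees_on_link(b, a),
        "masks_match": IPv4Interface(a).network == IPv4Interface(b).network,
    }


if __name__ == "__main__":
    switch = "10.251.251.2/30"           # from the thread
    for asa in ("10.251.251.1/24",       # ASA as posted
                "10.251.251.1/30",       # masks aligned
                "10.251.251.100/24"):    # constructed: outside the /30
        print(f"switch {switch} <-> ASA {asa}: {diagnose(switch, asa)}")
```

With .1/24 and .2/30 both sides still consider each other on-link, which is consistent with the author's report that aligning the masks did not restore ping; the mismatch is still worth fixing, since any other address in the ASA's /24 would be routed by the switch instead of ARPed for.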

Commented:
Is the switch port tagged with a vlan or not?  If you have a vlan interface configured (I'm not familiar with these switches) then the ASA will need to be connected to a port that is in this vlan.
You are not blocking ICMP on the ASA.

Istvan Kalmar (Head of IT Security Division)

Commented:
Could you show me the firewall RIP database?
Have you tried the default route on the firewall?
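The "Failed to locate egress interface" message in the original post is the ASA reporting that no route matches the packet's destination, and the posted config contains no `route` statements at all, so the ASA only knows its three connected subnets. The following is an added example, not code from the original post or from Cisco: a longest-prefix-match lookup over those connected routes, then over the same table with two assumed additions, a default route via outside_telstra with next hop 10.254.254.1 and a route back to the 10.1.0.0/16 server VLAN seen in the switch's RIP table via 10.251.251.2. Both added routes and the destination addresses in the demo are assumptions chosen for illustration.

```python
"""Egress-interface lookup for the posted ASA config.

Added example; not code from the original post or from Cisco. Connected
routes are taken from the three interfaces in the config shown above.
The default route, its next hop 10.254.254.1 and the route to 10.1.0.0/16
are assumptions used to show what the posted config lacks.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


def build_table(routes) -> List[Tuple[IPv4Network, str]]:
    """routes: iterable of (prefix, interface). Returned list is ordered
    longest prefix first, so a linear scan yields longest-prefix match."""
    table = [(IPv4Network(prefix), ifc) for prefix, ifc in routes]
    table.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return table


def egress_interface(table, dst: str) -> Optional[str]:
    """Interface the ASA would send `dst` out of, or None when nothing
    matches (the condition behind 'Failed to locate egress interface')."""
    d = IPv4Address(dst)
    for net, ifc in table:
        if d in net:
            return ifc
    return None


# Routes implied by the posted config: connected subnets only.
CONNECTED = [
    ("10.251.251.0/24", "inside_core2"),
    ("10.254.254.0/24", "outside_telstra"),
    ("192.168.1.0/24", "management"),
]

# Assumed additions (NOT in the posted config), equivalent to:
#   route outside_telstra 0.0.0.0 0.0.0.0 10.254.254.1
#   route inside_core2 10.1.0.0 255.255.0.0 10.251.251.2
ASSUMED = [
    ("0.0.0.0/0", "outside_telstra"),
    ("10.1.0.0/16", "inside_core2"),
]


def check(dst: str) -> Tuple[Optional[str], Optional[str]]:
    """(egress with posted config, egress with the assumed routes added)."""
    return (egress_interface(build_table(CONNECTED), dst),
            egress_interface(build_table(CONNECTED + ASSUMED), dst))


if __name__ == "__main__":
    # Constructed destinations: the switch, a server-VLAN host, a DNS server.
    for dst in ("10.251.251.2", "10.1.10.20", "198.51.100.53"):
        before, after = check(dst)
        print(f"{dst:16} posted config: {before}  with routes added: {after}")
```

Note the second case: without a route back towards the server VLANs the ASA cannot deliver replies to the servers either, even after a default route is in place, so the static (or RIP-learned) routes for the VLANs behind the switch matter as much as the default route.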

Author

Commented:
OK, so RIP on the firewall:

sh rip database

10.0.0.0 255.0.0.0
10.251.251.0 255.255.255.0 directly connected E0/0

The link is definitely up as I can see it in the ASDM interface view and it has 25kps traffic.

Author

Commented:
In response to nodisco, the inside interface is set to security-level 100 so ICMP is not blocked by default - correct?

Author

Commented:
OK, so after running a few more tests:

I can ping the inside interface of the ASA if I plug in a laptop that has the address 10.251.251.2, and vice versa. This probably means that it is something to do with how the switch is configured?

Commented:
Sounds like the switch. Check the switch for 802.1q tagging on the interface connected to the firewall, and remove it from the switch if possible, as suggested previously. If you can't remove it from the switch then you need to change the firewall interface config to use 802.1q and match the switch VLAN with what you configure on the firewall. If it were a Cisco switch, you would execute the command "no switchport", or remove the native VLAN from the switch port config, but not sure with the Extreme switch.
