Cannot ping ASA5510 interface from other VLAN

I am using router on a stick, so I am using multiple VLANs; inter-VLAN communication is working.
Main VLAN 1: 192.168.1.0/24 is connected to the ASA as well, and the ASA is connected to the remote office via VPN.
I have another VLAN-2; both VLANs are working and communicating with each other, but from VLAN-2 I cannot ping the ASA interface, as it belongs to VLAN-1. All other IPs I can ping from each VLAN.

thanks
nainasipraAsked:

naderzCommented:
Can you post configs for the ASA routing section and also ACLs for the inside interface?


It could be that the ASA does not know how to get to your VLAN2. This is done either by static routes in the ASA, or running a dynamic protocol between the ASA and the router. Static routes work just fine in your situation.

route inside vlan-2_subnet mask vlan1-address_on_router
0
nainasipraAuthor Commented:
dear naderz,

My ASA doesn't know any VLAN; it's my router that is dealing with VLANs, and the ASA inside interface belongs to VLAN-1. On the router there is a static route which will forward traffic to the ASA inside interface for any request for the remote office network.

thanks
0
nainasipraAuthor Commented:
Dear Naderz,

Let me explain more: I am using EzVPN and VLANs in the head office. Only one VLAN (vlan-1) is permitted to communicate with the branch office; now I want to add more VLANs to the VPN. My devices' configurations are attached.
I hope you can help me out regarding this.

thanks in advance!
HQ-ASA5510
HQ-ROUTER
BRANCH-ROUTER.txt
0
naderzCommented:
Very good. Can you post with private IP addresses not completely X'd out? It is a little difficult to follow what is going on. The issue is with routing and allowing the desired subnets to travel in the VPN tunnel.

For one thing, it seems that your ASA does not have a route to this Vlan 2. I only see this route:

route inside 10.XXXXXXX 255.255.255.255 192.XXXXXXXX

What network is 10.XXXXXXX?
I see it on your VPN pool, but why are you pointing that to inside?

If Vlan2 is accessible via the inside interface of the ASA and the subnet is 192.168.2.0, then you need this:

route inside 192.168.2.0 255.255.255.0 192.XXXXXXXX
0
nainasipraAuthor Commented:
Dear Naderz,

Please find attachments : config with private-ip.


thank you so much :)
HQ-ASA
BRANCH-ROUTER.txt
HQ-Router
0
Mohammed KhawajaManager - Infrastructure:  Information TechnologyCommented:
When using router on a stick, you can only ping the interface which you are local on.
0
nainasipraAuthor Commented:
hi nader,

please see the configuration attachments.....

thanks
0
naderzCommented:
Sorry, nainasipra, I have been away. Starting to review your configs. So, if I understand the issue correctly, everything is working except that you cannot ping HQ-Router's interface Gig0/1.1 from the NCH-Router 192.168.1.0 network; correct?

HQ-Router Gig 0/1.1 has two IP addresses assigned (192.168.50.1 and 192.168.2.1). Is neither one pingable?

Also, you have ezvpn between branch site and the ASA; correct? What's the IP address for that link?
0
nainasipraAuthor Commented:
welcome back naderz :)

Suppose I have an interface with network 192.168.100.0/24. From this network I can ping any IP belonging to network 192.168.2.0/24 except IP 192.168.2.246 (ASA inside interface).
Second, network 192.168.100.0/24 wants to access the branch network via VPN, as currently only the 192.168.1.0/24 network can access the branch office via VPN.

please suggest.

thanks
0
naderzCommented:
thank you :)

I am reviewing your setup and will let you know. Is there a diagram of how things are connected? Even a hand drawn diagram would be good.
0
nainasipraAuthor Commented:
dear naderz,

please find network diagram attached:

thank you so much!
network-diag.docx
0
naderzCommented:
OK, the diagram helps quite a bit. You have the HQ-Router routing traffic from all the VLANs (router on a stick) as you had explained earlier.

If I understand your requirement correctly, you want the HQ-Router to route all traffic between all internal VLANs, route traffic to the Internet through the PPPoE connection, and route all traffic destined for the branch back inside through the SW and out through the ASA's VPN connection to the branch; correct?

It may have been easier if you had the ASA connecting to the router instead of the SW. This way you would not have traffic going back out the same interface to the inside to go out the ASA. But, you know the requirements for your network better than me.

You have stated that VLAN1 is working fine right now. I think that means VLAN1 at the HQ can access the branch through the ASA and the Internet through the router; correct?

And, I see VLAN-1 at the HQ as 192.168.2.0/24. The inside interface of the router also has a secondary address of 192.168.50.0/24; I am not sure what that is.

I am assuming the network at the branch is 192.168.1.0/24. Is that correct?

I am still trying to figure out how you are routing the traffic from the HQ-Router for the branch through the ASA.

Please comment on the above.  I am further reviewing the configs.
0
nainasipraAuthor Commented:
Dear Naderz,

thanks for your support.

The secondary interface I am actually using for my network printers, and inter-VLAN routing is working fine with HQ-Router.

Secondly, the ASA and Branch Router are connected via EzVPN, and on HQ-Router there is a static route: if a request is for 192.168.1.0/24, then forward it to 192.168.2.246 (ASA inside interface).

Now I think the problem is that my ASA doesn't know the VLANs, etc.

waiting for your helpful comments.

thankssssssssss :)
0
naderzCommented:
Here are some of my observations:

1. Please make sure that all inside VLANs are included in the no-nat ACL of the ASA.
2. On the ASA you need a static route for all the inside networks (this can be a summarized route) pointing to the HQ-Router's IP address (192.168.2.x).
0
nainasipraAuthor Commented:
Is it necessary for the ASA to know all VLANs?
I think my ASA doesn't know the VLANs; it knows only vlan-1. Secondly, if it is necessary, then should I make my ASA--->Switch link a trunk and allow all VLANs? I even did that, but it is still not working.

How can my ASA know all VLANs, so that any PC connected to any VLAN port on the ASA can communicate with the other VLANs, as it works on the switch?
The gateways for all VLANs are the router sub-interfaces.

thanks
0
naderzCommented:
It is not necessary for the ASA to trunk or know all vlans. It is necessary for ASA to know what to do with traffic destined for those VLANs. So, you need a static route for those VLANs in the ASA telling the ASA to send that traffic to the HQ-Router. The HQ-Router knows what to do with those VLANs.

The ASA command would be this:

route inside 192.168.0.0 255.255.0.0 192.168.2.1

The above is a general route for all 192.168.x.y. But, you can make it specific for only certain VLANs if you like with a 255.255.255.0 subnet mask.

Also, you need to make sure that the internal traffic does not get NATed in the router or the ASA.

Another option is to connect the ASA to the router so that you have:

SW <-> HQ-Router  -  <-> Internet
                             L - <-> ASA <-> Branch

But, that's a different design.
0
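To check naderz's two points above (the ASA needs a route back to every inside VLAN, and a summary route is fine if it does not swallow the branch), here is an added example that is not from the thread or the attached configs: a longest-prefix-match simulation of the HQ-ASA routing table. It assumes the branch subnet 192.168.1.0/24 is reached through the VPN on the outside interface via the default route, and uses a constructed ISP next hop.

```python
import ipaddress

# Constructed ASA routing table entries: (interface, prefix, next hop).
# Connected routes carry next hop None. The real configs are attachments
# not reproduced on this page, so these are assumptions from the thread.
BASE_ROUTES = [
    ("inside",  "192.168.2.0/24", None),            # connected; ASA inside is 192.168.2.246
    ("outside", "0.0.0.0/0",      "203.0.113.1"),   # default route to the ISP (constructed)
]
# The summary route naderz proposed, sending all 192.168.x.y back to HQ-Router.
SUMMARY_ROUTE = ("inside", "192.168.0.0/16", "192.168.2.1")
# A more specific route keeping the branch subnet on the outside/VPN side.
BRANCH_ROUTE = ("outside", "192.168.1.0/24", "203.0.113.1")


def lookup(routes, dst):
    """Return (interface, network, next hop) for the longest matching prefix."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, nexthop)
    return best


def reply_leaves_same_interface(routes, ingress, src):
    """A ping to the ASA itself is answered only if the route back to the
    source points out the interface the echo request arrived on."""
    match = lookup(routes, src)
    return match is not None and match[0] == ingress


def check(routes):
    """Two questions from the thread: can a VLAN-100 host ping the inside
    interface, and does the branch subnet still leave via the VPN side?"""
    return {
        "vlan100_ping_reply_ok": reply_leaves_same_interface(routes, "inside", "192.168.100.10"),
        "branch_still_via_outside": lookup(routes, "192.168.1.10")[0] == "outside",
    }


if __name__ == "__main__":
    print("no VLAN route:      ", check(BASE_ROUTES))
    print("/16 summary only:   ", check(BASE_ROUTES + [SUMMARY_ROUTE]))
    print("/16 + branch route: ", check(BASE_ROUTES + [SUMMARY_ROUTE, BRANCH_ROUTE]))
```

With only the connected and default routes the reply to 192.168.100.10 would follow the default route out the outside interface, which is why the echo goes unanswered; the /16 summary fixes that but also captures 192.168.1.0/24, so a more specific branch route (or per-VLAN /24 routes, as naderz suggests) is needed to keep the VPN working.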

Feroz AhmedSenior Network EngineerCommented:
Hi,

It is very important to note that the ASA is a high security level and the VLAN is a low security level. To ping the ASA, the configuration on the ASA should be from outside to inside with a low security level.

ASA(config)# interface Ethernet0/0
ASA(config-if)# nameif outside
ASA(config-if)# ip address 0.0.0.0 0.0.0.0
ASA(config-if)# security-level 20
ASA(config-if)# no shutdown
ASA(config)# access-list 101 extended permit icmp any any echo-reply
ASA(config)# access-group 101 in interface outside

If you are still unable to ping, then check the policy map:

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
0