nainasipra
Cannot ping ASA5510 interface from other VLAN

I am using router on a stick, so I am using multiple VLANs; inter-VLAN communication is working.
Main VLAN 1: 192.168.1.0/24 is also connected to the ASA, and the ASA is connected to the remote office via VPN.
I have another VLAN-2; both VLANs are working and communicating with each other, but from VLAN-2 I cannot ping the ASA interface, as it belongs to VLAN-1. But I can ping all other IPs from each VLAN.

thanks
naderz

Can you post configs for the ASA routing section and also ACLs for the inside interface?


It could be that the ASA does not know how to get to your VLAN2. This is done either by static routes in the ASA, or running a dynamic protocol between the ASA and the router. Static routes work just fine in your situation.

route inside vlan-2_subnet mask vlan1-address_on_router
nainasipra

dear naderz,

My ASA doesn't know any VLAN; it's my router that is dealing with VLANs, and the ASA inside interface belongs to VLAN-1. On the router there is a static route which forwards traffic to the ASA inside interface for any request for the remote office network.

thanks
Dear Naderz,

Let me explain more: I am using EzVPN and VLANs in the head office. Only one VLAN (VLAN-1) is permitted to communicate with the branch office; now I want to add more VLANs to the VPN. My devices' configurations are attached.
I hope you can help me out regarding this.

thanks in advance!
HQ-ASA5510
HQ-ROUTER
BRANCH-ROUTER.txt
Very good. Can you post with private IP addresses not completely X'd out? It is a little difficult to follow what is going on. The issue is with routing and allowing the desired subnets to travel in the VPN tunnel.

For one thing, it seems that your ASA does not have a route to this VLAN 2. I only see this route:

route inside 10.XXXXXXX 255.255.255.255 192.XXXXXXXX

What network is 10.XXXXXXX?
I see it on your VPN pool, but why are you pointing that to inside?

If VLAN2 is accessible via the inside interface of the ASA and the subnet is 192.168.2.0, then you need this:

route inside 192.168.2.0 255.255.255.0 192.XXXXXXXX
Dear Naderz,

Please find attachments: config with private IPs.


thank you so much :)
HQ-ASA
BRANCH-ROUTER.txt
HQ-Router
When using router on a stick, you can only ping the interface which you are local on.
hi nader,

Please see the configuration attachments.

thanks
Sorry nainasipra, I have been away. Starting to review your configs. So, if I understand the issue correctly, everything is working except that you cannot ping HQ-Router's interface Gig0/1.1 from the NCH-Router 192.168.1.0 network; correct?

HQ-Router Gig 0/1.1 has two IP addresses assigned (192.168.50.1 and 192.168.2.1). Is neither one pingable?

Also, you have ezvpn between branch site and the ASA; correct? What's the IP address for that link?
welcome back naderz :)

Suppose I have an interface with network 192.168.100.0/24. From this network I can ping any IP belonging to network 192.168.2.0/24 except IP 192.168.2.246 (the ASA inside interface).
Second, network 192.168.100.0/24 wants to access the branch network via VPN, as currently only the 192.168.1.0/24 network can access the branch office via VPN.

please suggest.

thanks
thank you :)

I am reviewing your setup and will let you know. Is there a diagram of how things are connected? Even a hand drawn diagram would be good.
dear naderz,

please find network diagram attached:

thank you so much!
network-diag.docx
OK, the diagram helps quite a bit. You have the HQ-Router routing traffic from all the VLANs (router on a stick) as you had explained earlier.

If I understand your requirement correctly, you want the HQ-Router to route all traffic between all internal VLANs, route traffic to the Internet through the PPPoE connection, and route all traffic destined for the branch back inside through the SW and out through the ASA's VPN connection to the branch; correct?

It may have been easier if you had the ASA connecting to the router instead of the SW. This way you would not have traffic going back out the same interface to the inside to go out the ASA. But, you know the requirements for your network better than me.

You have stated that VLAN1 is working fine right now. I think that means VLAN1 at the HQ can access the branch through the ASA and the Internet through the router; correct?

And, I see VLAN-1 at the HQ as 192.168.2.0/24. The inside interface of the router also has a secondary address of 192.168.50.0/24; I am not sure what that is.

I am assuming the network at the branch is 192.168.1.0/24. Is that correct?

I am still trying to figure out how you are routing the traffic from the HQ-Router for the branch through the ASA.

Please comment on the above.  I am further reviewing the configs.
Dear Naderz,

thanks for your support.

The secondary interface I am actually using for my network printers, and inter-VLAN communication is working fine with the HQ-Router.

Secondly, the ASA and Branch Router are connected via EzVPN, and on the HQ-Router there is a static route: if a request is for 192.168.1.0/24, then forward it to 192.168.2.246 (ASA inside interface).

Now I think the problem is that my ASA doesn't know the VLANs, etc.

waiting for your helpful comments.

thanks :)
Here are some of my observations:

1. Please make sure that all inside VLANs are included in the no-nat ACL of the ASA.
2. On the ASA you need a static route for all the inside networks (this can be a summarized route) pointing to the HQ-Router's IP address (192.168.2.x).
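As an added illustration of those two observations (this is not code from the thread or from its attached configs), the following Python audits an ASA config excerpt and reports which inside VLAN subnets lack a route pointing at the HQ-Router (a summarized route counts) and which are not covered by the no-NAT ACL towards the branch network. The config text is constructed; it assumes pre-8.3 `nat (inside) 0 access-list` syntax, an ACL named `nonat`, and the subnets named in the thread (192.168.2.0/24, 192.168.50.0/24, 192.168.100.0/24 inside; 192.168.1.0/24 at the branch; HQ-Router at 192.168.2.1).

```python
"""Audit an ASA config excerpt for the two points above: every inside VLAN
needs (a) a route on the ASA pointing at the HQ-Router, which may be a
summarized route, and (b) coverage in the no-NAT (NAT exemption) ACL
towards the branch network."""
import ipaddress
import re

# Constructed sample config (not from the thread's attachments).  It uses
# pre-8.3 "nat (inside) 0 access-list" syntax, an assumption about the ASA
# version.  192.168.50.0/24 (the printer secondary) deliberately has neither
# a route nor a no-NAT entry so the audit has something to flag.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.246 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
route inside 192.168.100.0 255.255.255.0 192.168.2.1 1
"""

INSIDE_VLANS = ["192.168.2.0/24", "192.168.50.0/24", "192.168.100.0/24"]
BRANCH_NET = "192.168.1.0/24"
HQ_ROUTER = "192.168.2.1"   # HQ-Router's VLAN-1 address, as given in the thread


def parse_asa(text):
    """Pull connected networks, 'route inside' entries, the ACL bound by
    'nat (inside) 0' and all 'permit ip' ACL lines out of a config excerpt."""
    connected, routes, acl_lines, nonat_acl = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:  # interface address -> directly connected network
            connected.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
            continue
        m = re.match(r"route inside (\S+) (\S+) (\S+)", line)
        if m:  # (destination network, next hop)
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                           ipaddress.ip_address(m[3])))
            continue
        m = re.match(r"nat \(inside\) 0 access-list (\S+)", line)
        if m:
            nonat_acl = m[1]
            continue
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:  # (acl name, source network, destination network)
            acl_lines.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"),
                              ipaddress.ip_network(f"{m[4]}/{m[5]}")))
    return connected, routes, acl_lines, nonat_acl


def audit_asa(text, inside_vlans, branch_net, hq_router):
    """Return the VLAN subnets with no usable route and those not exempted
    from NAT towards the branch."""
    connected, routes, acl_lines, nonat_acl = parse_asa(text)
    branch = ipaddress.ip_network(branch_net)
    hq = ipaddress.ip_address(hq_router)
    missing_route, missing_nonat = [], []
    for vlan_str in inside_vlans:
        vlan = ipaddress.ip_network(vlan_str)
        # A directly connected subnet needs no route; otherwise any route that
        # contains the VLAN (exact or summary) and points at the HQ-Router counts.
        has_route = any(vlan.subnet_of(c) for c in connected) or any(
            vlan.subnet_of(net) and nh == hq for net, nh in routes)
        if not has_route:
            missing_route.append(vlan_str)
        # Exemption only counts if it is in the ACL actually bound by nat (inside) 0.
        exempt = any(name == nonat_acl and vlan.subnet_of(src) and branch.subnet_of(dst)
                     for name, src, dst in acl_lines)
        if not exempt:
            missing_nonat.append(vlan_str)
    return {"missing_route": missing_route, "missing_nonat": missing_nonat}


if __name__ == "__main__":
    for key, subnets in audit_asa(SAMPLE_CONFIG, INSIDE_VLANS, BRANCH_NET, HQ_ROUTER).items():
        print(key, subnets or "none")
```

Running it against the sample flags 192.168.50.0/24 on both counts; appending a summarized `route inside 192.168.0.0 255.255.0.0 192.168.2.1` clears the route finding without touching the no-NAT one, which is the point of observation 2's "this can be a summarized route".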
Is it necessary for the ASA to know all VLANs?
I think my ASA doesn't know the VLANs; it knows only VLAN-1. Secondly, if it is necessary, then should I make my ASA--->Switch link a trunk and allow all VLANs? I even did that, but it is still not working.

How can my ASA know all VLANs, so that any PC connected to the ASA on any VLAN port can communicate with other VLANs, as it works in the switch?
The gateways for all VLANs are the router sub-interfaces.

thanks
ASKER CERTIFIED SOLUTION
naderz
Hi,

It is very important to note that the ASA is a high security level and the VLAN is a low security level. To ping the ASA, the configuration on the ASA should be from outside to inside with a low security level.

ASA(config)# interface Ethernet0/0
ASA(config-if)# nameif outside
ASA(config-if)# ip address 0.0.0.0 0.0.0.0
ASA(config-if)# security-level 20
ASA(config-if)# no shutdown
ASA(config)# access-list 101 extended permit icmp any any echo-reply
ASA(config)# access-group 101 in interface outside

If you are still unable to ping, then check the policy map:

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp