Cannot ping ASA5510 interface from other VLAN

I am using router on a stick, so I have multiple VLANs, and inter-VLAN communication is working.
Main VLAN 1 is also connected to the ASA, and the ASA is connected to the remote office via VPN.
I have another VLAN-2; both VLANs are working and communicating with each other, but from VLAN-2 I cannot ping the ASA interface, as it belongs to VLAN-1. But all IPs I can ping from each VLAN.


Can you post configs for the ASA routing section and also ACLs for the inside interface?

It could be that the ASA does not know how to get to your VLAN2. This is done either by static routes in the ASA, or running a dynamic protocol between the ASA and the router. Static routes work just fine in your situation.

route inside vlan-2_subnet mask vlan1-address_on_router
nainasipraAuthor Commented:
Dear naderz,

My ASA doesn't know any VLAN; it's my router that deals with the VLANs, and the ASA inside interface belongs to VLAN-1. On the router there is a static route which forwards traffic to the ASA inside interface for any request for the remote office network.

nainasipraAuthor Commented:
Dear Naderz,

Let me explain more: I am using EzVPN, and VLANs in the head office. Only one VLAN (VLAN-1) is permitted to communicate with the branch office; now I want to add more VLANs to the VPN. My device configurations are attached.
I hope you can help me out regarding this.

thanks in advance!

Very good. Can you post with private IP addresses not completely X'd out? It is a little difficult to follow what is going on. The issue is with routing and allowing the desired subnets to travel in the VPN tunnel.

For one thing, it seems that your ASA does not have a route for this VLAN 2. I only see this route:

route inside 10.XXXXXXX 192.XXXXXXXX

What network is 10.XXXXXXX?
I see on your VPN pool, but why are you pointing that to inside?

If VLAN2 is accessible via the inside interface of the ASA and the subnet is, then you need this:

route inside 192.XXXXXXXX
nainasipraAuthor Commented:
Dear Naderz,

Please find attachments : config with private-ip.

thank you so much :)
Mohammed KhawajaManager - Infrastructure:  Information TechnologyCommented:
When using router on a stick, you can only ping the interface which you are local on.
nainasipraAuthor Commented:
Hi nader,

Please see the configuration attachments.

Sorry nainasipra, I have been away. Starting to review your configs. So, if I understand the issue correctly, everything is working except that you cannot ping HQ-Router's interface Gig0/1.1 from the NCH-Router network; correct?

HQ-Router Gig 0/1.1 has two IP addresses assigned ( and Is neither one pingable?

Also, you have ezvpn between branch site and the ASA; correct? What's the IP address for that link?
nainasipraAuthor Commented:
Welcome back naderz :)

Suppose I have an interface with network ; from this network I can ping any IP belonging to the network except the ASA inside interface IP.
Second, network wants to access the Branch network via VPN, as currently only network can access the Branch office via VPN.

Please suggest.

Thank you :)

I am reviewing your setup and will let you know. Is there a diagram of how things are connected? Even a hand drawn diagram would be good.
nainasipraAuthor Commented:
Dear naderz,

Please find the network diagram attached.

Thank you so much!
OK, the diagram helps quite a bit. You have the HQ-Router routing traffic from all the VLANs (router on a stick) as you had explained earlier.

If I understand your requirement correctly, you want the HQ-Router to route all traffic between all internal VLANs, route traffic to the Internet through the PPPoE connection, and route all traffic destined for the branch back inside through the SW and out through the ASA's VPN connection to the branch; correct?

It may have been easier if you had the ASA connecting to the router instead of the SW. This way you would not have traffic going back through the same interface to the inside to go out the ASA. But, you know the requirements for your network better than me.

You have stated that VLAN1 is working fine right now. I think that means VLAN1 at the HQ can access the branch through the ASA and the Internet through the router; correct?

And, I see VLAN-1 at the HQ as The inside interface of the router also has a secondary address of; I am not sure what that is.

I am assuming the network at the branch is Is that correct?

I am still trying to figure out how you are routing the traffic from the HQ-Router for the branch through the ASA.

Please comment on the above. I am further reviewing the configs.
nainasipraAuthor Commented:
Dear Naderz,

Thanks for your support.

The secondary interface I am actually using for my network printers, and inter-VLAN routing is working fine with the HQ-Router.

Secondly, the ASA and Branch Router are connected via EzVPN, and on the HQ-Router there is a static route: if a request is for, then forward to (inside interface).

Now I think the problem is that my ASA doesn't know the VLANs, etc.

Waiting for your helpful comments.

thankssssssssss :)
Here are some of my observations:

1. Please make sure that all inside VLANs are included in the no-nat ACL of the ASA.
2. On the ASA you need a static route for all the inside networks (this can be a summarized route) pointing to the HQ-Router's IP address (192.168.2.x).
nainasipraAuthor Commented:
Is it necessary for the ASA to know all VLANs?
I think my ASA doesn't know the VLANs; it knows only VLAN-1. Secondly, if it is necessary, then should I make my ASA--->Switch link a trunk and allow all VLANs? I even did that, but it is still not working.

How can my ASA know all VLANs, so that any PC connected to the ASA on any VLAN port can communicate with the other VLANs, as it works on the switch?
The gateways for all VLANs are router sub-interfaces.

It is not necessary for the ASA to trunk or know all vlans. It is necessary for ASA to know what to do with traffic destined for those VLANs. So, you need a static route for those VLANs in the ASA telling the ASA to send that traffic to the HQ-Router. The HQ-Router knows what to do with those VLANs.

The ASA command would be this:

route inside

The above is a general route for all 192.168.x.y. But, you can make it specific for only certain VLANs if you like with a subnet mask.

Also, you need to make sure that the internal traffic does not get NATed in the router or the ASA.

Another option is to connect the ASA to the router so that you have:

SW <-> HQ-Router  -  <-> Internet
                             L - <-> ASA <-> Branch

But, that's a different design.
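Consolidating the route, no-NAT and tunnel points above into one ASA fragment, as an added example that is not part of the thread or the author's attached configs. The HQ-Router address, the VLAN and branch subnets, the group-policy name and the pre-8.3 NAT syntax are all assumptions; the thread only gives 192.168.2.x for the HQ-Router.

```cisco
! Added example (not from the thread). Constructed assumptions:
!   HQ-Router VLAN-1 sub-interface = 192.168.2.1 (thread says only 192.168.2.x)
!   all inside VLANs fall inside 192.168.0.0/16 (e.g. VLAN-2 = 192.168.3.0/24)
!   branch LAN behind the EzVPN client = 10.10.10.0/24
!   pre-8.3 NAT syntax ("nat 0" exemption); group-policy named EZVPN_GP

! 1. Return route. Without it, replies to VLAN-2 hosts (including echo-replies
!    from the inside interface itself) follow the default route out "outside".
route inside 192.168.0.0 255.255.0.0 192.168.2.1 1
! Narrower alternative, one route per VLAN:
! route inside 192.168.3.0 255.255.255.0 192.168.2.1 1

! 2. The NAT exemption must cover every inside VLAN, not just VLAN-1.
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. Networks the EzVPN server pushes to the branch client as tunnelled;
!    new VLANs must be added here or the branch never sends them into the tunnel.
access-list SPLIT standard permit 192.168.0.0 255.255.0.0
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

! 4. ICMP to the interface itself is permitted by default. Once any "icmp"
!    rule exists on an interface, unmatched ICMP is denied, so keep the
!    summary wide enough to include every inside VLAN.
icmp permit 192.168.0.0 255.255.0.0 inside

! 5. Verify: route present, and a VLAN-2 host's ping to the branch is allowed.
show route
packet-tracer input inside icmp 192.168.3.10 8 0 10.10.10.5 detailed
```

The HQ-Router still needs its own static route for the branch subnet pointing at the ASA inside address, as the thread already describes.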

Feroz AhmedSenior Network Security  / Senior System EngineerCommented:

It is very important to note that the ASA is high security level and the VLAN is low security level. To ping the ASA, the configuration on the ASA should be from outside to inside with a low security level.

ASA(config)# interface e0
ASA(config-if)# ip address
ASA(config-if)# security-level 20
ASA(config-if)# no shut
ASA(config)# access-list 101 extended permit icmp any any echo-reply
ASA(config)# access-group 101 in interface outside

Still, if you are unable to ping, then check the policy map:

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp