Can't Connect to Cisco ASA 5505 on separate Vlan

I'm configuring a new Cisco 3650 switch with 2 vlans to replace our production 3560 switch with a near identical configuration.  We use a 5510 for production but for the new 3650 switch I'm using a 5505 for testing until the new 5516x arrives.  The problem is that I can't ping or connect to the 5505 on vlan2 from a computer on vlan1.

vlan1 10.74.1.x - interface vlan1 ip address 10.74.1.1 255.255.255.0
vlan2 10.168.1.x - interface vlan2 ip address 10.168.1.254 255.255.255.0

3650 Switch - 10.74.1.1
5505 inside interface 10.168.1.1

I assumed that I had a problem with the new 3650 switch configuration but I'm now thinking that there may be a limitation to the 5505.  I configured a PC on vlan2 which I can ping and connect from vlan1 and vice versa.  The PC on vlan2 can ping and connect to the 5505.

I'm using ASDM to connect to the 5505.

I did include management access on the 5505 from 10.74.1.0 and 10.168.1.0.  I can connect to and ping the 5505 from a PC on vlan2.

Thank you.

Neal
nlwtechAsked:

tankergoblinCommented:
Did you do routing between them?
0
nlwtechAuthor Commented:
Yes, I have routing between them on the 3650 switch.
0
tankergoblinCommented:
How about in your 5505?
0
nlwtechAuthor Commented:
Not sure how to check that other than the routing that is set up between the outside and inside interfaces.
0
nlwtechAuthor Commented:
I did change the ASA IP address to vlan 1, moved it to a vlan 1 port on the 3650 switch and I am able to ping & connect via ASDM. So it still is an issue accessing the 5505 across vlans.
0
tankergoblinCommented:
You can connect because your ASA IP is now in the same subnet as vlan1; that's why you can ping. The reason you cannot connect across VLANs is because you want two different subnets to communicate with each other. You need to route them.
0
nlwtechAuthor Commented:
If I have a PC on vlan1 and a PC on vlan2 and they can ping each other as well as RDP, does that show that the routing is working properly?
0
tankergoblinCommented:
Yes, since you can ping across VLANs. Then what is the issue?
0
nlwtechAuthor Commented:
The issue is that I can't ping or connect to the 5505 ASA when it is on vlan2 (10.168.1.1) from a PC on vlan1 (10.74.1.x).  That is why I was wondering if it is an issue with the 5505 or is there something on the switch that is not configured correctly.  Sorry for any confusion.
0
tankergoblinCommented:
OK, so I assume you connect your vlan2 on the management port and vlan1 on the inside port.
0
nlwtechAuthor Commented:
I use the inside port to manage the 5505.  I don't have a port configured just for management.

I can connect via a console cable.
0
tankergoblinCommented:
Did you permit ICMP to allow ping echo replies?
Something like this: access-list name permit icmp any
0
nlwtechAuthor Commented:
I did not set that up on the 5505....didn't think it was needed since I was able to ping it from a PC on the same subnet.
0
tankergoblinCommented:
By default, pinging the ASA interface from a different subnet is disabled for security reasons. You need to enable that in your access control list.
0

nlwtechAuthor Commented:
Thanks!  Now it makes sense that you can't connect from a different subnet.

I can now ping and connect via ASDM.

Here are the commands I added (as best as I can remember):

======================================================
obj_10.74.1.0 10.74.1.0 255.255.255.0
object network obj_10.74.1.0
   subnet 10.74.1.0 255.255.255.0

object network Inside_Network

access-list Internal_traffic extended permit ip 10.74.1.0 255.255.255.0 any
access-list Internal_traffic extended permit ip any 10.74.1.0 255.255.255.0

object network Inside_Network
   nat (any,outside) dynamic interface

route inside 10.74.1.0 255.255.255.0 10.168.1.254 1
================================================

Thanks again for your help.

Neal
0
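
Added example (not part of the original thread): a Python check that reads ASA configuration text and flags any http/ssh management source network whose return route does not leave through the interface it is permitted on, which is the condition the "route inside 10.74.1.0 255.255.255.0 10.168.1.254 1" line in the post above corrects. The sample configuration, including the ASA-internal interface names, the 192.0.2.x outside addressing and the default route, is constructed for illustration.

```python
import ipaddress

def parse_asa(config):
    """Return (routes, mgmt) parsed from ASA running-config text."""
    routes, mgmt, nameif = [], [], None
    for line in config.splitlines():
        w = line.split()
        try:
            if w[:1] == ["interface"]:
                nameif = None
            elif w[:1] == ["nameif"] and len(w) == 2:
                nameif = w[1]
            elif w[:2] == ["ip", "address"] and nameif and len(w) >= 4:
                routes.append((ipaddress.ip_interface(f"{w[2]}/{w[3]}").network, nameif))
            elif w[:1] == ["route"] and len(w) >= 5:
                routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[1]))
            elif w[:1] in (["http"], ["ssh"]) and len(w) == 4:
                # Management permit: <service> <network> <mask> <interface>
                mgmt.append((ipaddress.ip_network(f"{w[1]}/{w[2]}"), w[3], w[0]))
        except ValueError:
            continue  # not an address-bearing form of the command
    return routes, mgmt

def egress_for(net, routes):
    """Longest-prefix match: interface used to reach net, or None."""
    covering = [(r, ifc) for r, ifc in routes if net.subnet_of(r)]
    return max(covering, key=lambda c: c[0].prefixlen)[1] if covering else None

def audit(config):
    """List (service, source_net, permitted_if, reply_if) mismatches."""
    routes, mgmt = parse_asa(config)
    return [(svc, str(net), ifc, egress_for(net, routes))
            for net, ifc, svc in mgmt if egress_for(net, routes) != ifc]

# Constructed sample; outside addressing and default route are assumptions.
BEFORE = """\
interface Vlan1
 nameif inside
 ip address 10.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.0.2.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
http 10.168.1.0 255.255.255.0 inside
http 10.74.1.0 255.255.255.0 inside
"""
AFTER = BEFORE + "route inside 10.74.1.0 255.255.255.0 10.168.1.254 1\n"
if __name__ == "__main__":
    print("before:", audit(BEFORE), "after:", audit(AFTER))
```

A finding means the management permit exists but replies to that source would follow a route out of a different interface, so the client on the remote VLAN never sees an answer.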
nlwtechAuthor Commented:
My comment included the specific CLI commands.
0