Can't Connect to Cisco ASA 5505 on separate Vlan

I'm configuring a new Cisco 3650 switch with 2 vlans to replace our production 3560 switch with a near identical configuration.  We use a 5510 for production but for the new 3650 switch I'm using a 5505 for testing until the new 5516x arrives.  The problem is that I can't ping or connect to the 5505 on vlan2 from a computer on vlan1.

vlan1 10.74.1.x - interface vlan1 ip address
vlan2 10.168.1.x - interface vlan2 ip address

3650 Switch -
5505 inside interface

I assumed that I had a problem with the new 3650 switch configuration but I'm now thinking that there may be a limitation to the 5505.  I configured a PC on vlan2 which I can ping and connect from vlan1 and vice versa.  The PC on vlan2 can ping and connect to the 5505.

I'm using ADSM to connect to the 5505.

I did include management access on the 5505 from and  I can connect to and ping the 5505 from a PC on vlan2.

Thank you.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Did you do routing between them?
nlwtechAuthor Commented:
Yes, I have routing between them on the 3650 switch.
how about in your 5505
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

nlwtechAuthor Commented:
Not sure how to check that other than the routing that is setup between the outside and inside interfaces.
nlwtechAuthor Commented:
I did change the ASA ip address to vlan 1, moved it to a vlan 1 port on the 3650 switch and I am able to ping & connect via ADSM.   So it still is an issue accessing the 5505 across vlans.
you can connect because your asa ip is now in the same subnet with vlan1 that why you can ping. the reason you cannot connect accross vlan is because you want two different subnet to communicate with each other. you need to route them.
nlwtechAuthor Commented:
If I have a PC on vlan1 and a PC on vlan2 and they can ping each other as well as RDP, does that show that the routing is working properly?
yes, since you can ping accross vlan. then what is the issue.
nlwtechAuthor Commented:
The issue is that I can't ping or connect to the 5505 ASA when it is on vlan2 ( from a PC on vlan1 (10.74.1.x).  That is why I was wondering if it is an issue with the 5505 or is there something on the switch that is not configured correctly.  Sorry for any confusion.
ok, so i aasume you connect your vlan2 on management port and vlan1 in inside port
nlwtechAuthor Commented:
I use the inside port to manage the 5505.  I don't have a port configured just for management.

I can connect via a console cable.
Did you permit icmp to allow ping echo reply
something like this access-list name permit icmp any
nlwtechAuthor Commented:
I did not set that up on the 5505....didn't think it was needed since I was able to ping it from a PC on the same subnet.
by default it is disabled to ping asa interface from different subnet for security reason. you need to enable that in your access control list.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
nlwtechAuthor Commented:
Thanks!  Now it makes sense that you can't connect from a different subnet.

I can now ping and connect via ASDM.

Here are the commands I added (as best as I can remember):

object network obj_10.74.1.0

object network Inside_Network

access-list Internal_traffic extended permit ip any
access-list Internal_traffic extended permit ip any

object network Inside_Network nat (any,outside) dynamic interface

route inside 1

Thanks again for your help.

nlwtechAuthor Commented:
My comment included the specific cli commands
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.