Messages

there is an command to enable switch the other side to tag vlan native (in my case is 1):

Code Select Expand

vlan dot1q tag native
but my switch is 2960 and it does not support it.
so for my plan to work out, i set my vlan 1 config to the interface (not subinterface) config and it works.
i've got other subinterfaces at the interface and they all works without problem right now.
so if u are passing traffic from a native vlan in other side, and it is untagged, the interface itself handle the traffic and it does not pass traffic to sub interfaces.

can i change native vlan in ASA ?
I've searched through the web and cant find anything

ASAs are fun. Doing ICMP with ASAs is double fun. For your issue look to make sure you have the 'icmp permit' command linked to the right interface. It should be something like:

icmp permit 192.168.1.0 255.255.255.0 inside1

-Otanx

Just for your info. ICMP does not need to be permitted for my case . and ping works on other VLANS except the native

I'm going to venture a guess that the subinterface's security level is keeping the ping from happening. What if you change it to no security-level?

I suppose, security level is a logic between interfaces not the one which is connected to and is trunked and have the same VLAN.

Thanks, you were right.
I've tested out with a vlan other than native vlan which is 1 and it works !
Your explanation make sense, thank you

Hi,

ASA eth0 ---------------------------fa0/0 [Trunk] [SWITCH CISCO]

ASA :

interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 1
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!


Switch :
In switch i've got vlan interface 1 up with ip 192.168.1.40


Why i cant ping from ASA to switch ip 192.168.1.40 ?
PS: if i set 192.168.1.1 on interface eth0 instead of a subinterface, it works like a charm.