Can't ping from a subinterface

Started by f14f21, January 19, 2022, 04:41:39 AM


f14f21

Hi,

ASA eth0 ---------------------------fa0/0 [Trunk] [SWITCH CISCO]

ASA :

interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 1
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!


Switch :
On the switch I've got VLAN interface 1 up with IP 192.168.1.40.


Why can't I ping from the ASA to the switch IP 192.168.1.40?
PS: If I set 192.168.1.1 on interface eth0 instead of a subinterface, it works like a charm.


deanwebb

I'm going to venture a guess that the subinterface's security level is keeping the ping from happening. What if you change it to no security-level?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

ASAs are fun. Doing ICMP with ASAs is double fun. For your issue look to make sure you have the 'icmp permit' command linked to the right interface. It should be something like:

icmp permit 192.168.1.0 255.255.255.0 inside1

-Otanx

icecream-guy

:professorcat:

My Moral Fibers have been cut.

Otanx

Shouldn't need a default route assuming the switch is a /24. All directly connected. However, that did make me realize that when using the subinterface his switch needs to have a trunk set up to the ASA, and the native VLAN needs to be changed. Otherwise it won't be tagged, and it won't hit the subinterface on the ASA.

-Otanx

f14f21

Thanks, you were right.
I've tested with a VLAN other than the native VLAN, which is 1, and it works!
Your explanation makes sense, thank you.

f14f21

Quote from: deanwebb on January 19, 2022, 08:51:55 AM
I'm going to venture a guess that the subinterface's security level is keeping the ping from happening. What if you change it to no security-level?
I suppose the security level is logic between interfaces, not for the one that is connected, trunked and on the same VLAN.

f14f21

Quote from: Otanx on January 19, 2022, 11:21:07 AM
ASAs are fun. Doing ICMP with ASAs is double fun. For your issue look to make sure you have the 'icmp permit' command linked to the right interface. It should be something like:

icmp permit 192.168.1.0 255.255.255.0 inside1

-Otanx
Just for your info: ICMP does not need to be permitted in my case, and ping works on the other VLANs except the native one.

f14f21

Can I change the native VLAN on the ASA?
I've searched the web and can't find anything.

deanwebb

You can on a trunk port: https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/int5505.html and scroll almost to the end. Search the page for "native", first result.

Dieselboy

Seems it's fixed now.

VLAN 1 is usually untagged but it is possible to tag VLAN 1. Then, the switch needs to have the equivalent config to manage that.

What I do is always treat vlan 1 as untagged and all other vlans are tagged. It means that any sub interfaces on the ASA will start at vlan 2. 

f14f21

There is a command to make the switch on the other side tag the native VLAN (in my case 1):
vlan dot1q tag native
but my switch is a 2960 and it does not support it.
So for my plan to work out, I put my VLAN 1 config on the interface (not the subinterface), and it works.
I've got other subinterfaces on the interface and they all work without problems right now.
So if you are passing traffic from a native VLAN on the other side and it is untagged, the interface itself handles the traffic and does not pass it to the subinterfaces.
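
As an added illustration (not code from the thread, from the ASA or from Cisco), here is a small Python model of the 802.1Q behaviour Otanx's and f14f21's posts above describe: the switch sends every VLAN tagged except the native VLAN, which leaves untagged unless the platform supports `vlan dot1q tag native`; the ASA steers tagged frames to the subinterface whose `vlan` command matches and untagged frames to the physical interface, which only accepts them if it has a `nameif`. It builds and parses real 802.1Q headers (TPID 0x8100, VID in the low 12 bits of the TCI) and then runs the five situations from the thread: the original broken config, a non-native VLAN, moving the native VLAN, tagging the native VLAN, and putting VLAN 1 on the physical interface. The MAC addresses, the payload, the `inside10` subinterface and the switch-side commands quoted in the docstring (port name, native VLAN 99) are assumptions for illustration only.

```python
"""
Model of what the thread describes: an 802.1Q trunk between a Cisco switch and an
ASA whose Ethernet0/0 carries subinterfaces.

Switch-side commands assumed for the fixes (illustrative port/VLAN numbers):
  interface FastEthernet0/0              ! port facing the ASA (hypothetical name)
   switchport trunk encapsulation dot1q  ! where the platform requires it
   switchport mode trunk
   switchport trunk native vlan 99       ! move the native VLAN off VLAN 1
  vlan dot1q tag native                  ! global; only on platforms that support it
"""
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None) -> bytes:
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is given."""
    assert len(dst) == 6 and len(src) == 6
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = vlan_id & 0x0FFF  # PCP=0, DEI=0, VID in the low 12 bits
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_vlan(frame: bytes) -> Tuple[Optional[int], int]:
    """Return (vlan_id or None if untagged, inner EtherType) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner


class SwitchTrunkPort:
    """Trunk egress: tag every VLAN except the native one (unless tag_native)."""

    def __init__(self, native_vlan: int = 1, tag_native: bool = False):
        self.native_vlan = native_vlan
        self.tag_native = tag_native   # models 'vlan dot1q tag native'

    def egress(self, vlan_id: int, dst: bytes, src: bytes,
               ethertype: int, payload: bytes) -> bytes:
        untagged = vlan_id == self.native_vlan and not self.tag_native
        return build_frame(dst, src, ethertype, payload, None if untagged else vlan_id)


class AsaPhysicalInterface:
    """Ethernet0/0: optional nameif on the parent plus a VLAN -> subinterface map."""

    def __init__(self, nameif: Optional[str] = None,
                 subinterfaces: Optional[Dict[int, str]] = None):
        self.nameif = nameif
        self.subinterfaces = dict(subinterfaces or {})

    def ingress(self, frame: bytes) -> Optional[str]:
        """Name of the interface that receives the frame, or None if dropped."""
        vlan_id, _ = parse_vlan(frame)
        if vlan_id is None:
            return self.nameif                  # untagged: parent only; no nameif -> drop
        return self.subinterfaces.get(vlan_id)  # tagged: matching 'vlan' subinterface


# Constructed sample addresses and payload (not captured traffic).
SWITCH_MAC = bytes.fromhex("001122334455")
ASA_MAC = bytes.fromhex("66778899aabb")
PING = b"\x45" + b"\x00" * 27  # placeholder standing in for an IPv4 echo request


def deliver(switch: SwitchTrunkPort, asa: AsaPhysicalInterface, vlan_id: int) -> Optional[str]:
    frame = switch.egress(vlan_id, ASA_MAC, SWITCH_MAC, ETHERTYPE_IPV4, PING)
    return asa.ingress(frame)


def scenario_as_posted() -> Optional[str]:
    """eth0 has no nameif, eth0.1 is 'vlan 1' / inside1, switch native VLAN is 1."""
    return deliver(SwitchTrunkPort(native_vlan=1),
                   AsaPhysicalInterface(nameif=None, subinterfaces={1: "inside1"}), 1)


def scenario_non_native_vlan() -> Optional[str]:
    """What the OP tested next: a VLAN that is not the native one."""
    return deliver(SwitchTrunkPort(native_vlan=1),
                   AsaPhysicalInterface(subinterfaces={1: "inside1", 10: "inside10"}), 10)


def scenario_move_native_vlan() -> Optional[str]:
    """Otanx's fix: change the switch's native VLAN so VLAN 1 leaves tagged."""
    return deliver(SwitchTrunkPort(native_vlan=99),
                   AsaPhysicalInterface(subinterfaces={1: "inside1"}), 1)


def scenario_tag_native() -> Optional[str]:
    """'vlan dot1q tag native' on a switch that supports it."""
    return deliver(SwitchTrunkPort(native_vlan=1, tag_native=True),
                   AsaPhysicalInterface(subinterfaces={1: "inside1"}), 1)


def scenario_vlan1_on_parent() -> Optional[str]:
    """The OP's final config: VLAN 1 on the physical interface, others on subinterfaces."""
    return deliver(SwitchTrunkPort(native_vlan=1),
                   AsaPhysicalInterface(nameif="inside1", subinterfaces={10: "inside10"}), 1)


if __name__ == "__main__":
    for fn in (scenario_as_posted, scenario_non_native_vlan, scenario_move_native_vlan,
               scenario_tag_native, scenario_vlan1_on_parent):
        print(f"{fn.__name__}: {fn()}")
```

In the first scenario `deliver` returns `None`: the frame arrives untagged, the parent has no `nameif`, so nothing answers the ping, which is exactly the symptom in the opening post. Each of the other four returns the receiving interface name, matching the three fixes discussed in the thread and the non-native VLAN test. Note that `vlan dot1q tag native` is a global command on the switch platforms that support it, and the 2960 in this thread does not.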

deanwebb

Of course, there's the security protip to never use VLAN 1 for anything...