ASA 5520 multi context cannot ping sub interface


netKIZ

Hi all,

Working on a new 5520 in my lab. From my context "simA" I cannot ping the default gateway, and from my gateway router I cannot ping the sub-interface IP allocated to "simA." What am I missing? Thanks in advance!

From the system space, ping to the default gw IP is successful.
lab-asa1# ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
lab-asa1# ch cont simA
lab-asa1/simA# ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)


ASA 5520
--------
# System Space
ASA Version 8.0(3) <system>
!
hostname lab-asa1
domain-name baroda.com
enable password /XlSuePeP53opDW7 encrypted
mac-address auto
!
interface GigabitEthernet0/0
description Trunk to lab2924 Fa0/4
!
interface GigabitEthernet0/0.100
description -- Lab Mgmt Environment --
vlan 1
!
interface GigabitEthernet0/1
description *** Connects to lab2924 Fa0/10 ***
shutdown
!
interface GigabitEthernet0/2
description Trunk to lab2924 Fa0/10
!
interface GigabitEthernet0/2.110
description -- Customer SIM Vlan 10 --
vlan 10
!
interface GigabitEthernet0/3
!
interface Management0/0
!
class default
limit-resource All 0
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!

boot system disk0:/asa803-k8.bin
ftp mode passive
pager lines 24
no failover
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
allocate-interface Management0/0
config-url disk0:/admin.cfg
!

context simA
description Context for Customer Simulation Environment
allocate-interface GigabitEthernet0/0.100
allocate-interface GigabitEthernet0/2
config-url disk0:/simA.cfg
!
#######
# Context simA
lab-asa1/simA# sh run
: Saved
:
ASA Version 8.0(3) <context>
!
hostname simA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0.100
nameif inside
security-level 100
ip address 192.168.100.25 255.255.255.0
!
interface GigabitEthernet0/2
nameif vpn
security-level 0
ip address 10.40.40.1 255.255.255.252
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list inside-in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
mtu inside 1500
mtu vpn 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
static (inside,vpn) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
access-group inside-in in interface inside
route inside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:c7fc4efb3d5c48a55eb9804acbaa3324
: end
lab-asa1/simA#
 
In your sim def, should it not be gig0/2.100?
allocate-interface GigabitEthernet0/0.100

and your static nat
static (inside,vpn) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

the vpn interface is not 192.168.100.0?

I'm not sure; I've never worked with multiple contexts.
 
Hi -

The static is in place to allow traffic destined for 192.168.100.0/24 subnet to pass from the less secure (vpn) interface to the higher secure (inside) interface. I'm not performing any NAT'ing otherwise.

Yea, I did allocate the physical gi0/2 instead of the logical on the "vpn" side. I had done that while troubleshooting. But I'm just concerned with the "inside" at the moment. I cannot ping the logical inside interface nor can I ping anything from simA to the inside.

Here's the switch port interface gi0/0 is connected to. Looks okay to me, but maybe my problem is here:
Current configuration:
!
interface FastEthernet0/4
description LAB ASA Gi0/0
switchport trunk allowed vlan 1,10,1002-1005
switchport mode trunk
no snmp trap link-status
end
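
Added example (not part of the thread, and not Cisco code): a small Python check for the allocation slip discussed in the replies above, where context simA is given the parent port GigabitEthernet0/2 while the system space defines a VLAN subinterface on it, plus a check that each subinterface VLAN is in the posted trunk's allowed list. The sample config is constructed by trimming the posted one; the finding names and the TRUNKS mapping are assumptions of this example.

```python
import re

# Constructed sample: trimmed from the system-space config posted in the thread.
SYSTEM_CFG = """\
interface GigabitEthernet0/0
interface GigabitEthernet0/0.100
 vlan 1
interface GigabitEthernet0/2
interface GigabitEthernet0/2.110
 vlan 10
context admin
 allocate-interface Management0/0
context simA
 allocate-interface GigabitEthernet0/0.100
 allocate-interface GigabitEthernet0/2
"""
# Only the Fa0/4 trunk (facing Gi0/0) was posted, so only Gi0/0 is checked.
TRUNKS = {"GigabitEthernet0/0": "switchport trunk allowed vlan 1,10,1002-1005"}

def parse_system(cfg):
    """Return ({subinterface: vlan_id}, {context: [allocated interfaces]})."""
    vlans, contexts, kind, name = {}, {}, None, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"(interface|context) (\S+)$", line):
            kind, name = m.groups()  # remember which stanza we are inside
        elif kind == "interface" and (m := re.match(r"vlan (\d+)$", line)):
            vlans[name] = int(m.group(1))
        elif kind == "context" and (m := re.match(r"allocate-interface (\S+)", line)):
            contexts.setdefault(name, []).append(m.group(1))
    return vlans, contexts

def allowed_vlans(trunk_line):
    """Expand '... allowed vlan 1,10,1002-1005' into a set of VLAN IDs."""
    spans = (p.partition("-") for p in trunk_line.split()[-1].split(","))
    return {v for lo, _, hi in spans for v in range(int(lo), int(hi or lo) + 1)}

def audit(cfg, trunks):
    vlans, contexts = parse_system(cfg)
    allocated = {i for ifs in contexts.values() for i in ifs}
    # A context was handed a parent port that carries VLAN subinterfaces.
    findings = [("parent-allocated", ctx, p) for ctx, ifs in contexts.items()
                for p in ifs if any(s.startswith(p + ".") for s in vlans)]
    for sub, vid in sorted(vlans.items()):
        if sub not in allocated:
            findings.append(("unallocated-subinterface", sub, vid))
        trunk = trunks.get(sub.split(".")[0])  # trunk config known for the parent?
        if trunk and vid not in allowed_vlans(trunk):
            findings.append(("vlan-not-on-trunk", sub, vid))
    return findings

print(audit(SYSTEM_CFG, TRUNKS))
```

On the posted config this reports the GigabitEthernet0/2 allocation and the unused GigabitEthernet0/2.110; the Fa0/4 allowed-VLAN list passes for VLAN 1.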
 