Cisco Security :: Subinterface Stops When Use VLan 1 Default ASA 5520
Mar 17, 2011
I'm trying to configure a subinterface named Inside with VLAN 1, but the interface stops working with this VLAN. My switch is a Cisco and it uses the LAN with VLAN 1 too. If I change the VLAN to another one, e.g. VLAN 13, it works fine, and all the other VLANs work fine too. Is there a problem with using VLAN 1?
My configuration is:
Cisco ASA:
interface gig0/3
 no ip address
 no security-level
 no nameif
interface gig0/3.1
 vlan 1
 nameif Inside
 security-level 100
 ip address 10.x.y.x 255.255.224.0
The gigabit port of the switch is configured in trunk mode.
Jan 31, 2013
I am in a non-admin context on an ASA 5520 8.0(5) and I'm trying to add a new interface:
GigabitEthernet1/2.4    172.19.4.1    255.255.254.0  manual
GigabitEthernet1/2.6    172.19.6.1    255.255.255.0  CONFIG
GigabitEthernet1/2.180  172.19.180.1  255.255.252.0  manual
GigabitEthernet1/2.190  172.19.190.1  255.255.254.0  manual
gvadc-fw/tgf# conf t
gvadc-fw/tgf(config)# int g
gvadc-fw/tgf(config)# int gigabitEthernet 1/2?
configure mode commands/options:
1/2.180  1/2.190  1/2.4  1/2.6
gvadc-fw/tgf(config)# int gigabitEthernet 1/2.168 ?
ERROR: % Unrecognized command
gvadc-fw/tgf(config)#
What do I do?
Apr 5, 2012
I'm trying to set up an 802.1Q trunk between my layer 3 switch and ASA 5520. I understand I need to create a subinterface to accomplish this and have done so. However, the subinterface does not respond to pings, and when I attempt to run packet tracer on the firewall itself, I get a message saying "Flow is denied by configured rule". But the strange thing is it shows the output interface as "np identity ifc":
(The VLAN in question is VLAN 2; 192.168.2.3 is the VLAN 2 address on the switch.) The ASA config is as follows:
ASA Version 8.2(5) <context>
hostname context2
names
!
interface GigabitEthernet0/0.2
nameif Inside0/0.2
[Code] ....
Apr 23, 2013
I am having an issue where I can't get to external network sources via my subinterface, which is attached to a 192.168.10.X VLAN I created for guest wireless traffic. The internal interface is a 10.5.X.X network. I can get out the external interface, but anything that we have A records for, such as our MobileIron server that we can hit from the outside via HTTPS and an external IP, can't be hit from the subinterface at all. Would this be a DNS rewrite issue or an inspection problem?
Sep 8, 2012
I need to configure subinterfaces, e.g. g0/0.1 and g0/0.2, with an untagged VLAN for each subinterface on a Cisco 2821.
Jan 23, 2013
I've been given the task to clean up our network config, and have walked into a disaster zone. We have a 4510R on site with everyone using the default VLAN, VLAN 1. I have created 4 new VLANs, VLAN 100, VLAN 150, VLAN 200 and VLAN 250. I have assigned interface addresses to each VLAN and configured inter-VLAN routing. I can route to and from each new VLAN with no problem, i.e. VLAN 250 > VLAN 100, VLAN 100 > VLAN 200, etc., but I can't route to VLAN 1 (the default VLAN) from any of them. I can ping the interface on VLAN 1 from any VLAN, but any hosts are unreachable. On the flip side, from VLAN 1 I can route to all of the VLANs.
Aug 8, 2006
ASA 5510 Security Plus edition: will it support active/active failover? Does it support contexts with the Security Plus edition? And how many default contexts do we get with the ASA 5510 Security Plus edition?
Jun 14, 2011
I have two Cisco ASA 5520s running software version 8.2(2) set up in an HA pair. The L2L VPN is set up and works as expected between this site and another. The issue is that every few months, one subnet of the VPN, the same one all the time, stops forwarding/receiving traffic. The device in the remote location is not a Cisco device, but I am certain the issue lies with the ASA, as when I fail over to the slave device the VPN works again; failing back again, however, stays with the subnet still not passing traffic. I need to reboot the device before it starts forwarding traffic on the subnet again.
Jan 3, 2012
I have a PIX 515e (8.0(2)) and an 1841 router (12.4(25)). I had the following setup working without issue:
[Internet] <-----> PIX <-----> 1841 <-----> [LAN]
I then tried to introduce VLANs and now I cannot reach the Internet from the LAN. It seems that no NAT translations are taking place.
-I can successfully ping the LAN from the PIX.
-I can successfully ping the Internet from the PIX.
-I can successfully ping the PIX inside_lan interface from the router.
-I cannot ping the outside interface from the router.
-I cannot ping the Internet from the router.
I introduced the LAN-side VLAN first and everything still worked. However, once I introduced the VLAN between the router and the PIX, things broke down. [code]
May 9, 2011
I have an ASA 5505 that stops pretty early in the boot sequence.
This is all that shows up:
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
Low Memory: 632 KB
[Code].....
Jul 12, 2011
I have another ASA 5520 and it is configured. When I do a factory default, everything is erased. OK. When I enter again it prompts for the enable password, and it takes my previous password that I gave in the full configuration.
It generally comes with no password. Why doesn't the enable password get erased? Why does factory default hold my previous password?
Apr 9, 2012
I have been struggling with a problem for over 2 weeks despite a lot of research.
We have a Cisco router, then an ASA 5520 8.4(3).
The private interface of the ASA is connected to a switch, which in turn is connected to one interface of the router.
The private interface is as follows: 129.88.63.253 255.255.248.0 (/21) =>
It is in the 129.88.56.0/21 subnet.
Here is the part of the router config we are interested in:
!
interface Vlan32
ip address 129.88.63.254 255.255.248.0 (this is the tunnel default gateway configured on the ASA - 129.88.56.0/21 subnet)
ip address 129.88.71.254 255.255.255.0 secondary
ip address 129.88.75.254 255.255.252.0 secondary
ip access-group CVPN-depuis-129.88.56 in
ip access-group CVPN-vers-129.88.56 out
ip verify unicast source reachable-via rx allow-default
no ip redirects
mls rp ip
!
On the ASA, there is currently one default route for the tunneled traffic :
route Private 0.0.0.0 0.0.0.0 129.88.63.254 tunneled
As you can see, it's on the same subnet as the primary IP address of interface Vlan32 on the router.
The scenario is as follows:
- we can connect to the VPN with the appropriate alias (LDAP connection), then we get an IP address in the defined range (it's a local ASA pool)
- the pool is : 129.88.71.0/24
- but, once we are connected, we can't do anything, because it seems like we don't have any network access
Mar 27, 2013
We have a set of PCs that will be connecting with either RA IPsec or SSL VPN to another location. On our site, our perimeter device is an ASA 5520 8.2(3). The interfaces on this ASA don't have access lists applied, so from what I understand there is a default policy applied globally (class-default). Now my question is: if we set up VPN clients on our PCs, are the ports used by the clients to reach the VPN server allowed by default, or do we need to tweak the class-default?
Jun 5, 2013
I have the new firmware running on my SG500 switch. I've also just finished creating my VLANs. My issue is that I can't delete the old default VLAN .... VLAN 1. More importantly, I can't seem to get DNS to work on the switch.
When I set a DNS server, the VLAN defaults to VLAN 1, and the option is greyed out and can't be changed. Why is it VLAN1? Why is it greyed out? How do I get DNS to work on the switch, for services like Time Servers?
Oct 12, 2011
I have a question about the Cisco SF300-24P: is it possible to have the management VLAN in a VLAN other than the default VLAN? I have default VLAN 10 and voice VLAN 20, and I need to reach the switch through the voice VLAN, so I need to set up interface VLAN 20 with an IP address. I ask this because in the GUI, under Management Interface, IPv4 Interface, under Management VLAN, I can only choose VLAN 10, which is my default VLAN; I don't have the option to set up, in this case, VLAN 20 as the management VLAN.
Dec 26, 2011
Currently, I have a Cisco 4948 in the office that connects to a remote site via BGP. From what I am seeing, when connecting a new device to this switchport (we connect devices to this switch for a multicast VLAN that is set up), the BGP link fails after roughly 20-30 seconds. The switchport is not tagged with a VLAN, or any other config. Just a plain old port. This outage continues until the port is added to the multicast VLAN.
Mar 1, 2013
I have an SG500 that is already deployed with some Access VLANs on it. The PVID is still the default 1. I am trying to change it to 19 with as little interruption as possible. If I just go to the VLAN Management Tab and change the Default VLAN to 19 and reboot the switch, will it migrate my management IP to the default VLAN without any trouble? Would it be less interruption to: Create VLAN 19, assign it an out of subnet IP address, change a port to PVID 19, connect directly to that port, go to that IP address, remove the original management IP from PVID1, change all the ports to PVID19 then change the management IP back to the original?
May 25, 2011
I currently have the default inspection engine configured in my firewall to inspect HTTP traffic. I noticed that the ASA will drop packets when visiting legitimate websites. I've tried googling for a workaround but have been unsuccessful. How can I exclude some websites or IPs from being affected by the inspection engine?
May 10, 2012
I have removed the ICMP inspection from the default policy-map in my ASA 5520; now I am not able to ping 4.2.2.2 from my LAN, even though I have configured an ICMP access list in my ASA like the one below, but I still can't ping 4.2.2.2 to test Internet connectivity. What shall I do to allow only myself as admin to ping outside?
-icmp permit host 192.168.60.60 echo
-icmp permit host 192.168.60.60 echo-reply
May 6, 2010
I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
!
interface GigabitEthernet2/34
 switchport mode access
 ip arp inspection limit rate 30
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 6
 spanning-tree portfast
 ip verify source vlan dhcp-snooping
end
It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
Sep 23, 2012
I just got my Cisco SG300-28, but I have some problems getting the routing to work. I get the VLANs to reach the router with the default route, but I am not getting them to talk with each other. I can ping the IPs from the Cisco, but I am not getting traffic to go from VLAN 1 to VLAN 2. When I try to google, it says that it should do it automatically, and I found no setting for it. It looks like it is not creating any route for the interfaces.
Dec 12, 2012
I cannot set a route map on an interface VLAN which is in a non-default VRF on a Cisco 3750. IOS is c3750-ipservicesk9-mz.122-55.SE.bin, sdm prefer route in enable:
ip vrf users
 rd 200:0
 route-target export 200:0
 route-target import 200:0
interface Vlan201
 description Users 1
 ip vrf forwarding users
 ip address 10.31.76.1 255.255.252.0
 ip helper-address 10.31.4.57
route-map fromuser permit 10
 match ip address fromuser
 set ip next-hop 10.31.128.155
When I enter "ip policy route-map fromuser" on interface Vlan201 I get the message:
% Remove VRF configuration from interface Vlan201 first
Jul 27, 2011
We have recently purchased a Cisco SG300 and have been configuring it. [code] The VLANs have ACLs set up to prevent any communication between the Holly and Tempo VLANs (and their associated WAN VLANs). Each VLAN has a WAN available for its use, which connects to external networks (including the Internet). In order to facilitate this, we have set up all the necessary ACLs and routes and confirmed that this all works. However, the problem comes when we assign the static routes that specify the default gateways. We add the two static routes below:
-0.0.0.0 next hop 10.10.200.254 metric 1
-0.0.0.0 next hop 192.168.200.254 metric 1
In this case, only one of the VLANs has WAN access. It is either Holly or Tempo (it can be either, depending on the order in which the static routes are added). What we need is to force Holly to use the Holly WAN and Tempo to use the Tempo WAN, but we cannot see a way of doing this. Effectively, we want the following static routes: [code]
Oct 15, 2012
I have created two VLANs, VLAN 1 for data and VLAN 200 for voice. The issue is that when I am on one VLAN I cannot ping the default gateway of the other VLAN from my PC. I am using SGE 2010P switches.
Below is my configuration:
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip dhcp relay address 192.168.0.100
ip dhcp relay enable
ip dhcp information option
interface vlan 1
ip dhcp relay enable
[code]
Jan 6, 2013
I am trying to configure SSH on a Cisco 4507. After doing so I can see an SSH connection established from the default VLAN, but it fails from other VLANs. Rectify the SSH configuration so that a connection can be established from any VLAN.
May 26, 2013
I have a Cisco 876 with c870-adventerprisek9-mz.124-6.T9.bin. I have configured a VLAN with ID 230, an SVI with IP 192.168.230.1/24, and I have assigned switch port fa 2 to it…
interface Vlan230
ip address 192.168.230.1 255.255.255.0
VLAN ISL Id: 230
[Code]......
Jul 25, 2012
I have a design hurdle that I cannot seem to cross. I have two sites and I need the same VLAN to span both sites. I have accomplished this using L2TP, but my issue is that I can no longer assign a gateway for this VLAN on the router. The 2 routers are 2821s and are connected with a dedicated fiber run.
Any recommendation for how this could be accomplished? It would be great if I could have the same gateway at both sites by leveraging some sort of bridged interface (BVI, so I've heard), but I am at a loss as to where I should start with this. Also, this is not the only VLAN that needs to traverse the link.
Jan 28, 2013
Quote from the RV180 manual; 'By default, all access from the insecure WAN side is blocked from accessing the secure LAN, except in response to requests from the LAN or DMZ.'
Does this mean a general access-rule for the firewall blocking all inbound (WAN --> LAN) data is not required?
Nov 16, 2012
I'm trying to implement some best practices for ASA running on Software Release 8.2 and had a question about the default security-level behavior. Let's say I have 3 interfaces...
-inside (security-level 100)
-dmz (security-level 50)
-outside (security-level 0)
I have an ACL on the inside interface allowing http access to anywhere. Because of the ACL, the implicit higher to lower security level access is nullified. Correct?
I do NOT have any ACL on the dmz interface applied. So, would the servers in the dmz be allowed outbound access to the Internet due to the default higher to lower security level behavior?
Dec 8, 2011
I have connected an ASA 5520 firewall DMZ to the SERVER (17) VLAN in the core switch, and INSIDE is connected as a trunk to the core switch (including VLANs 15 and 18). Now the management IP of the switch is 10.xx.xx.126/25, and the other VLANs are showing "administratively down". But if I enter any of the other VLANs and do a "no shut", that particular VLAN will go UP but the other 2 will go down, meaning only one VLAN is up at a time.
Dec 8, 2011
I have connected an ASA 5520 firewall DMZ to the SERVER (55) VLAN in the core switch, and INSIDE is connected as a trunk to the core switch (including VLANs 66 and 77). Now the management IP of the switch is 10.xx.xx.126/25, and the other VLANs are showing "administratively down". But if I enter any of the other VLANs and do a "no shut", that particular VLAN will go UP but the other 2 will go down, meaning only one VLAN is up at a time.
Jul 17, 2011
I have been searching the net for this question and I find answers relating to other Cisco products, but not for the 6500 series. We are running entservicesk9_wan-mz.122-18.SXF17a.bin and would like to know how to change the default SSH listening port.
Jun 2, 2012
I searched a lot, but I couldn't find any good example of how to configure a DHCP server for our wireless clients on a Cisco Autonomous AP. I'm looking for an example of how to configure the Dot11 radios and BVI interfaces.
I have no problem configuring a DHCP server on the BVI 1 and VLAN 1 (native VLAN) interfaces, but there is a problem with the other BVIs and VLANs. Maybe this feature isn't supported? Maybe the DHCP server feature is supported only with the default BVI and native VLAN?