
I'm having a problem where my Cisco ASA 5510 (v8.2) can't communicate with VMs in a VLAN-specific port group.

The Cisco ASA is currently sitting in front of a group of VMs that have public IPs. That part needs to stay the same. In addition, I've got a software firewall (pfSense, left over from before the Cisco ASA was in place) running as a VM, with a public IP as well as an IP on the 172.29/24 subnet. What I'd like to do, as the end goal, is remove the software firewall and have the 172.29/24 network, as well as the public IPs, all accessible via the Cisco ASA.

Physical setup:

Cisco ASA 5510 v8.2 <--- single ethernet ---> NIC/Server running VMware ESXi 5.5

Logical setup:

ASA

Interfaces --> Ethernet 0/0    Public
    \-> Ethernet 0/1    Internal (currently has public IP, and acts as a gateway for a subnet of public IPs) (native)
    \-> Ethernet 0/1.1  VLan-Passthrough Public IPs (vlan 1) (currently disabled)
    \-> Ethernet 0/1.29 VLan-172.29 172.29.0.250 (vlan 29) (currently disabled)

    Static Routes -> Internal: 172.29/24, gateway: software router

ESXi

vmnic1 --> vSwitch0 --> Port Group: Public Passthru (currently vlan 4095)
                    --> Port Group: Management Network (native)
                    --> Port Group: Vlan-172.29 (vlan 29)

Obviously the current configuration will not fulfill my end goal. However, it's keeping things running. Did I mention this is a live environment?

Things I've tried, to drop the software firewall out of the mix:

  1. I enabled the Ethernet0/1.29 interface on the ASA, with the IP of 172.29.0.250, and removed the static route pointing 172.29/24 to the software firewall. Theoretically (or at least I thought) this should put the ASA directly on VLAN-29, and thus be able to directly access the VMs via the VLAN-29 Port Group. FAILED. No communication in either direction.
  2. I changed the Public Passthru port group from VLAN-0, to VLAN-1. Then I removed the name/ip from the Ethernet0/1 interface (leaving it enabled), and brought up the Ethernet0/1.1 interface on VLAN-1. Not only was I still not able to connect to anything on the VLAN-29 port group, now I wasn't able to connect to anything on the VLAN-1 port group either.

Traffic between two or more hosts connected on the same interface is enabled. There is no NATing going on at the ASA level (yet; one headache at a time). And as far as I can tell, I've got complete unrestricted access to and from the internal, vlan-Public, and vlan 172.29 interfaces for both IP and ICMP. However, in this configuration, NOTHING is visible between the ASA and the hypervisor.

To bring things back to working for production today, I had to disable the Ethernet0/1.1 (vlan-1) interface, restore the Ethernet0/1 (native) interface, and change the Public Passthru port group to VLAN-4095 (native no longer worked for this port group?). I also restored the static route, so I know the ASA can talk to the 172.29/24 subnet, which will be needed when I bring up a site-to-site IPsec here in a couple of days.

Help! Can anyone point me in the right direction towards getting the ASA and ESXi VLANs communicating?

As always, thanks in advance!

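The trunk-and-subinterface arrangement the post describes, written out as an added configuration example. This is not from the original post and is not a confirmed fix for the problem it reports; it only shows the ASA 8.2 side of the VLAN 29 leg in a form that can be compared line by line against a running config. The interface name Ethernet0/1.29, VLAN ID 29 and the address 172.29.0.250 come from the post; the nameif string `vlan29`, the security level, and the idea of leaving Ethernet0/1 itself unnamed are assumptions.

```cisco
! Physical uplink to the ESXi host. Left without nameif/ip address it acts as a
! pure 802.1Q trunk carrying only the tagged subinterfaces; untagged frames then
! land on no named interface. (The post's current setup instead keeps nameif/ip
! on Ethernet0/1, which carries untagged traffic alongside the tagged legs.)
interface Ethernet0/1
 no shutdown
!
! Tagged leg for VLAN 29 / 172.29.0.0/24. The vlan command is what puts the
! 802.1Q tag 29 on frames leaving this subinterface; nameif and security-level
! are assumed values, the address is the one in the post.
interface Ethernet0/1.29
 vlan 29
 nameif vlan29
 security-level 100
 ip address 172.29.0.250 255.255.255.0
 no shutdown
!
! Two named interfaces at the same security level drop traffic between each
! other unless this is set, regardless of ACLs.
same-security-traffic permit inter-interface
!
! Checks after bringing the subinterface up (run from enable mode):
!   show interface Ethernet0/1.29   -> line protocol up and input packet counters moving
!   show arp                        -> an entry for a VM address on 172.29.0.0/24 means
!                                      a tagged frame made the round trip to the guest
```

On the ESXi side, the matching setting for the "Vlan-172.29" port group is `esxcli network vswitch standard portgroup set --portgroup-name="Vlan-172.29" --vlan-id=29`, which makes the vSwitch strip tag 29 before the guest sees the frame and re-add it on the way out, and `esxcli network vswitch standard portgroup list` shows the resulting VLAN ID column. A VLAN ID of 0 on a port group means it receives only untagged frames, while 4095 hands every frame, tagged or not, to the guest unchanged, which is why the post's native-IP VMs keep working on a 4095 port group: the untagged frames from Ethernet0/1 pass straight through. If `show arp` on the ASA stays empty for the 172.29 side while the guest's own ARP table shows 172.29.0.250, the tag is being stripped or dropped somewhere between the two, so the next thing to look at is the vmnic1 uplink rather than ACLs.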