Routing – No Access to Cisco ESA from Different VLAN

cisco, ironport, routing, subnet, vlan

I am in the process of migrating to separate VLANs from a single 10.1.0.0/16 subnet on VLAN1.

In the existing /16 subnet is our Cisco Mail Security (ESA).

In a new VLAN segment for clients (10.101.10.0/24, VLAN6) I can do pretty much everything but access the ESA. No ping and also no access via HTTP(S).
Other servers and services are fully accessible, just like from VLAN1.

The Cisco support said there is no issue on the config for the ESA.

The network is fully Cisco.

Network/IP interfaces setting of ESA:

10.1.30.188/16

I also tried adding a separate NIC with config 10.101.10.250/24, but it did not solve anything.

Vlan config on Coreswitch:

show run interface vlan 1
interface Vlan 1
 ip address 10.1.0.253 255.255.0.0
end

show run interface vlan 6
!
interface Vlan 6
 description LAN-Clients
 ip address 10.101.10.253 255.255.255.0
 ip helper-address 10.1.30.84
 no ip route-cache
end

Network

The FW is a Cisco ASA 5508-X.

The problem also applies from VLAN8 test virtual machines on the same hypervisor.
The Cisco ASA is externally managed.

This is a ping test from Coreswitch:

CiscoCORE#ping 10.1.30.188
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.30.188, timeout is 2 seconds:
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

CiscoCORE#ping 10.1.30.188 source vlan8
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.30.188, timeout is 2 seconds:
Packet sent with a source address of 10.8.0.253
.....

Success rate is 0 percent (0/5)

Where could the issue be?

Update:
Thanks to the comment from @Tero Kilkanen, I added some info and tests. I had not thought of a possible problem on the ASA side yet, but it may be the place to look.

Update:
I finally did it.

Upon re-checking the IP interfaces (I had also created an interface with an IP in VLAN6, of course), I tried creating it via SSH (with the same settings).

Afterwards I could access it from VLAN6.
Maybe the IP interface has to be created via SSH instead of the web GUI. I did not set anything different.

Best Answer

As written at the end of the initial post, the problem was resolved by configuring the IP interface via SSH instead of via the web GUI.

The settings were exactly the same and simple (IP / GW / Hostname / Ports / Interface).

I had assumed I did not have to do anything, since the Cisco support took several hours over many days to examine it.