I am in the process to migrate to separate Vlans from a single 10.1.0.0/16 subnet on VLAN1
In the existing /16 subnet is our Cisco Mail Security (ESA).
In a new Vlan Segment for clients (10.101.10.0/24, VLAN6 ) I can do pretty much everything but access the ESA. No ping and also no access via HTTP(s).
Other servers and services are fully accessible like from VLAN1
The Cisco support said there is no issue on the config for the ESA.
The network is fully Cisco.
Network/IP interfaces setting of ESA:
10.1.30.188/16
I also tried adding a separate NIC with config 10.101.10.250/24, but it did not solve anything
Vlan config on Coreswitch:
show run interface vlan 1
interface Vlan 1
ip address 10.1.0.253 255.255.0.0
end
show run interface vlan 6
!
interface Vlan 6
description LAN-Clients
ip address 10.101.10.253 255.255.255.0
ip helper-address 10.1.30.84
no ip route-cache
end
The FW is a Cisco ASA 5508-X
the problem also applies from VLAN8 test Virtual Machines on same hypervisor.
The management of the Cisco ASA is externally managed.
This is a ping test from Coreswitch:
CiscoCORE#ping 10.1.30.188
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.30.188, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
CiscoCORE#ping 10.1.30.188 source vlan8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.30.188, timeout is 2 seconds:
Packet sent with a source address of 10.8.0.253
.....
Success rate is 0 percent (0/5)
where could be the issue?
Update:
thanks to the comment of @Tero Kilkanen I added some infos and tests. I did not think of a possible problem on ASA side yet, but it may be the point to look
Update:
I finally did it.
Upon re-checking the IP interfaces (I had also created an Interface wiht IP in VLAN6 of course) I tried creating it via SSH (with the same settings)
Afterwards I could access it from Vlan6
Maybe the IP interface has to be created via SSH instead of Web GUI. I did not set anything different
