ASA multiple VLAN intercommunication and a Dell managed switch

 
 
justin_ltg@yahoo.com
      10-06-2007
Trying to figure this out, and am stumped.

I have an ASA 5505 with 3 VLANs configured.

1 - Outside vlan 1 eth0/0 to internet nat'd
2 - Inside vlan 2 eth0/1 to 10.0.0.x network (ip 10.0.0.1)
3 - Sungard vlan 3 port eth0/2 to 10.0.0.x network (ip 10.0.4.100)

For Vlan's 1 and 2 everything is fine as that was the original
config. I added VLAN3 because I want my clients (pcs) to be able to
failover to and access High availability servers. The gateway to
these servers is 10.0.4.25. So my cisco ISR and ASA eth0/2 are
plugged into the same layer 2 switch, ports 1 and 2 (which is managed
and does support VLAN)

When I originally set up the ASA to accomplish this task, I was
sporadically able to ping 10.0.4.25 from the ASA as well as the High
availability servers in the 10.0.2.x range from the ASA. It would
ping but packets would drop, and sometimes no replies at all. The
PC's however were not able to do this.

I called cisco, the guy looked at my ASA config and said it looked
good. He said, what I needed to do was setup a separate VLAN on my
switch, and plug Vlan3 from the ASA and the eth0/1 ISR port with ip
10.0.4.25 into those designated switch vlans ports, and then the
traffic would be routed by the ASA to the appropriate spots if Traffic
from my PC's (10.0.0.x) range came to their default Gateway of the ASA
(10.0.0.1) looking for 10.0.4.x traffic.

So I am like fine, sounds simple enough. So I setup 2 ports on my
switch in VLAN2 and assigned the VLAN2 an ip of 10.0.4.1.

My PC's (10.0.0.x) and the ASA (10.0.4.100) and the ISR (10.0.4.25)
can all ping the VLAN2 IP (10.0.4.1) of the switch.

I'm like great, progress. Well of course one issue is, my 10.0.0.x
traffic still can't ping 10.0.4.x interfaces. Okay, so this sounds
like a trunking problem, I can work on that. (either that or the ASA
isn't routing the traffic whatsoever) I assumed since the Cisco
engineer said everything was good, that it is good to go.

HOWEVER, the big question is, and this is the curve ball, My ASA
(10.0.4.100) cannot ping the ISR (10.0.4.25) which are in the same
VLAN on the switch! (I know the ISR is setup correctly, because I can
ping from my servers with static routes set in windowz to the ISR) I
also have my access list setup correctly on the ASA

pleassseee any insight would be most appreciated, as like we all are,
on a time schedule.


Here is the ASA config

ASA Version 7.2(2)
!
hostname rfgasa
domain-name xxx.com
enable password gVS2wdA63vY9dM4F encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 68.x.x.x 255.255.255.224
!
interface Vlan3
description static route to sungard
nameif sungard
security-level 99
ip address 10.0.4.100 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
description physical sungard static route port
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd jtwS04SN/D4dwlvP encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name rfginc.com
access-list rfg extended permit icmp any any echo-reply
access-list rfg extended permit icmp any any time-exceeded
access-list rfg extended permit icmp any any unreachable
access-list rfg extended permit tcp any host x.x.x.80 eq www
access-list rfg extended permit tcp any host x.x.x.86 eq www
access-list rfg extended permit tcp any host x.x.x.88 eq www
access-list rfg extended permit tcp any host x.x.x.70 eq www
access-list rfg extended permit tcp any host x.x.x.75 eq www
access-list rfg extended permit tcp any host x.x.x.69 eq www
access-list rfg extended permit tcp any host x.x.x.72 eq www
access-list rfg extended permit tcp any host x.x.x.67 eq https
access-list rfg extended permit tcp any host x.x.x.80 eq https
access-list rfg extended permit tcp any host x.x.x.72 eq https
access-list rfg extended permit tcp any host x.x.x.82 eq https
access-list rfg extended permit tcp any host x.x.x.68 eq 3389
access-list rfg extended permit tcp any host x.x.x.71 eq 3389
access-list rfg extended permit tcp any host x.x.x.77 eq 3389
access-list rfg extended permit tcp any host x.x.x.78 eq 3389
access-list rfg extended permit tcp any host x.x.x.76 eq 3389
access-list rfg extended permit tcp any host x.x.x.81 eq 3389
access-list rfg extended permit tcp any host x.x.x.67 eq ssh
access-list rfg extended permit tcp any host x.x.x.79 eq ssh
access-list rfg extended permit tcp any host x.x.x.73 eq 990
access-list rfg extended permit tcp any host x.x.x.74 eq 990
access-list rfg extended permit tcp any host x.x.x.73 eq 10023
access-list rfg extended permit tcp any host x.x.x.74 eq 10039
access-list rfg extended permit tcp any host x.x.x.71 eq smtp
access-list rfg extended permit tcp any host x.x.x.82 eq www
access-list rfg extended permit tcp any host x.x.x.89 eq 3389
access-list rfg extended permit tcp any host x.x.x.83 eq 3389
access-list rfg extended permit tcp any host x.x.x.84 eq 3389
access-list rfg extended permit tcp any host x.x.x.85 eq 3389
access-list rfg extended permit tcp host 10.0.4.100 any
access-list VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
access-list VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
access-list VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.4.0 255.255.255.0
access-list VPN extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0
access-list sungard extended permit tcp any any
access-list sungard extended permit icmp any any echo-reply
access-list sungard extended permit icmp any any time-exceeded
access-list sungard extended permit icmp any any unreachable
access-list sungard extended permit icmp any any
pager lines 24
logging enable
logging monitor debugging
logging trap debugging
logging asdm informational
logging host inside 10.0.0.19
logging debug-trace
mtu inside 1500
mtu outside 1500
mtu sungard 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.92-x.x.x.94
global (outside) 1 interface
global (outside) 1 x.x.x.90
global (outside) 1 x.x.x.91
global (sungard) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.80 www 10.0.0.5 www netmask 255.255.255.25
static (inside,outside) tcp x.x.x.86 www 10.0.0.14 www netmask 255.255.255.2
static (inside,outside) tcp x.x.x.88 www 10.0.0.16 www netmask 255.255.255.2
static (inside,outside) tcp x.x.x.70 www 10.0.0.18 www netmask 255.255.255.2
static (inside,outside) tcp x.x.x.75 www 10.0.0.27 www netmask 255.255.255.2
static (inside,outside) tcp x.x.x.69 www 10.0.0.11 www netmask 255.255.255.2
static (inside,outside) tcp x.x.x.72 www 10.0.0.6 www netmask 255.255.255.25
static (inside,outside) tcp x.x.x.82 https 10.0.0.7 https netmask 255.255.25
static (inside,outside) tcp x.x.x.68 3389 10.0.0.9 3389 netmask 255.255.255.
static (inside,outside) tcp x.x.x.71 3389 10.0.0.17 3389 netmask 255.255.255
static (inside,outside) tcp x.x.x.72 https 10.0.0.6 https netmask 255.255.25
static (inside,outside) tcp x.x.x.82 www 10.0.0.7 www netmask 255.255.255.25
static (inside,outside) tcp x.x.x.77 3389 10.0.0.36 3389 netmask 255.255.255
static (inside,outside) tcp x.x.x.78 3389 10.0.0.7 3389 netmask 255.255.255.
static (inside,outside) tcp x.x.x.76 3389 10.0.0.8 3389 netmask 255.255.255.
static (inside,outside) tcp x.x.x.81 3389 10.0.0.4 3389 netmask 255.255.255.
static (inside,outside) tcp x.x.x.79 ssh 10.0.0.7 ssh netmask 255.255.255.25
static (inside,outside) tcp x.x.x.73 990 10.0.0.23 990 netmask 255.255.255.2
static (inside,outside) tcp x.x.x.74 990 10.0.0.5 990 netmask 255.255.255.25
static (inside,outside) tcp x.x.x.74 10039 10.0.0.5 10039 netmask 255.255.25
static (inside,outside) tcp x.x.x.71 smtp 10.0.0.17 smtp netmask 255.255.255
static (inside,outside) tcp x.x.x.73 10023 10.0.0.23 10023 netmask 255.255.2
static (inside,outside) tcp x.x.x.89 3389 10.0.0.95 3389 netmask 255.255.255
static (inside,outside) tcp x.x.x.83 3389 10.0.0.169 3389 netmask 255.255.25
static (inside,outside) tcp x.x.x.84 3389 10.0.0.6 3389 netmask 255.255.255.
static (inside,outside) tcp x.x.x.85 3389 10.0.0.41 3389 netmask 255.255.255
access-group rfg in interface outside
access-group sungard in interface sungard
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
route sungard 10.0.2.0 255.255.255.0 10.0.4.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set dynes esp-des esp-md5-hmac
crypto ipsec transform-set cbcco esp-des esp-md5-hmac
crypto ipsec transform-set blair esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set dynes
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group x.x.x.2 type ipsec-l2l
tunnel-group x.x.x.2 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.14 type ipsec-l2l
tunnel-group x.x.x.14 ipsec-attributes
pre-shared-key *
tunnel-group DefaultL2Lgroup type ipsec-l2l
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 1440
ssh x.x.x.140 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0

!
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
class class_sip_tcp
inspect sip
!
service-policy global_policy global
tftp-server inside 10.0.0.176 TFTP
prompt hostname context
Cryptochecksum:ddcf0bb2275e5337b7edca35fad99809
: end
rfgasa#

thank you for any help.

 
justin_ltg@yahoo.com
      10-06-2007


nevermind. I'm a monkey.

first mistake. um, switchport counts go vertical, top to bottom to
the right.

second mistake. made switchport 1 a trunk port (plugged into ASA)
made switchport 3!!!!!!!! an access port (plugged into the ISR)!!!

its miller time
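
An added example, not part of the original posts: the interface stanzas of the posted config turned into a port-to-VLAN map, plus a check of the two cabled switch ports against it. The sample stanzas, the outside address, the `MISWIRED` and `FIXED` switch tables and both function names are constructed for illustration; it assumes a trunk-mode switch port tags the VLAN and that the router side is an untagged routed port.

```python
import ipaddress
import re

# Constructed sample in the style of the posted config (outside address is a placeholder).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 198.51.100.2 255.255.255.224
!
interface Vlan3
 nameif sungard
 ip address 10.0.4.100 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
"""
# Constructed switch tables, port -> (mode, vlan); not the poster's switch config.
MISWIRED = {1: ("trunk", 2), 3: ("access", 2)}
FIXED = {1: ("access", 2), 3: ("access", 2)}

def asa_port_map(config):
    """Map each physical ASA port to (vlan id, nameif, ip_interface or None)."""
    svis, ports, current = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"interface (Vlan(\d+)|Ethernet\S+)$", line)
        if m:
            current = m.group(1)
            if m.group(2):
                svis[int(m.group(2))] = {"nameif": None, "net": None}
            else:
                ports[current] = 1  # ASA 5505 switch ports default to VLAN 1
        elif line == "!":
            current = None
        elif current and current.startswith("Vlan"):
            svi, words = svis[int(current[4:])], line.split()
            if words[:1] == ["nameif"]:
                svi["nameif"] = words[1]
            elif words[:2] == ["ip", "address"]:
                svi["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif current and (m := re.match(r"switchport access vlan (\d+)$", line)):
            ports[current] = int(m.group(1))
    empty = {"nameif": None, "net": None}
    return {p: (v, svis.get(v, empty)["nameif"], svis.get(v, empty)["net"])
            for p, v in ports.items()}

def check_segment(config, asa_port, asa_swport, peer_ip, peer_swport, switch):
    """Check the two switch ports joining an ASA access port and a peer router."""
    _, nameif, net = asa_port_map(config)[asa_port]
    findings = []
    if ipaddress.ip_address(peer_ip) not in net.network:
        findings.append(f"{peer_ip} is not in {nameif} subnet {net.network}")
    for who, swport in ((asa_port, asa_swport), (peer_ip, peer_swport)):
        mode, _ = switch[swport]
        if mode != "access":
            findings.append(f"switch port {swport} ({who}) is {mode}; "
                            "this end sends untagged frames")
    if switch[asa_swport][1] != switch[peer_swport][1]:
        findings.append("switch ports are in different VLANs")
    return findings
```

`Ethernet0/1` carries no `switchport access vlan` line, so it lands in VLAN 1 (`inside`). Switch VLAN 2 facing ASA VLAN 3 is not a finding: on untagged access links the VLAN id is local to each device.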


 