VLan not communicating to network

I have a VLAN set up in my network of 192.199.1.xxx. I have this complete with a port on my ASA 5501 (it seems that I can get communications to the firewall, but the firewall is dropping traffic and not allowing any internet traffic to pass). Any ideas?

If I have this in the wrong location please let me know.

Thank you

i-kendall Tue, 04/01/2008 - 08:22

The ASA needs to have NAT configured (even if you don't want the addresses changed it still needs NAT configuration, just tell it not to NAT), and access lists if the security levels are lower on this interface than where it is going.

Post the ASA config and I should be able to help more if you need it.

This was probably better in the Security section, but don't worry, we can answer it here.



srue Tue, 04/01/2008 - 08:25
User Badges:
  • Blue, 1500 points or more

The ASA by default doesn't require NAT to pass traffic (like the PIXes did, with 6.3 and before).

See command "nat-control".

Post the output of "show run nat", "show run global" and "show run nat-control".

i-kendall Tue, 04/01/2008 - 11:29

Ok, but he said he was accessing the Internet, so he would need NAT.

Posting a copy of the config would be useful here, then we can see what you are trying to achieve.



Ok, what I am trying to do is have 2 domains, each with their own network, but using the same firewall as their gateway. I thought I had configured this by setting interface 2 up as the with my switches taking care of the VLAN. With that being said, the 192.199.1.xxx and the 172.16.xxx.xxx networks will still need to access each other, but only on the file sharing level.



Ok, using the information from this post I found that I do have a NAT group set up of "101" for the interface of my VLAN. This is the command that I used to correct this issue: "nat (mci_domain) 101". This allowed my test computer to access the internet as it should. Now for the next issue that I have found: I still need to have access to the 172.16.xxx.xxx network. I have checked my ASA and I am allowing traffic to pass on same security level interfaces.


i-kendall Tue, 04/01/2008 - 12:14

This might be old school, but try the following to turn off NAT between inside and DMZ.

First clear out the commands that we do not need.

no global (inside) 101 interface

no global (DMZ) 101 interface

no static (inside,inside) netmask

no static (inside,inside) netmask

no static (inside,DMZ) netmask

access-list No-Nat permit ip any

access-list No-Nat permit ip any

nat (inside) 0 access-list No-Nat

nat (DMZ) 0 access-list No-Nat

Then do a 'clear xlate' and test again. See how you go and let us know the result.
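The two things this thread circles around, an outbound NAT group (the poster's "nat (mci_domain) 101") plus a "nat 0 access-list" exemption so the two LANs keep their real addresses when they talk to each other, fit together as below. This is an added example in pre-8.3 ASA syntax, not the poster's configuration or anything i-kendall supplied: the interface names "inside", "mci_domain" and "outside", the 172.16.0.0/16 mask, and the sample hosts in the packet-tracer line are all assumptions, and the interface ACL is one way to enforce the "file sharing only" requirement the poster mentioned rather than leaving inter-VLAN traffic wide open.

```cisco
! Added example (not the poster's config): pre-8.3 ASA NAT layout for two
! internal interfaces sharing one outbound path. Interface names, the
! 172.16.0.0/16 mask and the "outside" name are assumptions.

! Static NAT is not required just to forward packets; leave nat-control off
! (the ASA default, as srue noted above).
no nat-control

! Both LAN interfaces sit at the same security level (100); allow them to talk.
same-security-traffic permit inter-interface

! Outbound PAT for both LANs behind the outside interface address (group 101).
nat (inside) 101 172.16.0.0 255.255.0.0
nat (mci_domain) 101 192.199.1.0 255.255.255.0
global (outside) 101 interface

! NAT exemption (nat 0) between the two LANs so inter-VLAN traffic keeps its
! real addresses. One ACL per interface; the source is the network behind it.
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.199.1.0 255.255.255.0
access-list mci_nat0_outbound extended permit ip 192.199.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (mci_domain) 0 access-list mci_nat0_outbound

! NAT exemption only skips translation; the interface ACL still decides what
! is allowed. Limit inter-VLAN traffic to Windows file sharing (TCP 445 and
! 139), deny anything else toward the other LAN, keep internet access open.
access-list mci_domain_access_in extended permit tcp 192.199.1.0 255.255.255.0 172.16.0.0 255.255.0.0 eq 445
access-list mci_domain_access_in extended permit tcp 192.199.1.0 255.255.255.0 172.16.0.0 255.255.0.0 eq 139
access-list mci_domain_access_in extended deny ip 192.199.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list mci_domain_access_in extended permit ip 192.199.1.0 255.255.255.0 any
access-group mci_domain_access_in in interface mci_domain

! Drop stale translations, then trace a constructed SMB flow (sample hosts)
! to see which NAT rule and which ACL line the ASA applies.
clear xlate
packet-tracer input mci_domain tcp 192.199.1.10 1025 172.16.1.10 445
```

The packet-tracer output walks through the ROUTE-LOOKUP, ACCESS-LIST and NAT phases in order, so if the flow is dropped it shows whether the missing piece is a route (i-kendall's later suggestion), the exemption, or the interface ACL. The "show run nat" and "show run global" output srue asked for should then match the nat/global lines above.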




If I remove my NAT statements, will that affect traffic that is flowing between the DMZ and the subnet? (Which would mean I'm going to get killed, because this is valid traffic.)

As it stands right now, the only traffic that I cannot pass is traffic from 192.199.xxx.xxx to the 172.16.xxx.xxx domain.


i-kendall Tue, 04/01/2008 - 14:49


I am a little confused. There is no mention of the 192.199.x.x network in the config you posted. Where is this network located? Maybe you are just missing a route statement?

Please clarify.



