VLAN not communicating to network

sbohannan
Level 1

I have a VLAN set up in my network of 192.199.1.xxx. I have this complete with a port on my ASA 5501 (192.199.1.254). It seems that I can get communications to the firewall, but the firewall is dropping traffic and not allowing any internet traffic to pass. Any ideas?

If I have this in the wrong location please let me know.

Thank you

Shane

9 Replies

i-kendall
Level 1

The ASA needs to have nat configured (even if you don't want the addresses changed it still needs nat configuration, just tell it not to nat), and access lists if the security levels are lower on this interface than where it is going.

Post the ASA config and I should be able to help more if you need it.

This was probably better in the Security section, but don't worry, we can answer it here.

Regards,

Iain

The ASA by default doesn't require NAT to pass traffic (like the PIXes did, with 6.3 and before).

See command "nat-control".

Post the output of "show run nat", "show run global" and "show run nat-control".

Ok, but he said he was accessing the Internet, so he would need NAT.

Posting a copy of the config would be useful here, then we can see what you are trying to achieve.

Regards,

Iain

Ok, what I am trying to do is have 2 domains, each with their own network, but using the same firewall as their gateway. I thought I had configured this by setting interface 2 up as 192.199.1.254, with my switches taking care of the VLAN. With that being said, the 192.199.1.xxx and the 172.16.xxx.xxx networks will still need to access each other, but only on the file sharing level.

Shane

Ok, using the information from this post I found that I do have a nat group set up of "101" for the interface of my VLAN. This is the command that I used to correct this issue: "nat (mci_domain) 101 0.0.0.0 0.0.0.0". This allowed my test computer to access the internet as it should. Now for the next issue that I have found: I still need to have access to the 172.16.xxx.xxx network. I have checked my ASA and I am allowing traffic to pass on same security level interfaces.

Shane

This might be old school, but try the following to turn off nat between inside and dmz.

First clear out the commands that we do not need.

no global (inside) 101 interface

no global (DMZ) 101 interface

no static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

no static (inside,inside) 10.1.0.0 172.16.0.0 netmask 255.255.0.0

no static (inside,DMZ) 172.16.3.13 172.16.3.13 netmask 255.255.255.255

access-list No-Nat permit ip any 172.16.0.0 255.255.0.0

access-list No-Nat permit ip any 10.10.10.0 255.255.255.0

nat (inside) 0 access-list No-Nat

nat (DMZ) 0 access-list No-Nat

Then do a 'clear xlate' and test again. See how you go and let us know the result.

Regards,

Iain

Iain,

If I remove my nat statements, will that affect traffic that is flowing between the dmz and the 192.168.0.0 subnet? (Which would mean I'm going to get killed, because this is valid traffic.)

As it stands right now the only traffic that I cannot pass is traffic from 192.199.xxx.xxx to the 172.16.xxx.xxx domain.

Shane

Shane,

I am a little confused. There is no mention of the 192.199.x.x network in the config you posted. Where is this network located? Maybe you are just missing a route statement?

Please clarify.

Regards

Iain

The 192.199.x.x network should be ethernet0/2. This should be a different network than ethernet0/1. I do feel like I am missing a routing statement, but if I am allowing traffic to pass on the same security level interfaces, the ASA should take care of that statement, right?

Shane
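The following is an added example, not a config from this thread or from Shane's ASA. It pulls together the three pieces the thread discusses (the NAT exemption with "nat 0 access-list" from Iain's post, the dynamic NAT group 101 that Shane added for the VLAN interface, and the same-security-level and routing question in the last post) into one pre-8.3 ASA configuration. The interface names "inside", "outside" and "mci_domain", the security levels, the /16 and /24 masks and the outside addresses (taken from the 203.0.113.0/24 documentation range) are all assumptions made for the example.

```cisco
! Added example, not from the thread. Assumed nameifs, masks and outside
! addresses are placeholders; adjust to match "show run interface".
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.254 255.255.0.0
!
! The VLAN from the original post, on its own routed interface.
interface Ethernet0/2
 nameif mci_domain
 security-level 100
 ip address 192.199.1.254 255.255.255.0
!
! Two interfaces at the same security level will not pass traffic between
! each other until this is enabled. It does not replace NAT or a route.
same-security-traffic permit inter-interface
!
! NAT exemption between the two internal networks, on both interfaces.
! nat 0 is matched before the dynamic pool, so this traffic keeps its
! real addresses. Specific source/destination pairs rather than "any"
! keep the exemption from silently covering other traffic.
access-list No-Nat-inside extended permit ip 172.16.0.0 255.255.0.0 192.199.1.0 255.255.255.0
access-list No-Nat-mci extended permit ip 192.199.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list No-Nat-inside
nat (mci_domain) 0 access-list No-Nat-mci
!
! Everything else from either internal network is PAT'd to the outside
! interface address (NAT group 101, as in Shane's follow-up).
global (outside) 101 interface
nat (inside) 101 172.16.0.0 255.255.0.0
nat (mci_domain) 101 192.199.1.0 255.255.255.0
!
! Only the default route is needed: 172.16.0.0/16 and 192.199.1.0/24
! are directly connected, so the ASA already has routes for them.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

After applying NAT changes, "clear xlate" drops existing translations so the new rules are used. Verification is "show xlate" (a 192.199.1.x to 172.16.x.x flow should show an identity translation) and "packet-tracer input mci_domain tcp 192.199.1.10 1025 172.16.3.13 445", which reports at which phase (route lookup, NAT, ACL, or the same-security check) a packet is dropped. Note that 192.199.1.0/24 is not RFC 1918 private space; the example keeps it only because the thread uses it.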
