Routing between interfaces on ASA

Unanswered Question
May 21st, 2008

Hi,


I have an ASA with three interfaces: inside, outside and otherlan. On otherlan there's an EthernetDevice that must be reached from inside, but not from outside.


The relevant part of configuration is:


name A.B.C.D EthernetDevice
!
interface Vlan1
 nameif inside
 security-level 100
 ip address X.Y.Z.T 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address IP-PUBBLICO NETMASK
!
interface Vlan3
 nameif otherlan
 security-level 50
 ip address A.B.C.E 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 3
!
[...]
access-list otherlan_access_in extended permit ip host EthernetDevice X.Y.Z.0 255.255.255.0
access-list inside_access_list extended permit ip X.Y.Z.0 255.255.255.0 host EthernetDevice
global (outside) 1 interface
global (otherlan) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,otherlan) EthernetDevice EthernetDevice netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group otherlan_access_in in interface otherlan
route outside 0.0.0.0 0.0.0.0 X.Y.Z.T 1


EthernetDevice has an embedded HTTP server, which is working, i.e. it is reachable from a PC on otherlan, and it has A.B.C.E as its default gateway.


The problem is that I can't reach it from a PC on the inside LAN, and in the ASA log I have the following error:


portmap translation creation failed for tcp src inside:X.Y.Z.P/2461 dst altralan:EthernetDevice/80


I've also tried to use:


global (otherlan) 2 X.Y.Z.4-X.Y.Z.10 netmask 255.255.255.0


and tried to reach it from a PC whose IP is in the pool, but no luck either.


What is wrong, or what haven't I understood?


Thanks in advance


Ciao

mike-greene Thu, 05/22/2008 - 07:08

Hi,

I think this static is wrong.

static (inside,otherlan) EthernetDevice EthernetDevice netmask 255.255.255.255


It should be


static (inside,otherlan) X.Y.Z.T X.Y.Z.T netmask 255.255.255.0


HTH
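To make the inconsistencies in the posted config checkable rather than eyeballed, here is a small linter for the pre-8.3 ASA nat/global/static syntax. It is an added example, not code from the thread or from Cisco. The addresses are constructed stand-ins for the redacted X.Y.Z / A.B.C values, and the `global (otherlan) 1 interface` line in the second config is my own assumption, not something either post suggests. Against the question's config it reports that `nat (inside) 1` has no global with the same ID on otherlan, and that the static's real address sits on otherlan's subnet even though the static names inside as the real interface; with the static from the reply above plus a matching global, it reports nothing.

```python
"""Consistency linter for pre-8.3 ASA (nat/global/static) NAT configuration.

Added example, not code from the thread or from Cisco. It looks for the two
mismatches in the posted config that leave inside->otherlan flows without a
usable translation:
  1. a dynamic `nat (ifc) ID` with no `global (<egress ifc>) ID` partner, and
  2. a `static (real_ifc,mapped_ifc) mapped real netmask m` whose real address
     is not on real_ifc's subnet (here: the interface pair written backwards).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for the redacted config in the question (assumed values):
# X.Y.Z.0/24 -> 10.1.1.0/24, A.B.C.0/24 -> 10.2.2.0/24, EthernetDevice -> 10.2.2.20.
POSTED_CONFIG = """\
name 10.2.2.20 EthernetDevice
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Vlan3
 nameif otherlan
 security-level 50
 ip address 10.2.2.1 255.255.255.0
global (outside) 1 interface
global (otherlan) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,otherlan) EthernetDevice EthernetDevice netmask 255.255.255.255
"""

# Same config with the static from the reply (X.Y.Z.T -> 10.1.1.1) and, as an
# assumption of mine rather than something the thread says, a global on
# otherlan carrying the same NAT ID as `nat (inside) 1`.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "global (otherlan) 2 interface", "global (otherlan) 1 interface"
).replace(
    "static (inside,otherlan) EthernetDevice EthernetDevice netmask 255.255.255.255",
    "static (inside,otherlan) 10.1.1.1 10.1.1.1 netmask 255.255.255.0",
)

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
NAMEIF_RE = re.compile(r"^nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def parse(config):
    """Collect object names, interface subnets, nat/global IDs and statics."""
    names, nets, globs, nats, statics = {}, {}, defaultdict(set), [], []
    cur_name = cur_net = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            cur_name = cur_net = None          # new interface block starts
        elif m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)     # `name <ip> <alias>`
        elif m := NAMEIF_RE.match(line):
            cur_name = m.group(1)
        elif m := IPADDR_RE.match(line):
            cur_net = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := GLOBAL_RE.match(line):
            globs[m.group(1)].add(int(m.group(2)))
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2))))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())         # (real_ifc, mapped_ifc, mapped, real, mask)
        if cur_name and cur_net:
            nets[cur_name] = cur_net
    return names, nets, globs, nats, statics


def lint(config):
    """Return human-readable findings; an empty list means both checks passed."""
    names, nets, globs, nats, statics = parse(config)
    findings = []
    for ifc, nat_id in nats:
        if nat_id == 0:
            continue                           # nat 0 (exemption/identity) needs no global
        for egress in nets:
            if egress != ifc and nat_id not in globs[egress]:
                findings.append(
                    f"nat ({ifc}) {nat_id} has no global ({egress}) {nat_id}: "
                    f"{ifc}->{egress} flows matching it cannot be translated unless "
                    f"a static or nat 0 rule covers them first")
    for real_ifc, mapped_ifc, _mapped, real_tok, mask in statics:
        real_ip = names.get(real_tok, real_tok)
        real_range = ipaddress.IPv4Network(f"{real_ip}/{mask}", strict=False)
        real_net, mapped_net = nets.get(real_ifc), nets.get(mapped_ifc)
        if real_net is None or real_range.subnet_of(real_net):
            continue                           # real address is on real_ifc: fine
        # Heuristic: a real network routed behind real_ifc is flagged as well, but
        # a real address sitting on the *mapped* interface means a reversed pair.
        hint = (f"; it is on {mapped_ifc}'s subnet, so the interface pair is reversed"
                if mapped_net is not None and real_range.subnet_of(mapped_net) else "")
        findings.append(
            f"static ({real_ifc},{mapped_ifc}): real address {real_tok} "
            f"({real_range}) is not on {real_ifc} ({real_net}){hint}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint(cfg) or ['no findings']}")
```

Run it with Python 3.8 or newer; a real `show running-config` can be fed through `lint(open(path).read())`. Statics for networks that are routed behind an interface rather than directly connected will also be flagged, so treat the second check as a pointer to look at, not a verdict.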


smitty6504 Thu, 05/22/2008 - 07:55
This is a limitation of the ASA. You cannot have two active routes to the outside. You can have a primary link to the outside and a backup link that monitors the interface for an outage.
