Subinterfaces won't communicate and only one subnet can NAT.

Unanswered Question
Oct 28th, 2008

I have an ASA5510 which I have set up with subinterfaces on e0/0. I have had one subinterface working for some time with PAT, but I have recently added a new subinterface. I have set both of them to the same security level and I have enabled both same-security-traffic permit inter-interface and same-security-traffic permit intra-interface. I thought the intra-interface should have done it, but I guess I was wrong. The weird thing is that I have set up DHCP relay and I can get an address from the server that is located on the network connected to the other subinterface.

Also, I can't seem to get NAT working with any other network except the network. I have mimicked the configuration I set up for the network and I get errors stating there is no translation group for 192.168.31.x.

I attached the config in hopes that someone will point out my mistakes.

Chuan Liu Sat, 11/29/2008 - 11:08

Have you got any solutions?

I am having similar problems with the ASA5510. I created a new subinterface and connected one host. I can ping the new host from the ASA. But I cannot ping it from any other existing directly connected hosts, even though I have ACL 'permit any any' on 'in and out' directions. Capture shows ICMP hits the incoming interface, but not the outgoing interface to the new host. When I put the capture type in 'asp-drop', it shows the packets are dropped. So, the ASA is simply dropping the packets to the new subnet.

There are 10 existing subinterfaces on this ASA and they have been all working fine for years. The ASA supports 100 vlans.

Any advice is appreciated.

kymera-it Sat, 11/29/2008 - 20:22

I got it working, but I had to turn off nat-control. Once I did that it worked, with subinterfaces of different security levels. I have yet to test it out on same-security-level subinterfaces. I plan on working on that this week, so I will post back if there was anything special that I had to do.

Chuan Liu Sat, 11/29/2008 - 23:12

In my ASA, nat-control has never been turned on. I configured the new subinterface exactly the same as the existing ones except for IP address and security level. I still have no luck.

Thanks for your reply.

kymera-it Sun, 11/30/2008 - 16:30

Did you create access-lists that allow the desired traffic between the different subinterfaces of different security levels, and then assign the access-list using an access-group? If the security level of the source int is lower than the destination int, then you need to apply an access list that allows traffic going into the source int to go to the destination.
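Putting the pieces of this thread together (same-security-traffic and the "no translation group" error from the original post, nat-control from kymera-it's first reply, and the lower-to-higher ACL from the reply above), here is an added configuration sketch in the pre-8.3 ASA syntax that was current in 2008. It is not taken from the thread or from the attached config; the interface names, VLAN IDs, the 192.168.30.0/24 network, the outside address and the test hosts are assumed. Only 192.168.31.x comes from the original post.

```cisco
! Trunk port carrying two 802.1Q subinterfaces (VLAN IDs, nameifs and
! the 192.168.30.0/24 network are assumed for this example).
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.30
 vlan 30
 nameif lan30
 security-level 50
 ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/0.31
 vlan 31
 nameif lan31
 security-level 50
 ip address 192.168.31.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Traffic between two interfaces at the SAME security level needs
! "inter-interface". "intra-interface" only covers flows that enter and
! leave the same interface (U-turn / hairpin), so it does not help here.
same-security-traffic permit inter-interface
!
! With nat-control enabled, every flow that crosses interfaces must match a
! nat/global, static or nat 0 rule; a flow with no rule is dropped and logged
! as "No translation group found". Either disable it ...
no nat-control
!
! ... or keep it and give every subnet a translation. PAT both LANs behind
! the outside interface address (NAT ID 1):
nat (lan30) 1 192.168.30.0 255.255.255.0
nat (lan31) 1 192.168.31.0 255.255.255.0
global (outside) 1 interface
!
! Exempt lan30 <-> lan31 traffic from translation so the PAT rule above is
! never applied to it. "nat 0 access-list" (NAT exemption) matches flows
! started from either side; it is listed on both interfaces for clarity.
access-list NONAT30 extended permit ip 192.168.30.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list NONAT31 extended permit ip 192.168.31.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (lan30) 0 access-list NONAT30
nat (lan31) 0 access-list NONAT31
!
! If the subinterfaces had DIFFERENT security levels (say lan31 at 40),
! traffic from the lower one must be permitted by an ACL applied inbound
! on that lower-security interface:
access-list LAN31_IN extended permit ip 192.168.31.0 255.255.255.0 192.168.30.0 255.255.255.0
access-group LAN31_IN in interface lan31
!
! Verification from the CLI (host addresses are made up):
!   packet-tracer input lan31 icmp 192.168.31.10 8 0 192.168.30.10
!   show asp drop
!   capture DROPS type asp-drop all
```

The packet-tracer output names the phase (ACCESS-LIST, NAT, FLOW-CREATION, ...) in which a packet is dropped, which is quicker than an asp-drop capture for telling a missing translation apart from a missing access-list entry; `show asp drop` lists the drop-reason counters so you can see which reason is incrementing. An identity static (`static (lan30,lan31) 192.168.30.0 192.168.30.0 netmask 255.255.255.0`) is the other common way to satisfy nat-control between two internal interfaces.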

