ASA sub interface with Catalyst 6509-E

Unanswered Question
May 1st, 2009

Hi


I am facing a strange issue with my configuration on the ASA with the Catalyst. I configured a sub-interface on the ASA; below is the configuration:


Interface Gigabitethernet 0/1.666
 vlan 666
 nameif Internet_VLAN
 security-level 50
 ip address 192.168.201.253 255.255.255.0

nat (Internet_VLAN) 2 192.168.201.0 255.255.255.0
global (outside) 2 1.2.3.4


On the Catalyst 6509 I created the same VLAN and configured the trunk port connecting to the ASA inside interface as below:


Interface Gigabitethernet 2/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,666
 switchport mode trunk

Interface Vlan 666
 ip address 192.168.201.254 255.255.255.0


I am able to ping the sub-interface IP on the ASA and vice versa. Also, when I configured a workstation with an IP in the same subnet, it can ping the switch VLAN IP as well as the ASA sub-interface.


But when I try to browse the Internet, the syslog does not show any entry, so I cannot identify which part of the ASA is denying the traffic.


I tried to use the packet-tracer on the ASA to see where the packet gets denied. At first it showed that the packet was denied by the outside interface, so I configured the outside access-list accordingly, and the syslog showed the hits appropriately. Then it showed that there is no translation group for the returning traffic to the ASA, with syslog showing the hits again...


Therefore, I have two questions:


1. Why is the syslog not showing hits when I browse the Internet from the workstation, but it does when I use the packet-tracer?

2. What's with this translation group error? The other subnet, which is configured on the inside interface g0/0, works just fine (I mean emp can browse the Internet and all); it has the same kind of configuration as the sub-interface.


Just one more thing to add: I am using a DNS which is outside the firewall, or you can say the ISP DNS. Could it be that when I browse, it's the DNS which sends the requests to the ASA, and I am filtering on the workstation IP instead, and that's why it's not appearing in my syslog? It could be, right?


Because when I ping from the station, I see hits.


Any help would be a great help.
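As an added example (not part of the post above), a small Python consistency check over the two configurations: it verifies that each ASA sub-interface VLAN is allowed on the Catalyst trunk, that the switch SVI and the ASA sub-interface share a subnet, and that every "nat (ifname) id" has a "global (outside) id" with the same id. The config text is reconstructed from the post, with the interface names written in the usual IOS/ASA form, and is constructed input rather than device output.

```python
import re
from ipaddress import ip_interface

# Constructed copies of the two snippets in the post (not captured from a live device).
ASA_CFG = """interface GigabitEthernet0/1.666
 vlan 666
 nameif Internet_VLAN
 security-level 50
 ip address 192.168.201.253 255.255.255.0
nat (Internet_VLAN) 2 192.168.201.0 255.255.255.0
global (outside) 2 1.2.3.4
"""
SWITCH_CFG = """interface GigabitEthernet2/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,666
 switchport mode trunk
interface Vlan666
 ip address 192.168.201.254 255.255.255.0
"""

def expand_vlans(spec):
    """Expand a trunk 'allowed vlan' list such as '1,666,700-702' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def check(asa_cfg, switch_cfg):
    """Return a list of mismatches between ASA sub-interfaces and the Catalyst trunk/SVIs."""
    allowed = set()
    for m in re.finditer(r"switchport trunk allowed vlan (\S+)", switch_cfg):
        allowed |= expand_vlans(m.group(1))
    svis = {int(v): ip_interface(f"{ip}/{mask}") for v, ip, mask in
            re.findall(r"interface Vlan(\d+)\n ip address (\S+) (\S+)", switch_cfg)}
    global_ids = set(re.findall(r"^global \(outside\) (\d+)", asa_cfg, re.M))
    problems = []
    sub_re = r"interface \S+\.\d+\n vlan (\d+)\n nameif (\S+)\n(?: .*\n)*? ip address (\S+) (\S+)"
    for vlan, nameif, ip, mask in re.findall(sub_re, asa_cfg):
        vlan, sub = int(vlan), ip_interface(f"{ip}/{mask}")
        if vlan not in allowed:
            problems.append(f"vlan {vlan} ({nameif}) is not allowed on the switch trunk")
        svi = svis.get(vlan)
        if svi is None or svi.network != sub.network:
            problems.append(f"no switch SVI for vlan {vlan} in {sub.network}")
        # A 'nat (ifname) id' with no 'global (outside) id' of the same id leaves no translation group.
        for nat_id in re.findall(rf"^nat \({re.escape(nameif)}\) (\d+)", asa_cfg, re.M):
            if nat_id not in global_ids:
                problems.append(f"nat ({nameif}) {nat_id} has no matching global (outside) {nat_id}")
    return problems
```

Running check(ASA_CFG, SWITCH_CFG) on the configuration as posted returns an empty list, so the VLAN, subnet and NAT-id pairing themselves are consistent; the check narrows the search, it does not replace packet-tracer.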
