I have an ASA 5510. I have two internal networks: 192.168.1.0/24 is connected directly to the ASA. 192.168.10.0/24 is connected to 192.168.1.0/24 via a Cisco 1811 router. I would like both internal networks to be able to communicate with each other. As soon as I put the ASA into the picture, the two networks can no longer communicate with each other. I found information that says to add “same security traffic permit intra-interface”, which I have done. Next I got packets denied by the ACL. I added an ACL to allow the traffic, and now I am getting two errors:
- portmap translation creation failed for udp src Internal:A-192.168.1.34/53 dst Internal:192.168.10.11/53761
- No matching connection for ICMP error message: icmp src Internal:A-192.168.1.15 dst Internal:192.168.10.11 (type 3, code 3) on Internal interface. Original IP payload: udp src 192.168.10.11/53761 dst A-192.168.1.15/53
I assume it needs some sort of NAT statement? I am very new to Cisco and I am not sure what NAT to add. I guess I am also confused: I would think that since the 192.168.10.0 network is not attached to the firewall and is not trying to reach the internet (at this point), the ASA would not be monitoring the traffic.
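One configuration that addresses the two log messages quoted above, added here as an example and not taken from the thread or from any reply in it. It assumes ASA software 8.2 or earlier (the `nat`/`global` model), an inside interface named `Internal` (the name appears in the log messages), and that the 1811's address on the 192.168.1.0/24 segment is 192.168.1.254, which is a placeholder to be replaced with the real address:

```cisco
! Added example, not from the thread. Assumes ASA 8.2 or earlier, an inside
! interface named "Internal", and that the 1811 sits at 192.168.1.254
! (PLACEHOLDER - substitute the router's real address on 192.168.1.0/24).

! 1. Allow a flow to enter and leave the same interface (already added per the post).
same-security-traffic permit intra-interface

! 2. Tell the ASA how to reach the far subnet: through the 1811, back out "Internal".
route Internal 192.168.10.0 255.255.255.0 192.168.1.254 1

! 3. Exempt traffic between the two internal subnets from NAT.
!    Without this, the dynamic "nat (Internal) 1 ..." rule used for internet
!    access is applied to the hairpinned flow, and because there is no
!    "global (Internal) 1 ..." pool on that interface the ASA logs
!    "portmap translation creation failed".
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (Internal) 0 access-list NONAT

! 4. Confirm that a hairpinned DNS query is now allowed and left untranslated.
packet-tracer input Internal udp 192.168.1.34 1024 192.168.10.11 53
show xlate

! On ASA 8.3 and later the NAT exemption is written as an identity twice-NAT rule:
! object network NET-LAN
!  subnet 192.168.1.0 255.255.255.0
! object network NET-REMOTE
!  subnet 192.168.10.0 255.255.255.0
! nat (Internal,Internal) source static NET-LAN NET-LAN destination static NET-REMOTE NET-REMOTE no-proxy-arp route-lookup
```

The second log message points at a separate problem that NAT alone will not cure. The ICMP port-unreachable from 192.168.1.15 reaches the ASA, but the UDP query it answers (192.168.10.11 to 192.168.1.15 port 53) never did. If the 1811's inside interface is on the 192.168.1.0/24 segment, the router delivers that query to 192.168.1.15 directly, while the host sends its reply to its default gateway, the ASA, which has no connection for the flow and drops it. The practical remedy is to keep both directions off the firewall (a route for 192.168.10.0/24 via the 1811 on the 192.168.1.0/24 hosts, or the 1811 as their default gateway) or to put both directions through it by attaching the 1811 to its own ASA interface.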
Knowing that the one subnet is typically a guest/shared PC subnet makes the ASA a great option -- you'll be able to keep your guests and conference room PCs separated from the rest of the network.
Good luck with your deployment.