ASA 5510 Dynamic NAT on Sub-Interfaces

Unanswered Question
May 15th, 2010

Hi,

I have an ASA 5510 that was originally set up with no VLANs. I have a SIP telephone system on the inside interface. I have now added two sub-interfaces to the inside interface for separate VLANs, as shown below.



!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address ***.***.***.*** 255.255.255.***
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.*** 255.255.255.0
!
interface Ethernet0/1.2
 vlan 10
 nameif inside2
 security-level 100
 ip address 172.***.***.*** 255.255.0.0
!
interface Ethernet0/1.3
 vlan 100
 nameif inside_Private
 security-level 90
 ip address 192.168.16.*** 255.255.255.0
!


Ethernet0/0 and 0/1 were originally set up, then I added Ethernet0/1.2 and 1.3.

Dynamic NAT rules were also set up on the inside interface as follows:

nat (inside) 1 0.0.0.0 0.0.0.0

I then added the same for the other inside interfaces:

nat (inside2) 1 0.0.0.0 0.0.0.0
nat (inside_Private) 1 0.0.0.0 0.0.0.0

which seems to work fine; I can access the internet from all inside interfaces (depending on firewall rules, of course).


The problem is that when I add the dynamic NAT rules for inside2 and inside_Private, it breaks the incoming SIP from getting to the Asterisk box. As soon as I remove them it works again.

Is this due to having untagged traffic with the inside interface? Do I need to create a new sub-interface to be used instead, so I would have Ethernet0/1.1, Ethernet0/1.2 and Ethernet0/1.3, and then remove the IP from Ethernet0/1? If this is the case, then what is the best way to change this, as I have a lot of firewall rules set up on this interface that would need moving over?


Thanks

Dan

Diego Armando C... Tue, 05/18/2010 - 12:02

If you are going to split your physical interface into VLANs or sub-interfaces, you should not have an IP address on your Eth 0/1.

That interface should not have any configuration: no name, no sec level. So go ahead and create the 0/1.1.
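A small lint that flags the layout the reply above warns against: a physical ASA interface that still carries nameif/ip while sub-interfaces hang off it. This is an added example, not code from the thread; the addresses and the vlan id used for Ethernet0/1.1 are constructed placeholders, since the post masks the real ones.

```python
"""Lint an ASA config for a physical interface that still carries nameif or ip
address while sub-interfaces hang off it, the layout the reply above says to
avoid. Added example, not from the thread; addresses and the vlan id on 0/1.1
are constructed placeholders (the post masks the real ones)."""

# Constructed sample, trimmed to Ethernet0/1 and one sub-interface from the post.
BROKEN_CFG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1.2
 vlan 10
 nameif inside2
 ip address 172.16.0.1 255.255.0.0
!
"""

# Constructed: what the reply recommends; 'inside' moves to 0/1.1 (vlan 20 placeholder).
FIXED_CFG = """\
interface Ethernet0/1
!
interface Ethernet0/1.1
 vlan 20
 nameif inside
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1.2
 vlan 10
 nameif inside2
 ip address 172.16.0.1 255.255.0.0
!
"""

def parse_interfaces(cfg):
    """Map each 'interface X' stanza to the set of keywords configured under it."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], set())
        elif cur is not None and line.startswith(" ") and line.strip():
            cur.add(line.split()[0])          # nameif, ip, vlan, ...
        elif line.strip() == "!":
            cur = None                        # '!' closes the stanza
    return ifaces

def l3_parents_of_subinterfaces(cfg):
    """Physical interfaces that own sub-interfaces and also carry nameif/ip."""
    ifaces = parse_interfaces(cfg)
    parents = {name.split(".")[0] for name in ifaces if "." in name}
    return sorted(p for p in parents if ifaces.get(p, set()) & {"nameif", "ip"})
```

Running `l3_parents_of_subinterfaces(BROKEN_CFG)` reports `Ethernet0/1`; the same check on `FIXED_CFG` returns an empty list.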
