Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
333
Views
0
Helpful
1
Replies

Need help with VLans, subinterfaces, and NAT on 5506-X

adam.stadnick
Level 1
Level 1

‎11-21-2016 01:28 PM - edited ‎03-12-2019 01:33 AM

Hey everyone. I've been wrestling with this for a while and I'm out of ideas.

I have a virtual machine that is intended to be a web-facing server. It is segregated on its own VLan, which is handled by a Cisco 2960XR Layer 3 switch. The traffic is sent to a subinterface on our 5506-X firewall.

VM -> Layer 3 switch -> ASA subinterface -> ASA 'inside' interface -> Traffic stops here -> Outside interface

I can ping back and forth from the VM to the subinterface IP as well as the 'master' inside interface IP with no problems, however I can't get the server to talk outside at all. However traffic on the primary network (native VLAN) can access the Internet fine.

I have been reading conflicting documentation and forum threads for over a day now so I'm beyond confused.

To start with, I need help getting this VM to talk to the Internet. Afterwards I may need help getting inbound traffic pointed at the VM, although I think I can handle that part.

Here are my NAT config lines including the NAT for our site to site VPN over two ISP links:

nat (inside,outside) source static Site1-inside Site1-inside destination static vpn vpn no-proxy-arp route-lookup
nat (inside,outside2-Comcast) source static Site1-inside Site1-inside destination static Site2-Inside Site2-Inside no-proxy-arp route-lookup
nat (inside,outside2-Comcast) source static Site1-inside Site1-inside destination static vpn vpn no-proxy-arp route-lookup
nat (inside,outside) source static Site1-inside Site1-inside destination static Site2-Inside Site2-Inside no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
object network obj_any2
 nat (any,outside2-Comcast) dynamic interface

I don't believe this is a security issue as I am running into the spectacularly unhelpful 'routing failed to locate next hop' error if I try to ping out:

6 Nov 21 2016 16:20:11 110003 8.8.8.8 0 IPOFVMONVLAN 1 Routing failed to locate next hop for ICMP from outside2-Comcast:8.8.8.8/0 to inside:IPOFVMONVLAN/1

And again pinging out on the main interface works fine, and ICMP inspection is on.

I have deleted my NAT statements pertaining to this VLAN as I no longer have any idea what I had that was good and what was bad. My last attempt was:

nat (VL0254,outside2-Comcast) static obj_any

(obj_any is 0.0.0.0 with a mask of 0.0.0.0)

I also tried several other variations, including specifying the VM's IP directly and specifying 8.8.8.8 directly but still can't get it to work. I have also tried route-lookup on each variation with no change.

I would appreciate any help, and if you're feeling REALLY nice also an explanation of what I'm doing wrong.

Thanks!

Labels:
0 Helpful
1 Reply 1

adam.stadnick
Level 1
Level 1

‎11-30-2016 08:24 AM

Figured it out with some help. I overcomplicated things quite a bit. Moved the VL interface to a dedicated port and set that IP as the gateway on the VM and everything's working now.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card