Cisco Support Community


Adding a second subnet on ASA 5505 with Security Plus License

We recently upgraded an ASA 5505 with the security plus license to allow us to add a second subnet, but are having a few problems configuring the second subnet. The original subnet we have configured, 10.1.1.0, is able to access the internet without any problems. However, the new subnet 10.1.5.0 is unable to access the internet, and when we ran a trace packet the nat config nat (inside) 1 0.0.0.0 0.0.0.0 is showing as the rule that drops the packet.

Additionally we have not been able to get the 2 subnets to talk to each other even though same-security-traffic permit inter-interface is configured.  Any suggestions on configuring the subnet 10.1.5.0 to access the internet or to get the subnets to communicate would be appreciated.  Below is a streamlined version of our current config.

Thanks,

KJ

!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 66.66.66.66 255.255.255.240
ospf cost 10
!
interface Vlan13
nameif corporate
security-level 100
ip address 10.1.5.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/5
switchport access vlan 13
speed 100
duplex full
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup corporate
dns server-group DefaultDNS
name-server 10.1.1.10
domain-name test.com
same-security-traffic permit inter-interface
object-group service rdp tcp
description Remote Desktop Protocol
port-object eq 3389
object-group service rsync tcp
description rsync
port-object eq 873
object-group service smb tcp
description smb
port-object eq netbios-ssn
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in extended permit tcp any any object-group rsync
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any object-group smb
access-list out_in extended permit tcp any interface outside eq 3389
access-list AXEMP_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list inside_access_in extended permit icmp any any inactive
access-list inside_access_in extended permit tcp any any object-group rsync
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any object-group smb
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list corporate_access_in extended permit icmp any any inactive
access-list corporate_access_in extended permit tcp any any object-group rsync
access-list corporate_access_in extended permit ip any any
access-list corporate_access_in extended permit tcp any any object-group smb
access-list corporate_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.224
access-list corporate_nat0_outbound extended permit ip 10.1.5.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu corporate 1500
ip local pool AXVPNPool 10.1.1.200-10.1.1.210 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface corporate
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (corporate) 0 access-list corporate_nat0_outbound
nat (corporate) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group corporate_access_in in interface corporate
route outside 0.0.0.0 0.0.0.0 63.135.165.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
console timeout 0
!

15 REPLIES

Adding a second subnet on ASA 5505 with Security Plus License

Hello,

Provide the following please.

packet-tracer input corporate tcp 10.1.5.15 1025 4.2.2.2 80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Adding a second subnet on ASA 5505 with Security Plus License

Result of the command: "packet-tracer input corporate tcp 10.1.5.101 1025 4.2.2.2 80"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group corporate_access_in in interface corporate
access-list corporate_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
  match ip corporate any outside any
    dynamic translation to pool 1 (63.135.165.98 [Interface PAT])
    translate_hits = 3, untranslate_hits = 0
Additional Information:
Dynamic translate 10.1.5.101/1025 to 63.135.165.98/21960 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
  match ip corporate any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 326, untranslate_hits = 0
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 183492, packet dispatched to next module

Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 63.135.165.97 using egress ifc outside
adjacency Active
next-hop mac address 001e.4a54.42cd hits 551390

Result:
input-interface: corporate
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Adding a second subnet on ASA 5505 with Security Plus License

hello,

See, everything seems to be fine.

So no connectivity between Corporate and outside.

Do you already have a DNS server applied to a Corporate user? Can I have the IP of one of them?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Adding a second subnet on ASA 5505 with Security Plus License

The DNS server is actually sitting in the 10.1.1.0 subnet. Therefore the fact that the 10.1.1.0 and 10.1.5.0 subnets are not talking could be related to why the 10.1.5.0 machines cannot access the internet.

Adding a second subnet on ASA 5505 with Security Plus License

That is the problem, without DNS you will not go out!

Please provide:

packet-tracer input corporate udp  10.1.5.101 1025 10.1.1.15 53

packet-tracer input inside tcp 10.1.1.15 1025 10.1.5.101 80

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Adding a second subnet on ASA 5505 with Security Plus License

Appreciate the help jcarvaja. Here is the information requested.

packet-tracer input corporate udp  10.1.5.101 1025 10.1.1.89 53

Result of the command: "packet-tracer input corporate udp  10.1.5.101 1025 10.1.1.89 53"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.1.0        255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group corporate_access_in in interface corporate
access-list corporate_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip corporate 10.1.5.0 255.255.255.0 inside 10.1.1.0 255.255.255.0
    NAT exempt
    translate_hits = 2997, untranslate_hits = 4
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
  match ip corporate any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 326, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
  match ip corporate any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 326, untranslate_hits = 0
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any corporate any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 4, untranslate_hits = 0
Additional Information:

Result:
input-interface: corporate
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

packet-tracer input inside tcp 10.1.1.89 1025 10.1.5.101 80

Result of the command: "packet-tracer input inside tcp 10.1.1.89 1025 10.1.5.101 80"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.5.0        255.255.255.0   corporate

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 63.135.165.110 12356 COMP 3389 netmask 255.255.255.255
  match tcp inside host COMP eq 3389 outside any
    static translation to 63.135.165.110/12356
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any corporate any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 5, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: corporate
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
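
A small parser for this kind of packet-tracer output, added here as an example (it is not from the thread or from Cisco): it splits a trace into phases, picks out the first DROP phase with its config lines (here the nat (inside) 1 rule with no matching global, as in the traces above), and flags drop codes that come from packet-tracer's own synthetic packet rather than from policy. The sample trace is constructed and trimmed from the output posted above.

```python
# Constructed sample, trimmed from the kind of packet-tracer output quoted in
# this thread; it is not a verbatim capture from the poster's ASA.
SAMPLE = """\
Result of the command: "packet-tracer input corporate udp 10.1.5.101 1025 10.1.1.89 53"

Phase: 2
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip corporate 10.1.5.0 255.255.255.0 inside 10.1.1.0 255.255.255.0
    NAT exempt
Additional Information:

Phase: 3
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any corporate any
    dynamic translation to pool 1 (No matching global)
Additional Information:

Result:
input-interface: corporate
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Drop codes produced by packet-tracer's synthetic packet itself (an empty UDP/53
# packet fails DNS inspection); real traffic does not hit them, so do not chase them.
TRACER_ARTIFACTS = {"inspect-dns-invalid-pak"}


def parse_packet_tracer(text):
    """Split packet-tracer output into its phases and the final Result block."""
    phases, result, phase, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            phase = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(phase)
            section = None
        elif line == "Result:":                 # bare "Result:" opens the summary block
            phase, section = None, "result"
        elif section == "result":
            key, _, val = line.partition(":")
            result[key.strip().lower()] = val.strip()
        elif phase is not None:
            if line.startswith(("Type:", "Subtype:", "Result:")):
                key, _, val = line.partition(":")
                phase[key.lower()] = val.strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section:
                phase[section].append(line)
    return {"phases": phases, "result": result}


def first_drop(trace):
    """First phase whose Result is DROP (the rule packet-tracer blames), or None."""
    return next((p for p in trace["phases"] if p.get("result") == "DROP"), None)


def triage(trace):
    """Summarise the verdict, the drop code, the blamed phase and its config lines."""
    res = trace["result"]
    reason = res.get("drop-reason", "")
    code = reason[1:reason.find(")")] if reason.startswith("(") else None
    drop = first_drop(trace)
    return {
        "action": res.get("action"),
        "drop_code": code,
        "drop_phase": f"{drop['type']}/{drop['subtype'] or '-'}" if drop else None,
        "drop_config": drop["config"] if drop else [],
        "tracer_artifact": code in TRACER_ARTIFACTS,
    }
```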

Adding a second subnet on ASA 5505 with Security Plus License

Hello,

To solve the problem add the following:

global (inside) 1 interface

global (corporate) 1 interface

Do rate all the helpful posts!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Adding a second subnet on ASA 5505 with Security Plus License

I thought the following would have covered the setup for ASA version 7.2(4).

global (inside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (corporate) 0 access-list corporate_nat0_outbound

nat (corporate) 1 0.0.0.0 0.0.0.0

I can try the recommended changes tonight.

Adding a second subnet on ASA 5505 with Security Plus License

Hello,

Yeap, but the ASA is not taking that, it is a strange behavior.

Please give it a try with that and keep us informed!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Adding a second subnet on ASA 5505 with Security Plus License

If the above recommendation fails, do you believe the following might help the subnets talk?

static (inside,corporate) 10.1.1.0 10.1.5.0 netmask 255.255.255.0
static (corporate,inside) 10.1.5.0 10.1.1.0 netmask 255.255.255.0

Adding a second subnet on ASA 5505 with Security Plus License

Hello,

Yeap, that would also do it, but as we can see in the packet tracer, the ASA is dropping the packets as there is no matching global.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Adding a second subnet on ASA 5505 with Security Plus License

Still not able to ping or access the machines between subnets after adding the global commands. Here are the updated packet tracer results.

Result of the command: "packet-tracer input corporate udp  10.1.5.100 1025 10.1.1.89 53"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.1.0        255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group corporate_access_in in interface corporate
access-list corporate_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip corporate 10.1.5.0 255.255.255.0 inside 10.1.1.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
  match ip corporate any inside any
    dynamic translation to pool 1 (10.1.1.1 [Interface PAT])
    translate_hits = 10, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
  match ip corporate any inside any
    dynamic translation to pool 1 (10.1.1.1 [Interface PAT])
    translate_hits = 10, untranslate_hits = 0
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any corporate any
    dynamic translation to pool 1 (10.1.5.1 [Interface PAT])
    translate_hits = 6, untranslate_hits = 0
Additional Information:

Result:
input-interface: corporate
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Result of the command: "packet-tracer input inside tcp 10.1.1.89 1025 10.1.5.100 80"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.5.0        255.255.255.0   corporate

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 63.135.165.110 12356 Ryan 3389 netmask 255.255.255.255
  match tcp inside host Ryan eq 3389 outside any
    static translation to 63.135.165.110/12356
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any corporate any
    dynamic translation to pool 1 (10.1.5.1 [Interface PAT])
    translate_hits = 7, untranslate_hits = 0
Additional Information:
Dynamic translate Ryan/1025 to 10.1.5.1/1024 using netmask 255.255.255.255

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
  match ip corporate any inside any
    dynamic translation to pool 1 (10.1.1.1 [Interface PAT])
    translate_hits = 10, untranslate_hits = 0
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
  match ip corporate any inside any
    dynamic translation to pool 1 (10.1.1.1 [Interface PAT])
    translate_hits = 10, untranslate_hits = 0
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1063, packet dispatched to next module

Phase: 12
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.5.100 using egress ifc corporate
adjacency Active
next-hop mac address 0019.d167.be39 hits 0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: corporate
output-status: up
output-line-status: up
Action: allow


Adding a second subnet on ASA 5505 with Security Plus License

After adding the globals I added the 2 statics as well, but the results seem to be even worse.

static (inside,corporate) 10.1.1.0 10.1.5.0 netmask 255.255.255.0
static (corporate,inside) 10.1.5.0 10.1.1.0 netmask 255.255.255.0


Result of the command: "packet-tracer input corporate udp  10.1.5.100 1025 10.1.1.89 53"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,corporate) 10.1.1.0 10.1.5.0 netmask 255.255.255.0
  match ip inside 10.1.5.0 255.255.255.0 corporate any
    static translation to 10.1.1.0
    translate_hits = 0, untranslate_hits = 6
Additional Information:
NAT divert to egress interface inside
Untranslate 10.1.1.0/0 to 10.1.5.0/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group corporate_access_in in interface corporate
access-list corporate_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
  match ip corporate any inside any
    dynamic translation to pool 1 (10.1.1.1 [Interface PAT])
    translate_hits = 6, untranslate_hits = 0
Additional Information:
Dynamic translate 10.1.5.100/1025 to 10.1.1.1/1027 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
  match ip corporate any inside any
    dynamic translation to pool 1 (10.1.1.1 [Interface PAT])
    translate_hits = 6, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,corporate) 10.1.1.0 10.1.5.0 netmask 255.255.255.0
  match ip inside 10.1.5.0 255.255.255.0 corporate any
    static translation to 10.1.1.0
    translate_hits = 0, untranslate_hits = 6
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,corporate) 10.1.1.0 10.1.5.0 netmask 255.255.255.0
  match ip inside 10.1.5.0 255.255.255.0 corporate any
    static translation to 10.1.1.0
    translate_hits = 0, untranslate_hits = 6
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 309, packet dispatched to next module

Result:
input-interface: corporate
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet


Result of the command: "packet-tracer input inside tcp 10.1.1.89 1025 10.1.5.101 80"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (corporate,inside) 10.1.5.0 10.1.1.0 netmask 255.255.255.0
  match ip corporate 10.1.1.0 255.255.255.0 inside any
    static translation to 10.1.5.0
    translate_hits = 0, untranslate_hits = 5
Additional Information:
NAT divert to egress interface corporate
Untranslate 10.1.5.0/0 to 10.1.1.0/0 using netmask 255.255.255.0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 63.135.165.110 12356 Ryan 3389 netmask 255.255.255.255
  match tcp inside host Ryan eq 3389 outside any
    static translation to 63.135.165.110/12356
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any corporate any
    dynamic translation to pool 1 (10.1.5.1 [Interface PAT])
    translate_hits = 5, untranslate_hits = 0
Additional Information:
Dynamic translate Ryan/1025 to 10.1.5.1/1024 using netmask 255.255.255.255

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (corporate,inside) 10.1.5.0 10.1.1.0 netmask 255.255.255.0
  match ip corporate 10.1.1.0 255.255.255.0 inside any
    static translation to 10.1.5.0
    translate_hits = 0, untranslate_hits = 5
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (corporate,inside) 10.1.5.0 10.1.1.0 netmask 255.255.255.0
  match ip corporate 10.1.1.0 255.255.255.0 inside any
    static translation to 10.1.5.0
    translate_hits = 0, untranslate_hits = 5
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 349, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: corporate
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency

Adding a second subnet on ASA 5505 with Security Plus License

Try this.

static (inside,corporate) 10.1.1.0 10.1.0.0 netmask 255.255.255.0
static (corporate,inside) 10.1.5.0 10.1.5.0 netmask 255.255.255.0

Post your config with packet-tracer output.

I also see the VPN range is from the inside range; that also will not work.

Thanks

Ajay


Adding a second subnet on ASA 5505 with Security Plus License

Found the missing exempt rule preventing the subnets, but I am still unable to connect to the DNS server in the second subnet. I must still be missing an access rule in the security policy. The latest packet tracer is below.

Result of the command: "packet-tracer input corporate udp  10.1.5.101 1025 10.1.1.89 53"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.1.0        255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group corporate_access_in in interface corporate
access-list corporate_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip corporate 10.1.5.0 255.255.255.0 inside 10.1.1.0 255.255.255.0
    NAT exempt
    translate_hits = 480, untranslate_hits = 15
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
  match ip corporate any inside any
    dynamic translation to pool 1 (10.1.1.1 [Interface PAT])
    translate_hits = 51, untranslate_hits = 0
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (corporate) 1 0.0.0.0 0.0.0.0
  match ip corporate any inside any
    dynamic translation to pool 1 (10.1.1.1 [Interface PAT])
    translate_hits = 51, untranslate_hits = 0
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any corporate any
    dynamic translation to pool 1 (10.1.5.1 [Interface PAT])
    translate_hits = 17, untranslate_hits = 0
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 63.135.165.110 12356 Ryan 3389 netmask 255.255.255.255
  match tcp inside host Ryan eq 3389 outside any
    static translation to 63.135.165.110/12356
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 65879, packet dispatched to next module

Result:
input-interface: corporate
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet
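
The NAT decisions the traces in this thread show, modelled in Python as an added example (it is not from the thread and not Cisco's code): one lookup in the packet's direction, then the reverse lookup that the rpf-check phase performs. The three stages reproduce what was posted: the original config drops both directions for lack of a matching global, adding the two globals only makes inside-to-corporate pass, and the "missing exempt rule" (assumed here to be an inside_nat0_outbound entry for 10.1.1.0/24 to 10.1.5.0/24, which the thread does not quote) lets both directions through the NAT phases.

```python
import ipaddress
from dataclasses import dataclass, field


# Simplified model of the pre-8.3 ASA NAT lookup, constructed for this thread.
# It reproduces the packet-tracer outcomes quoted above; it is not the ASA's code.
@dataclass
class NatConfig:
    exempt: list = field(default_factory=list)   # (ifc, src_net, dst_net) from nat (ifc) 0 access-list
    dynamic: dict = field(default_factory=dict)  # ifc -> pool id from nat (ifc) <id> 0.0.0.0 0.0.0.0
    pools: set = field(default_factory=set)      # (ifc, id) from global (ifc) <id> interface


def is_exempt(cfg, ifc, src, dst):
    """True if a nat 0 (identity) ACL entry on ifc matches src -> dst."""
    return any(ifc == r_ifc and src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for r_ifc, s, d in cfg.exempt)


def lookup(cfg, in_ifc, src, out_ifc, dst):
    """One direction of the lookup, as the NAT-EXEMPT / NAT phases report it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_exempt(cfg, in_ifc, src, dst):
        return "NAT exempt"
    pool = cfg.dynamic.get(in_ifc)
    if pool is not None and (out_ifc, pool) in cfg.pools:
        return f"Interface PAT on {out_ifc}"
    return "No matching global"


def evaluate(cfg, in_ifc, src, out_ifc, dst):
    """Forward lookup plus the reverse lookup that the rpf-check phase performs."""
    fwd = lookup(cfg, in_ifc, src, out_ifc, dst)
    rev = lookup(cfg, out_ifc, dst, in_ifc, src)
    if fwd == "No matching global":
        return "drop", f"NAT: {fwd}"
    if fwd == "NAT exempt" and rev != "NAT exempt":
        # Return traffic would be translated by the egress interface's own nat
        # rule, which cannot match an untranslated forward flow.
        return "drop", f"rpf-check: {rev}"
    return "allow", f"forward: {fwd}; reverse: {rev}"


def thread_config(with_globals=False, with_inside_exempt=False):
    """The thread's NAT statements at each stage of the troubleshooting."""
    cfg = NatConfig()
    # nat (inside) 0 access-list inside_nat0_outbound (the two entries posted)
    cfg.exempt += [("inside", "0.0.0.0/0", "10.1.1.192/27"),
                   ("inside", "10.1.1.0/24", "10.1.2.0/24")]
    # nat (corporate) 0 access-list corporate_nat0_outbound
    cfg.exempt += [("corporate", "0.0.0.0/0", "10.1.1.192/27"),
                   ("corporate", "10.1.5.0/24", "10.1.1.0/24")]
    cfg.dynamic = {"inside": 1, "corporate": 1}   # nat (inside|corporate) 1 0.0.0.0 0.0.0.0
    cfg.pools = {("outside", 1)}                  # global (outside) 1 interface
    if with_globals:                              # global (inside|corporate) 1 interface
        cfg.pools |= {("inside", 1), ("corporate", 1)}
    if with_inside_exempt:
        # Assumed content of the "missing exempt rule" the poster found: the
        # inside-side mirror of the corporate_nat0_outbound entry.
        cfg.exempt.append(("inside", "10.1.1.0/24", "10.1.5.0/24"))
    return cfg


if __name__ == "__main__":
    for stage, cfg in [("original", thread_config()),
                       ("with globals", thread_config(True)),
                       ("with globals + inside exempt", thread_config(True, True))]:
        print(stage)
        print("  corporate -> inside DNS :", evaluate(cfg, "corporate", "10.1.5.101", "inside", "10.1.1.89"))
        print("  inside -> corporate web :", evaluate(cfg, "inside", "10.1.1.89", "corporate", "10.1.5.101"))
```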
