Cisco Support Community

Allow all inside VLANS to access internet and each other

I have an ASA at a remote office. They have two VLANs. One for 192.168.0.0/24 called 'inside'. The other for 192.168.1.0/24 called 'inside2'. The 'inside' VLAN has no issue with accessing the internet. Inside2 can't access anything even though from the NAT configuration it looks like it should be able to. Are there settings that need to be set to allow 'inside2' out of its box? I have settings for

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

And my NAT looks like this

    object network Private_Out
     nat (any,outside) static interface

Translations look like this.

    phasa01# show xlate
    1 in use, 1 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    NAT from any:0.0.0.0/0 to outside:X.X.X.X
        flags s idle 35:13:54 timeout 0:00:00

What am I missing here?

Thanks


Re: Allow all inside VLANS to access internet and each other

Check your license


Re: Allow all inside VLANS to access internet and each other

It has the sec-plus and a couple of others. What license does it need?

I'll get the output from it once I am in front of it in an hour.

Re: Allow all inside VLANS to access internet and each other

Hello Michael,

Is this a 5505 running a base license?

Can you provide the following commands:

    sh run nat
    sh run nameif
    sh run access-group

Regards,

Julio


Allow all inside VLANS to access internet and each other

Here is the output from the show runs...

    phasa01# show run nameif
    !
    interface Vlan1
     nameif inside
     security-level 100
    !
    interface Vlan2
     nameif outside
     security-level 0
    !
    interface Vlan12
     nameif inside2
     security-level 100
    !

    phasa01# show run nat
    !
    object network Private_Out
     nat (any,outside) static interface

    phasa01# show run access-group
    access-group OUTSIDE_IN_ACL in interface outside

Here is the license output

    Licensed features for this platform:
    Maximum Physical Interfaces       : 8              perpetual
    VLANs                             : 20             DMZ Unrestricted
    Dual ISPs                         : Enabled        perpetual
    VLAN Trunk Ports                  : 8              perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Standby perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 25             perpetual
    Total VPN Peers                   : 25             perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual

    This platform has an ASA 5505 Security Plus license.

Allow all inside VLANS to access internet and each other

Use your favorite search engine and look for "same-security-interface permit inter-interface".


Allow all inside VLANS to access internet and each other

The feature was already implemented as noted in post 1.

Allow all inside VLANS to access internet and each other

Sorry - I missed that!  To fix you should just need to write a nat statement to "not nat" it between the two interfaces.


Allow all inside VLANS to access internet and each other

I am running into issues with getting that NAT or no-nat working. What would the best syntax be for that?

Re: Allow all inside VLANS to access internet and each other

static (inside,inside2) source << object name 1>> << object name 1>> destination << object name 1 >> << object name 1 >>

Object-group network << object name 1>>

X.x.x.x y.y.y.y = inside ip subnet


Re: Allow all inside VLANS to access internet and each other

What version of ASA firmware are those commands valid on? I keep getting errors on 8.4(2).

I'm about to take a hammer to the unit.  I have others that have never given me this much grief.

Re: Allow all inside VLANS to access internet and each other

Hello Michael,

On 8.4(2)

    object network Inside_network
     subnet 192.168.0.0 255.255.255.0
    object network Inside2_network
     subnet 192.168.1.0 255.255.255.0
    nat (inside,inside2) source static Inside_network Inside_network
    nat (inside2,inside) source static Inside2_network Inside2_network

Let me know the result of this; if you are still unable to do it, please provide the following 2 outputs:

    packet-tracer input inside tcp 192.168.0.15 1025 192.168.1.15 80
    packet-tracer input inside2 tcp 192.168.1.15 1025 192.168.0.15 80

Regards,

Julio

Rate helpful posts!!!!!

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
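
An offline check of the fix in the answer above, as an added example that is not part of the original thread: it reads running-config text, finds interfaces that share a security level, and reports whether the two things this thread relied on are present (the `same-security-traffic permit inter-interface` command and an identity twice-NAT rule in each direction). The function names and the sample configuration, assembled from the outputs posted in the thread, are constructed for illustration.

```python
import re

# Constructed samples built from this thread's outputs: the config as first
# posted, and the same config with the two NAT rules from the answer appended.
SAMPLE_BEFORE = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan12
 nameif inside2
 security-level 100
same-security-traffic permit inter-interface
object network Private_Out
 nat (any,outside) static interface
"""
SAMPLE_AFTER = SAMPLE_BEFORE + """\
nat (inside,inside2) source static Inside_network Inside_network
nat (inside2,inside) source static Inside2_network Inside2_network
"""

# Twice-NAT rule; it is an identity rule when real and mapped objects match.
TWICE_NAT = re.compile(r"nat \((\S+?),(\S+?)\) source static (\S+) (\S+)")
PERMIT = "same-security-traffic permit inter-interface"

def security_levels(config):
    """Map each nameif to its security-level."""
    levels, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None  # new stanza: forget the previous interface name
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels

def audit(config):
    """List what is missing for traffic between equal-level interfaces."""
    levels = security_levels(config)
    lines = [l.strip() for l in config.splitlines()]
    identity = {m.group(1, 2) for m in map(TWICE_NAT.match, lines)
                if m and m.group(3) == m.group(4)}
    pairs = [(a, b) for a in levels for b in levels
             if a != b and levels[a] == levels[b]]
    findings = [f"missing: {PERMIT}"] if pairs and PERMIT not in lines else []
    findings += [f"no identity NAT for ({a},{b})" for a, b in pairs
                 if (a, b) not in identity]
    return findings
```

An empty result only means the rules are present in the text; the `packet-tracer` commands from the answer show whether the ASA actually applies them.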

Allow all inside VLANS to access internet and each other

Perfect.  It is working now.  Thank you.  Now to my next issue.

Allow all inside VLANS to access internet and each other

Hello Michael,

Great to hear that everything is working!!!

Regards,

Julio
