1061 Views, 0 Helpful, 13 Replies

Allow all inside VLANS to access internet and each other

alibris
Level 1

I have an ASA at a remote office. They have two VLANs. One for 192.168.0.0/24 called 'inside'. The other for 192.168.1.0/24 called 'inside2'. The 'inside' VLAN has no issue with accessing the internet. Inside2 can't access anything even though from the NAT configuration it looks like it should be able to. Are there settings that need to be set to allow 'inside2' out of its box? I have settings for

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

And my NAT looks like this

object network Private_Out

nat (any,outside) static interface

Translations look like this.

phasa01# show xlate

1 in use, 1 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from any:0.0.0.0/0 to outside:X.X.X.X

    flags s idle 35:13:54 timeout 0:00:00

What am I missing here?

Thanks

Accepted Solution

Hello Michael,

On 8.4(2)

object network Inside_network

subnet 192.168.0.0 255.255.255.0

object network Inside2_network

subnet 192.168.1.0 255.255.255.0

nat (inside,inside2) source static Inside_network Inside_network

nat (inside2,inside) source static Inside2_network Inside2_network

Let me know the result of this; if you are still unable to do it, please provide the following 2 outputs:

packet-tracer input inside tcp 192.168.0.15 1025 192.168.1.15 80

packet-tracer input inside2 tcp 192.168.1.15 1025 192.168.0.15 80

Regards,

Julio

Rate helpful posts!!!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

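As an added example that is not part of this thread and not Cisco code, the block below is a small Python model of the ASA 8.3+ NAT lookup order. It shows what the two identity NAT lines in the accepted answer do next to the existing `nat (any,outside) static interface` rule: manual NAT lines are section 1 and are consulted before object NAT (section 2), so traffic between the two VLANs is matched by the identity rule and leaves with its real source address, while internet-bound traffic from either VLAN still falls through to the interface PAT rule. Everything not stated in the thread is an assumption: the interface subnets are taken from the object definitions, the outside address shown as X.X.X.X is modelled with the documentation address 203.0.113.1, and Private_Out is taken to cover 0.0.0.0/0 as the `show xlate` output suggests.

```python
"""Added illustration, not Cisco code and not configuration from the thread's ASA:
a minimal model of the ASA 8.3+ NAT lookup order, used to show what the two
identity NAT lines in the accepted answer do alongside the existing
'nat (any,outside) static interface' rule.

Assumptions not stated in the thread: inside is 192.168.0.0/24, inside2 is
192.168.1.0/24 (from the object definitions), the outside address shown as
X.X.X.X is modelled with the documentation address 203.0.113.1, and
Private_Out covers 0.0.0.0/0, as the 'show xlate' output suggests.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

OUTSIDE_IP = IPv4Address("203.0.113.1")  # constructed stand-in for X.X.X.X

# Connected subnets used for the egress-interface (route) lookup; assumed.
CONNECTED = {
    "inside": IPv4Network("192.168.0.0/24"),
    "inside2": IPv4Network("192.168.1.0/24"),
}


@dataclass(frozen=True)
class NatRule:
    section: int                       # 1 = manual (twice) NAT, 2 = object (auto) NAT
    real_ifc: str                      # "any" matches every ingress interface
    mapped_ifc: str                    # must equal the egress interface (or "any")
    real_net: IPv4Network              # real (pre-translation) source addresses
    mapped_src: Optional[IPv4Address]  # None = identity NAT, source left unchanged
    cli: str                           # the CLI line this rule models


def egress_for(dst: IPv4Address) -> str:
    """Route lookup: a connected subnet wins, everything else leaves via outside."""
    for name, net in CONNECTED.items():
        if dst in net:
            return name
    return "outside"


def translate(rules, ingress: str, src: IPv4Address, dst: IPv4Address):
    """First match wins: all section 1 rules are checked before any section 2
    rule, and rules within a section keep their configured order.
    Returns (egress interface, translated source, matching CLI line)."""
    egress = egress_for(dst)
    ordered = sorted(enumerate(rules), key=lambda pair: (pair[1].section, pair[0]))
    for _, rule in ordered:
        if rule.real_ifc not in ("any", ingress):
            continue
        if rule.mapped_ifc not in ("any", egress):
            continue
        if src not in rule.real_net:
            continue
        new_src = src if rule.mapped_src is None else rule.mapped_src
        return egress, new_src, rule.cli
    return egress, src, "no NAT rule matched"


# The rule already on the box: object NAT, so it lives in section 2.
OBJECT_NAT = NatRule(2, "any", "outside", IPv4Network("0.0.0.0/0"), OUTSIDE_IP,
                     "nat (any,outside) static interface")

# The two lines from the accepted answer: manual identity NAT, section 1.
IDENTITY_NAT = [
    NatRule(1, "inside", "inside2", IPv4Network("192.168.0.0/24"), None,
            "nat (inside,inside2) source static Inside_network Inside_network"),
    NatRule(1, "inside2", "inside", IPv4Network("192.168.1.0/24"), None,
            "nat (inside2,inside) source static Inside2_network Inside2_network"),
]

# Position in the running config does not matter here: the section decides.
AFTER_FIX = [OBJECT_NAT] + IDENTITY_NAT


def trace(rules, ingress: str, src: str, dst: str) -> dict:
    """packet-tracer style summary for one flow."""
    egress, new_src, cli = translate(rules, ingress, IPv4Address(src), IPv4Address(dst))
    return {"egress": egress, "src": str(new_src), "rule": cli}


if __name__ == "__main__":
    flows = [
        ("inside", "192.168.0.15", "192.168.1.15"),    # VLAN to VLAN
        ("inside2", "192.168.1.15", "192.168.0.15"),   # VLAN to VLAN, reverse
        ("inside2", "192.168.1.15", "198.51.100.10"),  # inside2 to the internet
    ]
    for ingress, src, dst in flows:
        print(f"{ingress} {src} -> {dst}: {trace(AFTER_FIX, ingress, src, dst)}")
```

Running it prints the three flows that correspond to the two `packet-tracer` commands in the answer plus an internet-bound one; the inter-VLAN flows report the identity rule and an unchanged source, the internet-bound flow reports the object NAT rule and the outside address. The model deliberately covers only rule precedence and source translation, which is the part of the answer worth understanding; it does not reproduce destination (un-NAT) lookups or the ASA's route-versus-NAT egress selection.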

13 Replies

andrew.prince
Level 10

Check your license

Sent from Cisco Technical Support iPad App

It has the sec-plus and a couple of others. What license does it need?

I'll get the output from it once I am in front of it in an hour.

Julio Carvajal
VIP Alumni

Hello Michael,

Is this a 5505 running a base license?

Can you provide the following commands:

sh run nat

sh run nameif

sh run access-group

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here is the output from the show runs...

phasa01# show run nameif

!

interface Vlan1

nameif inside

security-level 100

!

interface Vlan2

nameif outside

security-level 0

!

interface Vlan12

nameif inside2

security-level 100

!

phasa01# show run nat

!

object network Private_Out

nat (any,outside) static interface

phasa01# show run access-group

access-group OUTSIDE_IN_ACL in interface outside

Here is the license output

Licensed features for this platform:

Maximum Physical Interfaces       : 8              perpetual

VLANs                             : 20             DMZ Unrestricted

Dual ISPs                         : Enabled        perpetual

VLAN Trunk Ports                  : 8              perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Standby perpetual

VPN-DES                           : Enabled        perpetual

VPN-3DES-AES                      : Enabled        perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 25             perpetual

Total VPN Peers                   : 25             perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

Use your favorite search engine and look for "same-security-interface permit inter-interface".

The feature was already implemented as noted in post 1.

Sorry, I missed that! To fix it you should just need to write a NAT statement to "not NAT" it between the two interfaces.

I am running into issues with getting that NAT or no-NAT working. What would the best syntax be for that?

static (inside,inside2) source << object name 1>> << object name 1>> destination << object name 1 >> << object name 1 >>

Object-group network << object name 1>>

X.x.x.x y.y.y.y = inside ip subnet

Sent from Cisco Technical Support iPad App

What version of ASA firmware are those commands valid on? I keep getting errors on 8.4(2).

I'm about to take a hammer to the unit. I have others that have never given me this much grief.

Perfect. It is working now. Thank you. Now to my next issue.

Hello Michael,

Great to hear that everything is working!!!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC