01-16-2012 10:15 PM - edited 03-11-2019 03:15 PM
I have an ASA at a remote office. They have two VLANs. One for 192.168.0.0/24 called 'inside'. The other for 192.168.1.0/24 called 'inside2'. The 'inside' VLAN has no issue with accessing the internet. Inside2 can't access anything even though from the NAT configuration it looks like it should be able to. Are there settings that need to be set to allow 'inside2' out of its box? I have settings for
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
And my NAT looks like this
object network Private_Out
nat (any,outside) static interface
Translations look like this.
phasa01# show xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from any:0.0.0.0/0 to outside:X.X.X.X
flags s idle 35:13:54 timeout 0:00:00
What am I missing here?
Thanks
01-16-2012 11:55 PM
Check your license
01-17-2012 07:08 AM
It has the sec-plus and a couple of others. What license does it need?
I'll get the output from it once I am in front of it in an hour.
01-17-2012 07:01 AM
Hello Michael,
Is this a 5505 running a base license?
Can you provide the following commands:
show run nat
show run nameif
show run access-group
Regards,
Julio
01-17-2012 08:22 AM
Here is the output from the show runs...
phasa01# show run nameif
!
interface Vlan1
nameif inside
security-level 100
!
interface Vlan2
nameif outside
security-level 0
!
interface Vlan12
nameif inside2
security-level 100
!
phasa01# show run nat
!
object network Private_Out
nat (any,outside) static interface
phasa01# show run access-group
access-group OUTSIDE_IN_ACL in interface outside
Here is the license output
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
01-17-2012 08:26 AM
use your favorite search engine and look for "same-security-interface permit inter-interface"
01-17-2012 08:35 AM
The feature was already implemented as noted in post 1.
01-17-2012 08:40 AM
Sorry - I missed that! To fix you should just need to write a nat statement to "not nat" it between the two interfaces.
01-18-2012 10:19 AM
I am running into issues with getting that NAT or no-nat working. What would the best syntax be for that?
01-18-2012 10:34 AM
static (inside,inside2) source << object name 1>> << object name 1>> destination << object name 1 >> << object name 1 >>
Object-group network << object name 1>>
X.x.x.x y.y.y.y = inside ip subnet
01-19-2012 09:15 AM
What version of ASA firmware are those commands valid on. I keep getting errors on 8.4(2).
I'm about to take a hammer to the unit. I have others that have never given me this much grief.
01-19-2012 09:29 AM
Hello Michael,
On 8.4(2)
object network Inside_network
subnet 192.168.0.0 255.255.255.0
object network Inside2_network
subnet 192.168.1.0 255.255.255.0
nat (inside,inside2) source static Inside_network Inside_network
nat (inside2,inside) source static Inside2_network Inside2_network
Let me know the result of this. If you are still unable to do it, please provide the following 2 outputs:
packet-tracer input inside tcp 192.168.0.15 1025 192.168.1.15 80
packet-tracer input inside2 tcp 192.168.1.15 1025 192.168.0.15 80
Regards,
Julio
Rate helpful posts!!!!!
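The accepted answer above works because manual (twice) NAT rules sit in section 1 of the ASA NAT table and are evaluated before the object NAT rule in section 2, so the identity rules catch inside<->inside2 traffic before the catch-all `nat (any,outside) static interface` rule can claim it and pin its egress interface to outside. The audit script below is an added example written for this page, not code from the thread or from Cisco: it parses the text of `show run nat` / `show run object`, reports whether an identity (no-NAT) rule exists in each direction between two same-security interfaces, flags rules whose real interface is `any`, and shows which rule the ASA would consult first. The `BEFORE` and `AFTER` samples are constructed from the configuration lines posted in this thread; the regular expressions only cover the rule forms seen here (no parsing of `destination` or `service` clauses, which are ignored as trailing text), and the function and variable names are this example's own.

```python
"""Audit an ASA 8.3+ NAT configuration (text of 'show run nat' / 'show run object')
for the two things this thread turns on:
  * whether an identity (no-NAT) rule exists in each direction between two
    same-security interfaces, and
  * whether any rule uses 'any' as its real interface, which matches traffic
    entering every interface, including inside -> inside2.
Precedence follows the ASA NAT table: manual NAT (section 1), then object NAT
(section 2), then manual NAT with 'after-auto' (section 3).
"""
import re
from typing import Dict, List, NamedTuple, Optional


class NatRule(NamedTuple):
    section: int             # 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto
    src_if: str              # real (ingress) interface, or 'any'
    dst_if: str              # mapped (egress) interface
    kind: str                # 'static' or 'dynamic'
    real_src: Optional[str]  # object being translated (enclosing object for object NAT)
    mapped_src: str          # mapped object, or 'interface'
    identity: bool           # real == mapped, i.e. no translation applied
    raw: str                 # the configuration line as written


# Manual (twice) NAT: nat (real_if,mapped_if) [after-auto] source static|dynamic REAL MAPPED ...
MANUAL_RE = re.compile(
    r"^nat \((?P<src>[\w-]+),(?P<dst>[\w-]+)\)(?P<after> after-auto)?"
    r" source (?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)")
# Object NAT (inside an 'object network' block): nat (real_if,mapped_if) static|dynamic MAPPED ...
OBJECT_RE = re.compile(
    r"^nat \((?P<src>[\w-]+),(?P<dst>[\w-]+)\) (?P<kind>static|dynamic) (?P<mapped>\S+)")


def parse_nat(config: str) -> List[NatRule]:
    """Extract NAT rules from show-run text, tracking the enclosing network object."""
    rules: List[NatRule] = []
    current_object: Optional[str] = None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"^object network (\S+)$", line)
        if m:
            current_object = m.group(1)
            continue
        if line == "!":                      # block separator ends the object
            current_object = None
            continue
        if not line.startswith("nat ("):
            continue
        mm = MANUAL_RE.match(line)
        if mm:
            rules.append(NatRule(
                3 if mm.group("after") else 1, mm.group("src"), mm.group("dst"),
                mm.group("kind"), mm.group("real"), mm.group("mapped"),
                mm.group("real") == mm.group("mapped"), line))
            continue
        mo = OBJECT_RE.match(line)
        if mo:
            rules.append(NatRule(
                2, mo.group("src"), mo.group("dst"), mo.group("kind"),
                current_object, mo.group("mapped"), False, line))
    return rules


def evaluation_order(rules: List[NatRule]) -> List[NatRule]:
    """Rules in the order the ASA consults them: by section, then config order."""
    return sorted(rules, key=lambda r: r.section)   # sorted() is stable


def identity_between(rules: List[NatRule], a: str, b: str) -> Dict[str, bool]:
    """Is there an identity rule in each direction between interfaces a and b?"""
    def has(src: str, dst: str) -> bool:
        return any(r.identity and r.src_if == src and r.dst_if == dst for r in rules)
    return {f"{a}->{b}": has(a, b), f"{b}->{a}": has(b, a)}


def catch_all_rules(rules: List[NatRule]) -> List[NatRule]:
    """Rules whose real interface is 'any'; a static one also selects the egress
    interface, so it can divert inter-VLAN traffic toward its mapped interface."""
    return [r for r in rules if r.src_if == "any"]


# Constructed samples built from the lines posted in this thread: the NAT
# configuration before the fix, and after the two identity rules were added.
BEFORE = """\
object network Private_Out
 nat (any,outside) static interface
"""
AFTER = """\
object network Inside_network
 subnet 192.168.0.0 255.255.255.0
object network Inside2_network
 subnet 192.168.1.0 255.255.255.0
object network Private_Out
 nat (any,outside) static interface
!
nat (inside,inside2) source static Inside_network Inside_network
nat (inside2,inside) source static Inside2_network Inside2_network
"""


def audit(config: str, a: str, b: str) -> Dict[str, object]:
    """Summarise identity coverage, catch-all rules and first-evaluated rule."""
    rules = parse_nat(config)
    return {
        "identity": identity_between(rules, a, b),
        "catch_all": [r.raw for r in catch_all_rules(rules)],
        "first_evaluated": evaluation_order(rules)[0].raw if rules else None,
    }


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg, "inside", "inside2"))
```

Run against the `BEFORE` sample the audit reports no identity rule in either direction and the `(any,outside)` rule as the only rule the ASA evaluates; against `AFTER` both directions are covered and the section 1 rule `nat (inside,inside2) source static Inside_network Inside_network` is consulted first, while the catch-all object rule is still flagged so it can be reviewed rather than left to match whatever no manual rule catches.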
01-19-2012 04:51 PM
Perfect. It is working now. Thank you. Now to my next issue.
01-19-2012 05:33 PM
Hello Michael,
Great to hear that everything is working!!!
Regards,
Julio