Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

ASA 5510 Dynamic NAT on Sub-Interfaces

Hi,

I have an ASA 5510 that was originally setup with no VLANs.  I have a SIP telephone system on the inside interface.  I have now added two sub-interfaces to the inside interface for seperate VLANs as shown below.

!

interface Ethernet0/0

nameif outside

security-level 0

ip address ***.***.***.*** 255.255.255.***

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.*** 255.255.255.0

!

interface Ethernet0/1.2

vlan 10

nameif inside2

security-level 100

ip address 172.***.***.*** 255.255.0.0

!

interface Ethernet0/1.3

vlan 100

nameif inside_Private

security-level 90

ip address 192.168.16.*** 255.255.255.0

!

Ethernet0/0 and 0/1 where originally setup then I have added ethernet0/1.2 and 1.3

Dynamic NAT rules where also setup on the inside interface as follows:

nat (inside) 1 0.0.0.0 0.0.0.0

I then added the same for the other inside interfaces:

nat (inside2) 1 0.0.0.0 0.0.0.0

nat (inside_Private) 1 0.0.0.0 0.0.0.0

which seems to work fine, i can access the internet from all inside interfaces (depending on firewall rules of course)

The problem is that when i add the dynamic NAT rules for inside2 and inside_Private it breaks the incoming SIP from getting to the asterisk box.  As soon as i remove them it works again.

Is this due to having untagged traffic with the inside interface, do i need to create a new sub-interface to be used instead, so i would have Ethernet0/1.1, Ethernet0/1/2 and Ethernet0/1.3 and then remove the IP from Ethernet0/1 ?  If this is the case then what is the best way to change this as i have alot of firewall rules setup on this interface that would need moving over.

Thanks

Dan

Everyone's tags (4)
1 REPLY

Re: ASA 5510 Dynamic NAT on Sub-Interfaces

If you are going to split your physical interface to VLAN or sub-interfaces you should not have an IP address in your eth 0/1

That interface should not have  any configuration. No name no sec level.. So go ahead and create the 0/1.1

2138
Views
0
Helpful
1
Replies
CreatePlease to create content