I have created a new VLAN (VLAN 2) in addition to an existing VLAN 1. Both VLANs have interface addresses on a Catalyst 3560. All of the network devices can see and talk to one another, but when I try to access a device in one VLAN from a PC in another VLAN I get an error in the ASA log to the effect that "portmap creation translation failed".
I have looked at the other discussions on the subject but none of the suggestions have solved my specific problem. The ASA configuration is attached. Any help would be greatly appreciated.
Which subnet is trying to communicate with which subnet? From the attached ASA configuration, there is only 1 inside interface.
The inside interface is part of the previously existing subnet, 192.168.90.0/24, which is VLAN 1. The new subnet, 10.52.100.0/24, is VLAN 2. The route between the two is on the 3560 switch at 192.168.90.4. I am trying to communicate between the two.
If you are trying to communicate between the 2 internal VLANs, it shouldn't even go through the ASA.
You would need to set the default gateway for VLAN 1 hosts to be 192.168.90.4 (the switch IP address) instead of the ASA IP address. The switch should then be configured with a default gateway pointing towards the ASA (192.168.90.1).
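The reply above boils down to a forwarding question: which device does each host hand its inter-VLAN packets to, and what does that device do with them. The following Python model is an added example (not from the thread or from Cisco) that traces a packet hop by hop through the topology described in the posts. The ASA inside address (192.168.90.1), the switch SVI addresses (192.168.90.4 and 10.52.100.254) and the ASA's "route inside 10.52.100.0/24 via 192.168.90.4" come from the thread; the host addresses, the ASA outside address and the internet destination are constructed. It shows that a VLAN 1 host whose gateway is the ASA sends VLAN 2 traffic to the firewall, which would then have to send it back out the same inside interface it came in on, whereas with the switch as gateway the packet is routed directly between the two SVIs.

```python
"""Trace where inter-VLAN packets go, depending on each host's default gateway.

Topology (addresses taken from the thread; host/outside addresses constructed):
  VLAN1 192.168.90.0/24  - switch SVI 192.168.90.4, ASA inside 192.168.90.1
  VLAN2 10.52.100.0/24   - switch SVI 10.52.100.254
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    cidr: str       # e.g. "192.168.90.50/24"
    gateway: str


@dataclass
class Router:
    name: str
    interfaces: dict                          # iface name -> "addr/prefix"
    routes: list = field(default_factory=list)  # (prefix, next_hop)

    def iface_for(self, ip):
        """Name of the interface whose subnet contains ip, or None."""
        ip = ipaddress.ip_address(ip)
        for name, cidr in self.interfaces.items():
            if ip in ipaddress.ip_interface(cidr).network:
                return name
        return None

    def lookup(self, dst):
        """Connected subnet first, then longest static prefix -> (iface, next_hop)."""
        iface = self.iface_for(dst)
        if iface:
            return iface, None
        best = None
        for prefix, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return None, None
        return self.iface_for(best[1]), best[1]


def trace(src, dst, routers, max_hops=8):
    """Follow a packet from src to dst; routers maps interface IP -> Router.
    Returns (hops, verdict) with verdict in ok / exit / hairpin / blackhole / loop."""
    hops = [src.name]
    if ipaddress.ip_address(dst) in ipaddress.ip_interface(src.cidr).network:
        return hops + ["delivered on-link"], "ok"
    next_ip = src.gateway
    for _ in range(max_hops):
        r = routers.get(next_ip)
        if r is None:
            return hops + [f"no device at {next_ip}"], "blackhole"
        in_iface = r.iface_for(next_ip)
        hops.append(f"{r.name}[{in_iface}]")
        out_iface, nh = r.lookup(dst)
        if out_iface is None:
            return hops + ["no route"], "blackhole"
        if out_iface == in_iface:
            # The packet would have to leave on the interface it arrived on.
            # For the ASA's single inside interface this is exactly the path
            # the reply says internal VLAN-to-VLAN traffic should never take.
            return hops + [f"hairpin on {r.name} {in_iface}"], "hairpin"
        if nh is None:
            return hops + [f"delivered via {r.name} {out_iface}"], "ok"
        if nh not in routers:
            return hops + [f"left the model via {r.name} {out_iface} toward {nh}"], "exit"
        next_ip = nh
    return hops + ["hop limit reached"], "loop"


def build_topology():
    switch = Router("3560", {"Vlan1": "192.168.90.4/24", "Vlan2": "10.52.100.254/24"},
                    [("0.0.0.0/0", "192.168.90.1")])
    asa = Router("ASA", {"inside": "192.168.90.1/24", "outside": "203.0.113.2/30"},  # outside constructed
                 [("10.52.100.0/24", "192.168.90.4"), ("0.0.0.0/0", "203.0.113.1")])
    routers = {"192.168.90.4": switch, "10.52.100.254": switch, "192.168.90.1": asa}
    hosts = {
        "vlan1_gw_asa": Host("vlan1-pc", "192.168.90.50/24", "192.168.90.1"),     # wrong gateway
        "vlan1_gw_switch": Host("vlan1-pc", "192.168.90.50/24", "192.168.90.4"),  # corrected
        "vlan2": Host("vlan2-pc", "10.52.100.10/24", "10.52.100.254"),
    }
    return hosts, routers


def demo():
    """Run the four scenarios from the thread and return scenario -> verdict."""
    hosts, routers = build_topology()
    cases = {
        "vlan1_gw_asa -> vlan2": (hosts["vlan1_gw_asa"], "10.52.100.10"),
        "vlan1_gw_switch -> vlan2": (hosts["vlan1_gw_switch"], "10.52.100.10"),
        "vlan2 -> vlan1": (hosts["vlan2"], "192.168.90.50"),
        "vlan2 -> internet": (hosts["vlan2"], "198.51.100.7"),  # constructed destination
    }
    results = {}
    for label, (src, dst) in cases.items():
        hops, verdict = trace(src, dst, routers)
        results[label] = verdict
        print(f"{label:28s} {verdict:9s} {' -> '.join(hops)}")
    return results


if __name__ == "__main__":
    demo()
```

Running it prints one line per scenario; the only "hairpin" result is the VLAN 1 host that still points at the ASA, which matches the reply's advice that the fix is on the hosts' gateway setting, not in the ASA's NAT rules. Because the return path is looked up independently, the model also makes clear that both hosts' gateways have to be correct for a conversation to work in both directions.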
The VLANs are configured on the layer 3 switch as follows (which I think is what you were suggesting in your prior post):
interface Vlan1
 ip address 192.168.90.4 255.255.255.0
interface Vlan2
 ip address 10.52.100.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.90.1
ip http server
With the ASA configuration as originally posted, a host attached to VLAN 2 is able to talk to the VLAN 1 address on the layer 3 switch (192.168.90.4) and to the ASA, which is also attached to VLAN 1 via the switch (192.168.90.1), as well as to the layer 2 switches in VLAN 1. It can also access the internet on the outside interface. That host cannot, however, talk to any hosts in VLAN 1.
Hosts attached to VLAN 1 can talk to the network devices in VLAN 1 but can't access the VLAN 2 interface address on the layer 3 switch (10.52.100.254), nor can they talk to any hosts in VLAN 2.
When I remove the "route inside 10.52.100.0 255.255.255.0 192.168.90.4 1" statement from the ASA, the only thing that changes is that the VLAN 2 host can no longer talk to the ASA or the outside world.
It makes me think that the problem is with the NAT statements but I can't figure out what.
The hosts on VLAN 1 are using the VLAN 1 interface address on the switch as their gateway (192.168.90.4).
The host on VLAN 2 is using the VLAN 2 interface address on the switch as its gateway (10.52.100.254).
Your suggestion provided me with some progress. I went back and double checked and sure enough the gateways for the VLAN 1 hosts I was trying to talk to were pointing to the ASA (192.168.90.1). As a result of the change I can now talk to VLAN 1 hosts from the VLAN 2 host, but I still cannot reach the VLAN 2 host from the VLAN 1 hosts. There are no messages in the ASA log, so I'm assuming it is a problem with inter-VLAN routing at the switch?
I don't see anything in the logs for the switch, but I'm not very adept with switches so I'm not really sure what I'm looking for.