ASA 5512 Does no Packet Capture on an Inside VLAN interface definitely mean the packet has not gone?
LAN traffic is going through the ASA5512 fine, onto a single switch and then to servers.
We are trying to NAT some internet IPs to VLANs, and the connections are timing out. The connection is built as below but the only packets captured on the vlan-100 interface are from the Packet Tracer (which states packet allowed).
Built TCP state-bypass connection 7121 from outside:x.x.x.x/56120 (x.x.x.x/56120) to vlan-100:172.16.100.10/3389 (5.x.x.166 /3389)
We are unsure if the problem is with the ASA or the Switch (a Cisco SG300-20, at L2 just mapping the VLAN to specific ports). The VLAN is up on the switch, but I have not yet figured out a way to verify if the traffic is getting there.
I can find no relevant asp drops for the VLAN connection on the ASA, so I was wondering whether there were any circumstances where the traffic could be going from the ASA to the switch, but not showing on a packet capture?
No, I can't ping the server from the ASA, though I can ping the vlan-100 interface.
We are running TCP State Bypass as there will ultimately be two ASAs from two separate internet feeds in a datacentre and we think response traffic could come via either ASA (servers will be connected to both via separate switches).
Show run below (complete but a bit anonymised). I tried making the 5-Internet interface a VLAN, but I had the same problem with that (i.e. could not get through, with no packet capture traffic on the VLAN interface). 5-Internet is working fine as a physical interface going through the same switch.
The nat to the outside interface is correct. We want to use some 5.x.x.x addresses directly, in which case 5-Internet is used, but when the VLAN is in use, we want to NAT the 5.x.x.x address directly to the 172.16.100.x address, which it seems to be doing, except the traffic is never getting there.
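As an added example, not part of the original post: a Python parser for the "Built TCP state-bypass connection" line quoted above that works out, for each interface, which address pair a capture must match (on the outside interface the initiator's real address and the responder's mapped 5.x.x.x address; on vlan-100 the responder's real 172.16.100.x address), because a capture on the inside interface filtered on the mapped address never matches. The sample line with 203.0.113.5 and 198.51.100.166 is a constructed stand-in for the anonymised line in the post, and CaptureFilter / expected_filters are names chosen here.

```python
import re
from dataclasses import dataclass

# Body of an ASA "Built ... connection" syslog message (%ASA-6-302013 style).
# '[\w.]+' for addresses also accepts anonymised octets such as "x.x.x.x".
CONN_RE = re.compile(
    r"Built (?:(?:inbound|outbound) )?TCP (?P<bypass>state-bypass )?connection (?P<cid>\d+) "
    r"from (?P<src_if>[\w-]+):(?P<src_real>[\w.]+)/(?P<src_port>\d+) "
    r"\((?P<src_map>[\w.]+)\s*/(?P<src_map_port>\d+)\) "
    r"to (?P<dst_if>[\w-]+):(?P<dst_real>[\w.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_map>[\w.]+)\s*/(?P<dst_map_port>\d+)\)"
)

@dataclass
class CaptureFilter:
    interface: str
    src: str            # source address as it appears on the wire on this interface
    dst: str            # destination address as it appears on this interface
    dst_port: int
    state_bypass: bool  # flow is TCP state-bypass (asymmetric return path allowed)

    def cli(self, name: str = "cap") -> str:
        """ASA capture command that matches this flow on this interface."""
        return (f"capture {name} interface {self.interface} match tcp "
                f"host {self.src} host {self.dst} eq {self.dst_port}")

def expected_filters(line: str) -> dict:
    """Map each interface in a 'Built TCP connection' line to the filter a capture needs.
    On the initiator's interface packets carry the initiator's real address and the
    responder's mapped address; on the responder's interface they carry the initiator's
    mapped address and the responder's real address. A capture on vlan-100 that
    filters on the mapped 5.x.x.x address therefore never matches anything.
    """
    m = CONN_RE.search(line)
    if not m:
        raise ValueError("not a 'Built TCP connection' line")
    g = m.groupdict()
    bypass = g["bypass"] is not None
    return {
        g["src_if"]: CaptureFilter(g["src_if"], g["src_real"], g["dst_map"], int(g["dst_map_port"]), bypass),
        g["dst_if"]: CaptureFilter(g["dst_if"], g["src_map"], g["dst_real"], int(g["dst_port"]), bypass),
    }

# Constructed sample in the shape of the line quoted in the post (documentation-range addresses).
SAMPLE = ("Built TCP state-bypass connection 7121 from outside:203.0.113.5/56120 "
          "(203.0.113.5/56120) to vlan-100:172.16.100.10/3389 (198.51.100.166 /3389)")

if __name__ == "__main__":
    for f in expected_filters(SAMPLE).values():
        print(f.cli())
```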
We have configured the outside and inside Interface with official IPv6 addresses, set a default route on the outside Interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside Interface to any6.
In Syslog I also se...