Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

ASA sub interface with Catalyst 6509-E


I am facing a strange issue with my configuration on ASA with Catalyst. I had configured a sub-interface on the ASA below is the configuration

Interface Gigabitethernet 0/1.666

vlan 666

nameif Internet_VLAN

security-level 50

ip address

nat (Internet_VLAN) 2

global (outside) 2

and on the Catalyst 6509 I created the same Vlan and configure the trunk port connecting the ASA inside interface as below

Interface Gigabitethernet 2/12

switchport trunk encapulation dot1q

switchport trunk allowed vlan 1,666

swtichport mode trunk

Interface Vlan 666

ip address

i am able to ping the sub-interface IP on the asa and vice-versa also when configured a workstation with the same subnet IP it can ping the switch VLAN IP as well as ASA sub-interface.

but when I try to browse the internet the syslog does not show any entry so that I can further identify that which part on the ASA is denying the traffic.

I tried to use the packet-tracer on the ASA and see that where does the packet gets a deny, at first it showed that the packet is denied by outside interface so I configured the outside Access-list accordingly, and the syslog showed the hits appropriately. Then it showed that there is a no translation group for the returning traffic to the ASA, syslog showing the hits again...

Therefore, I have two questions

1. why the syslog not showing hits when I browse the internet from the workstation and does when I am using the packet-tracer

2. what's with this translation group error, the other subnet which is configured on the inside interface g0/0 works just fine (I mean emp can browse internet and all) it has the same kind of configuration as sub-interface

just one more to add I am using the DNS which is an outside the firewall or you can say it ISP DNS, could it be that when I browse it's the DNS which sends the requests to the ASA and I am filtering the workstation IP instead, thats why it's not appearing in my could be? rite

because when I ping from the station I see hits..

any help would be great help

CreatePlease to create content