I am facing a strange issue with my configuration on an ASA with a Catalyst. I had configured a sub-interface on the ASA; below is the configuration:
interface GigabitEthernet 0/1.666
 ip address 192.168.201.253 255.255.255.0
nat (Internet_VLAN) 2 192.168.201.0 255.255.255.0
global (outside) 2 220.127.116.11
And on the Catalyst 6509 I created the same VLAN and configured the trunk port connecting to the ASA inside interface as below:
interface GigabitEthernet 2/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,666
 switchport mode trunk
interface Vlan 666
 ip address 192.168.201.254 255.255.255.0
I am able to ping the sub-interface IP on the ASA and vice versa; also, when I configured a workstation with an IP in the same subnet, it can ping the switch VLAN IP as well as the ASA sub-interface.
But when I try to browse the internet, the syslog does not show any entry, so I cannot further identify which part of the ASA is denying the traffic.
I tried to use packet-tracer on the ASA to see where the packet gets denied. At first it showed that the packet was denied by the outside interface, so I configured the outside access-list accordingly, and the syslog showed the hits appropriately. Then it showed that there is no translation group for the returning traffic to the ASA, with the syslog showing the hits again...
Therefore, I have two questions:
1. Why does the syslog not show hits when I browse the internet from the workstation, but does when I am using packet-tracer?
2. What's with this translation group error? The other subnet, which is configured on the inside interface g0/0, works just fine (I mean employees can browse the internet and all); it has the same kind of configuration as the sub-interface.
Just one more thing to add: I am using a DNS which is outside the firewall, or you could say the ISP's DNS. Could it be that when I browse, it's the DNS which sends the requests to the ASA, and I am filtering on the workstation IP instead, and that's why it's not appearing in my syslog? It could be, right?
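As an added diagnostic example (not part of the original post or any reply), the following ASA CLI commands trace a simulated HTTP and DNS flow entering the 666 sub-interface and capture the real traffic on both sides of the firewall, so that a missing syslog entry can be separated from a packet that never reaches the ASA. The interface name Internet_VLAN and the global address 220.127.116.11 are taken from the nat/global lines in the post; the workstation address 192.168.201.10, the ISP DNS server 203.0.113.53 and the web server 198.51.100.80 are assumed values for illustration only.

```cisco
! Simulate the workstation's outbound HTTP flow as it enters the sub-interface.
! Interface name from the post's nat statement; addresses below are assumed.
packet-tracer input Internet_VLAN tcp 192.168.201.10 1025 198.51.100.80 80 detailed

! Simulate the DNS query the browser sends before the HTTP request, since a
! failed lookup looks like "no log entries" for the web traffic itself.
packet-tracer input Internet_VLAN udp 192.168.201.10 1026 203.0.113.53 53 detailed

! Capture live traffic from the workstation on the sub-interface, to confirm
! whether its HTTP/DNS packets arrive on the ASA at all (tagged VLAN 666).
capture vlan666 interface Internet_VLAN match ip host 192.168.201.10 any
! ... browse from the workstation, then:
show capture vlan666

! Capture on the outside interface for the global NAT address from the post,
! to see whether translated packets leave and whether replies come back.
capture out666 interface outside match ip host 220.127.116.11 any
show capture out666

! Check whether an xlate was built for the workstation and how the
! nat/global pairs are matched (pre-8.3 NAT syntax, as in the post).
show xlate | include 192.168.201.10
show nat

! Search the log buffer for both the workstation and the DNS server,
! not only the workstation IP.
show logging | include 192.168.201.10
show logging | include 203.0.113.53

! Remove the captures when finished.
no capture vlan666
no capture out666
```

If the packet-tracer output succeeds but `show capture vlan666` stays empty while browsing, the frames are not reaching the sub-interface (a trunk or VLAN-tagging issue rather than an ASA policy issue), which would also explain why the syslog shows nothing. If the inbound capture fills but `show capture out666` shows no packets leaving, the drop is inside the ASA and the `detailed` packet-tracer phases point at the responsible step.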
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...