I have a VLAN set up in my network of 192.199.1.xxx. I have this complete with a port on my ASA 5501 (18.104.22.168). It seems that I can get communications to the firewall, but the firewall is dropping traffic and not allowing any internet traffic to pass. Any ideas?
If I have this in the wrong location please let me know.
The ASA needs to have NAT configured (even if you don't want the addresses changed it still needs NAT configuration, just tell it not to NAT), and access lists if the security levels are lower on this interface than where it is going.
Post the ASA config and I should be able to help more if you need it.
This was probably better in the Security section, but don't worry, we can answer it here.
The ASA by default doesn't require NAT to pass traffic (like the PIXes did, with 6.3 and before).
See the command "nat-control".
Post the output of "show run nat" and "show run global" and "show run nat-control".
Ok, but he said he was accessing the Internet, so he would need NAT.
Posting a copy of the config would be useful here, then we can see what you are trying to achieve.
OK, what I am trying to do is have 2 domains each have their own network but use the same firewall as their gateway. I thought I had configured this by setting interface 2 up as the 22.214.171.124 with my switches taking care of the VLAN. With that being said, the 192.199.1.xxx and the 172.16.xxx.xxx networks will still need to access each other, but only on the file sharing level.
OK, using the information from this post I found that I do have a NAT group set up of "101" for the interface of my VLAN. This is the command that I used to correct this issue: "nat (mci_domain) 101 0.0.0.0 0.0.0.0". This allowed my test computer to access the internet as it should. Now, the next issue that I have found is that I still need to have access to the 172.16.xxx.xxx network. I have checked my ASA and I am allowing traffic to pass on same security level interfaces.
This might be old school, but try the following to turn off NAT between inside and DMZ.
First clear out the commands that we do not need.
no global (inside) 101 interface
no global (DMZ) 101 interface
no static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
no static (inside,inside) 10.1.0.0 172.16.0.0 netmask 255.255.0.0
no static (inside,DMZ) 172.16.3.13 172.16.3.13 netmask 255.255.255.255
access-list No-Nat permit ip any 172.16.0.0 255.255.0.0
access-list No-Nat permit ip any 10.10.10.0 255.255.255.0
nat (inside) 0 access-list No-Nat
nat (DMZ) 0 access-list No-Nat
Then do a 'clear xlate' and test again. See how you go and let us know the result.
If I remove my NAT statements, will that affect traffic that is flowing between the DMZ and the 192.168.0.0 subnet? (Which would mean I'm going to get killed, because this is valid traffic.)
As it stands right now, the only traffic that I cannot pass is traffic from 192.199.xxx.xxx to the 172.16.xxx.xxx domain.
I am a little confused. There is no mention of the 192.199.x.x network in the config you posted. Where is this network located? Maybe you are just missing a route statement?
The 192.199.x.x network should be ethernet0/2. This should be a different network than ethernet0/1. I do feel like I am missing a routing statement, but if I am allowing traffic to pass on the same security level interfaces, the ASA should take care of that statement, right?
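An added example, not part of the thread and not any poster's code: a small Python check for the gap the original poster closed with "nat (mci_domain) 101 0.0.0.0 0.0.0.0", run over pre-8.3 style "nat"/"global" lines. The function name `audit_nat`, the `egress` parameter and the sample config are assumptions constructed for illustration.

```python
import re

# Constructed sample in pre-8.3 syntax; interface names follow the thread.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
interface Ethernet0/1
 nameif inside
interface Ethernet0/2
 nameif mci_domain
global (outside) 101 interface
nat (inside) 0 access-list No-Nat
nat (inside) 101 0.0.0.0 0.0.0.0
"""

NAMEIF = re.compile(r"^\s*nameif\s+(\S+)")
# Matches "nat (ifc) ID ..." and "global (ifc) ID ..."; "no ..." lines,
# "static" and "nat-control" do not match.
RULE = re.compile(r"^\s*(nat|global)\s+\((\S+?)\)\s+(\d+)\b")

def audit_nat(config, egress="outside"):
    """Return findings for named interfaces whose nat rules look incomplete."""
    interfaces, nat_ids, global_ids = [], {}, set()
    for line in config.splitlines():
        m = NAMEIF.match(line)
        if m:
            interfaces.append(m.group(1))
            continue
        m = RULE.match(line)
        if m:
            kind, ifc, nat_id = m.group(1), m.group(2), int(m.group(3))
            if kind == "nat":
                nat_ids.setdefault(ifc, set()).add(nat_id)
            else:
                global_ids.add(nat_id)
    findings = []
    for ifc in interfaces:
        if ifc == egress:
            continue
        ids = nat_ids.get(ifc, set())
        # ID 0 is NAT exemption only; it never pairs with a global pool.
        if not any(i != 0 for i in ids):
            findings.append(f"{ifc}: no dynamic nat rule, traffic to {egress} is not translated")
        for i in sorted(ids - {0} - global_ids):
            findings.append(f"{ifc}: nat id {i} has no matching global")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE):
        print(finding)
```

Feeding it the output of "show run" before a change window gives a quick list of interfaces that would reach the outside untranslated.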