I have 3 inside networks that I would like to route between and also allow outside access to the internet: 192.168.98.0/24, 192.168.99.0/24, 192.168.97.0/24.
All 3 are defined on a 3560 that has a default route which points to my ASA 5510 inside interface, 192.168.100.1. However, when I try to SSH from a host on 192.168.100.0/24 to 192.168.98.0/24 I get this error:
Mar 03 2008 13:11:08: %ASA-4-305006: portmap translation creation failed for tcp src inside:192.168.100.250/34158 dst inside:192.168.98.248/22
and if I try to SSH from the 98 net to the 100 net I get:
Mar 03 2008 13:11:47: %ASA-4-106023: Deny tcp src inside:192.168.100.249/22 dst inside:192.168.98.248/32775 by access-group "inside-list-in"
I think I'm missing two things, but I am unsure what they are.
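The two syslog lines above already carry most of the diagnosis in their fields. As an added example (not part of the original post, and not Cisco's code), the parser below pulls the source and destination interface, address and port out of %ASA-4-305006 and %ASA-4-106023 messages and flags the things worth checking: both interfaces being `inside` (the ASA is being asked to send the flow back out the interface it arrived on), a translation failure on such a flow, and a deny whose source port is a service port (the reply half of a connection the firewall never saw opened; this last one is a port-number heuristic, not an ASA field). Assumed: only these two message IDs are handled; the sample input is the two lines quoted in the question.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Field layout of the two message IDs quoted in the question.
# Other ASA message IDs are not handled by this example.
_PATTERNS = {
    "305006": re.compile(
        r"%ASA-\d-305006: portmap translation creation failed for (?P<proto>\w+) "
        r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
        r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"),
    "106023": re.compile(
        r"%ASA-\d-106023: Deny (?P<proto>\w+) "
        r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
        r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
        r'by access-group "(?P<acl>[^"]+)"'),
}


@dataclass
class AsaEvent:
    msg_id: str
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    acl: Optional[str] = None  # only present on 106023


def parse_asa_line(line: str) -> Optional[AsaEvent]:
    """Parse one syslog line into an AsaEvent, or None if the message ID is not handled."""
    for msg_id, rx in _PATTERNS.items():
        m = rx.search(line)
        if m:
            g = m.groupdict()
            return AsaEvent(msg_id, g["proto"], g["sif"], g["sip"], int(g["sport"]),
                            g["dif"], g["dip"], int(g["dport"]), g.get("acl"))
    return None


def diagnose(line: str) -> List[str]:
    """Return the findings for one line (empty list if the line is not handled)."""
    ev = parse_asa_line(line)
    if ev is None:
        return []
    findings = []
    if ev.src_if == ev.dst_if:
        # The flow would leave on the interface it arrived on: the ASA is being
        # asked to route between two networks that both sit behind "inside".
        findings.append("same-interface")
    if ev.msg_id == "305006":
        # No translation could be built for the flow, which is what you see when
        # NAT is required on the interface and no NAT rule or exemption matches.
        findings.append("no-nat-for-flow")
    if ev.msg_id == "106023":
        findings.append(f"acl-deny:{ev.acl}")
        if ev.proto == "tcp" and ev.src_port < 1024 <= ev.dst_port:
            # Heuristic: service port as source, ephemeral port as destination,
            # i.e. the reply half of a connection the ASA has no state for.
            findings.append("reply-without-state")
    return findings


# Constructed sample input: the two lines quoted in the question.
SAMPLE = [
    "Mar 03 2008 13:11:08: %ASA-4-305006: portmap translation creation failed "
    "for tcp src inside:192.168.100.250/34158 dst inside:192.168.98.248/22",
    "Mar 03 2008 13:11:47: %ASA-4-106023: Deny tcp src inside:192.168.100.249/22 "
    'dst inside:192.168.98.248/32775 by access-group "inside-list-in"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(diagnose(line))
```

Run against the sample, the first line reports `same-interface` and `no-nat-for-flow`; the second reports `same-interface`, the ACL deny and `reply-without-state`, which is consistent with the SSH SYN from 192.168.98.248 having reached 192.168.100.249 through the 3560 without touching the ASA, while the server's SYN/ACK followed its own default gateway into the firewall, which had no connection to match it against.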
I believe your problem, aside from allowing the needed traffic in your inside ACL, is with routing packets back out the interface they arrived on.
It's pretty confusing, but take a look at this link and you will probably be able to work it out.
Thanks for the information. I did correct my ACLs, which got rid of the denies, and I did add the corresponding statements to allow the hairpinning; however, now a connection does not initiate and I cannot see any messages in the logs, so I am not sure how I can see what is happening.
You have a 3560; why not configure IP routing on that and configure logical VLAN interfaces on it? Or are you applying ACLs between subnets?
Actually, this is exactly what I am doing. I have 3 different subnets on the 3560: 192.168.99.0/24, 192.168.98.0/24, 192.168.97.0/24. However, there is also a network, 192.168.100.0/24, where the inside interface of the ASA is 192.168.100.1 and some hosts reside. So I would like hosts in 192.168.98.0/24, for example, to be able to access the 192.168.100.0/24 network and access the internet.
On your switch, have you entered the command "ip routing"?
Also, on your switch, is there a default route (NOT a default gateway) that points to the inside interface IP of the firewall?
So it sounds like you should have a total of four VLAN interfaces, right? With IPs of 192.168.97.x, 192.168.98.x, 192.168.99.x, and 192.168.100.x.
The default gateway on each host in each subnet should then point to the IP address of its respective VLAN interface on the switch.
The "ip routing" command is in the configuration.
"ip route 0.0.0.0 0.0.0.0 192.168.100.1" is also in the configuration.
I have 3 VLANs, and ge0/1 is configured as a layer 3 port (not a switchport) with an IP of 192.168.100.2.
On the ASA I have a route line:
route inside 192.168.98.0 255.255.255.0 192.168.100.2 1
Add the following to your ASA:
route inside 192.168.97.0 255.255.255.0 192.168.100.2 1
route inside 192.168.99.0 255.255.255.0 192.168.100.2 1
Alternatively, you could enable routing on each device:
On the switch:
On the ASA:
Just to clarify: at this point in time I am only trying to get the 192.168.98.0/24 network to route to 192.168.100.0/24 or the internet, so I can see your point about needing those routes for the other VLANs. However, my issue still appears to be that host 192.168.98.248 cannot get name resolution from host 192.168.100.250 and thus cannot get out to the web. If I try to SSH to the host, it also times out. However, in the ASA logs I do not see any denies.
Undo the switchport you made a layer 3 interface: make it a layer 2 interface, assign that interface to the same VLAN that host 192.168.100.250 is in, then create a logical VLAN interface and assign it IP address 192.168.100.2.
You should still have 4 VLANs with each of the following subnets:
Each VLAN will have a logical interface in the IP range stated above, and each logical interface should be the default gateway for each of those subnets. The firewall should be plugged into whatever VLAN you've assigned the 192.168.100.x range to.
Or, pretend you're starting from scratch; that might make more sense.
Create 3 VLANs (in addition to VLAN 1):
interface vlan 1
ip address 192.168.100.2 255.255.255.0
interface vlan 97
ip address 192.168.97.1 255.255.255.0
interface vlan 98
ip address 192.168.98.1 255.255.255.0
interface vlan 99
ip address 192.168.99.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.100.1
Assign switchports to their respective VLANs. Plug the firewall into VLAN 1.
192.168.x.1 should be the default gateway for hosts on each subnet.
Don't forget routing between the ASA and each subnet, done as in one of my previous posts using either RIP or static routes.
I did try that; however, no go.
I believe my issue might be that I have version 7.0(6) and I need 7.2 for hairpinning to be supported.
You don't need hairpinning.
All routing would be done on the 3560; the ASA only needs to know how to get to each subnet, not route between them.
Can you post your configs for the switch and ASA?
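The difference between the original layout (ge0/1 as a layer 3 port, a single ASA route for 192.168.98.0/24) and the "start from scratch" layout (one SVI per VLAN on the 3560, an ASA route per subnet pointing at 192.168.100.2, hosts gatewaying to the switch) is a path question, so it can be checked mechanically. The model below is an added example, not a configuration from the thread or from Cisco: it does longest-prefix routing across both devices, traces the forward and return hops of a connection, and reports two failure modes the thread's log lines correspond to, a hairpin (the stateful firewall forwarding back out the interface it received on) and an asymmetric path (the firewall seeing only one half of a host-to-host connection). Assumed, because the posts do not say: the 192.168.100.0/24 hosts originally used the ASA (192.168.100.1) as their default gateway and in the fixed layout use the VLAN 1 SVI (192.168.100.2); the ASA's outside side is modelled with RFC 5737 documentation addresses (203.0.113.0/24); the host and interface names are taken from the thread.

```python
import ipaddress as ipa


class Device:
    """A router or firewall with connected interfaces and static routes."""

    def __init__(self, name, ifaces, routes=()):
        self.name = name
        self.ifaces = {n: ipa.ip_interface(a) for n, a in ifaces.items()}
        self.routes = [(ipa.ip_network(p), ipa.ip_address(nh)) for p, nh in routes]

    def owns(self, addr):
        """Interface holding `addr` (the ingress for a packet sent to it), or None."""
        return next((n for n, i in self.ifaces.items() if i.ip == addr), None)

    def egress(self, dst):
        """Longest-prefix match over connected networks and static routes.
        Returns (out_iface, next_hop); next_hop is None for a connected route."""
        best = None  # (prefixlen, iface, next_hop)
        for n, i in self.ifaces.items():
            if dst in i.network and (best is None or i.network.prefixlen > best[0]):
                best = (i.network.prefixlen, n, None)
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0]):
                out = next((n for n, i in self.ifaces.items() if nh in i.network), None)
                if out is not None:
                    best = (net.prefixlen, out, nh)
        return None if best is None else (best[1], best[2])


class Topology:
    def __init__(self, devices, hosts, firewall):
        self.devices = devices
        self.hosts = {ipa.ip_address(h): ipa.ip_address(g) for h, g in hosts.items()}
        self.firewall = firewall  # name of the stateful device

    def _owner(self, addr):
        for d in self.devices:
            n = d.owns(addr)
            if n is not None:
                return d, n
        return None, None

    def trace(self, src, dst):
        """Hops (device, ingress_if, egress_if) a packet from host `src` to `dst` takes."""
        src, dst = ipa.ip_address(src), ipa.ip_address(dst)
        gw_dev, gw_if = self._owner(self.hosts[src])
        if dst in gw_dev.ifaces[gw_if].network:
            return []  # same L2 segment: no router involved
        hops, nh = [], self.hosts[src]
        for _ in range(8):  # guard against routing loops
            dev, ingress = self._owner(nh)
            if dev is None:
                hops.append(("<beyond model>", None, None))  # e.g. the ISP next hop
                break
            e = dev.egress(dst)
            if e is None:
                hops.append((dev.name, ingress, None))  # no route: dropped
                break
            hops.append((dev.name, ingress, e[0]))
            if e[1] is None:
                break  # delivered on a connected network
            nh = e[1]
        return hops

    def analyse(self, src, dst):
        fwd = self.trace(src, dst)
        rev = self.trace(dst, src) if ipa.ip_address(dst) in self.hosts else []
        crosses = lambda hops: any(d == self.firewall for d, _, _ in hops)
        return {
            "forward": fwd,
            "reverse": rev,
            # firewall forwarding back out the interface it received on
            "hairpin": any(d == self.firewall and i == o for d, i, o in fwd + rev),
            # firewall sees only one half of a host-to-host connection
            "asymmetric": bool(rev) and crosses(fwd) != crosses(rev),
        }


def before():
    """Original layout: ge0/1 as an L3 port; 100.x hosts gateway to the ASA (assumed)."""
    switch = Device("3560", {"vlan97": "192.168.97.1/24", "vlan98": "192.168.98.1/24",
                             "vlan99": "192.168.99.1/24", "ge0/1": "192.168.100.2/24"},
                    [("0.0.0.0/0", "192.168.100.1")])
    asa = Device("asa", {"inside": "192.168.100.1/24", "outside": "203.0.113.2/24"},
                 [("192.168.98.0/24", "192.168.100.2"), ("0.0.0.0/0", "203.0.113.1")])
    return Topology([switch, asa], {"192.168.98.248": "192.168.98.1",
                                    "192.168.100.250": "192.168.100.1",   # assumed
                                    "192.168.100.249": "192.168.100.1"},  # assumed
                    firewall="asa")


def after():
    """'Start from scratch' layout: an SVI per VLAN, ASA route per subnet via 192.168.100.2."""
    switch = Device("3560", {"vlan1": "192.168.100.2/24", "vlan97": "192.168.97.1/24",
                             "vlan98": "192.168.98.1/24", "vlan99": "192.168.99.1/24"},
                    [("0.0.0.0/0", "192.168.100.1")])
    asa = Device("asa", {"inside": "192.168.100.1/24", "outside": "203.0.113.2/24"},
                 [("192.168.97.0/24", "192.168.100.2"), ("192.168.98.0/24", "192.168.100.2"),
                  ("192.168.99.0/24", "192.168.100.2"), ("0.0.0.0/0", "203.0.113.1")])
    return Topology([switch, asa], {"192.168.98.248": "192.168.98.1",
                                    "192.168.100.250": "192.168.100.2",   # assumed
                                    "192.168.100.249": "192.168.100.2"},  # assumed
                    firewall="asa")


if __name__ == "__main__":
    for label, topo in (("before", before()), ("after", after())):
        for s, d in (("192.168.100.250", "192.168.98.248"),
                     ("192.168.98.248", "192.168.100.249"),
                     ("192.168.98.248", "198.51.100.10")):
            print(label, s, "->", d, topo.analyse(s, d))
```

In the original layout the trace from 192.168.100.250 to 192.168.98.248 enters the ASA on `inside` and leaves on `inside` (the 305006 line), while the reply from the 98 network reaches the 100 network through the 3560 alone, so the ASA sees only the return half of an SSH session started from the 98 side (the 106023 line). In the fixed layout both directions stay on the 3560 and the ASA is only crossed for the internet-bound trace, which is the "all routing would be done on the 3560" point above.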
Actually, once you pointed out that the 3560 would be doing all the routing, it finally clicked. Things are now working.
Now I just need to allow my 99, 98 and 97 networks access over our VPN tunnel to another site.
Thanks for the help.