https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915027#M153910 <P>Hi,</P> <P></P> <P>Packet tracer output is in place.</P> <P></P> <P>Can you check the show arp on the ASA ?</P> <P></P> <P>Also on the PC on the inside 2 interface what are you pinging ?</P> <P></P> <P>Can you check your IP settings and make sure the default gateway is set to inside 2 interface IP of ASA and DNS as and global DNS server ( 8.8.8.8 ) ?</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> Thu, 12 May 2016 17:13:56 GMT Aditya Ganjoo 2016-05-12T17:13:56Z https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915022#M153905 <P>I have an ASA 5520 and trying to use 2 of the interfaces for inside traffic and using just one internet connection:</P> <P></P> <P>For Example..</P> <P></P> <P>GigabitEthernet 0/0 - Outside (internet)</P> <P>GigabitEthernet 0/1 - Inside (192.168.1.0)</P> <P>GigabitEthernet 0/2 - Inside2 (192.168.2.0)</P> <P>I have NAT and access rules setup correctly I believe but if I get on the .2 network I can not access the internet.&nbsp; Packet tracer shows if I pick interface 0/2 as source and internet as destination the packet goes through, if I use traceroute with same parameters it will not resolve.&nbsp; Is this possible with just an ASA or will I need to integrate a router?</P> <P></P> <P>Thanks,</P> Tue, 12 Mar 2019 07:44:47 GMT https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915022#M153905 Erick Brittain 2019-03-12T07:44:47Z https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915023#M153906 <P>packet-tracer can fool you here. It's not enough that it tells you that the packet goes through, it also has to show you that the right translation is used.</P> <P>I would assume that something is wrong with your NAT here. Can you share your complete NAT config?</P> Thu, 12 May 2016 15:46:37 GMT https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915023#M153906 Karsten Iwen 2016-05-12T15:46:37Z https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915024#M153907 <P>Manual NAT Policies (Section 1)<BR />1 (inside) to (inside) source dynamic any interface<BR />&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 0<BR />2 (inside2) to (inside2) source dynamic any interface<BR />&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 0<BR /><BR /></P> <P>This section is working, it is for remote RDP and is working:</P> <P></P> <P>Auto NAT Policies (Section 2)<BR />1 (inside) to (outside) source static RDP_Static interface&nbsp;&nbsp; service tcp 3389 3389<BR />&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 81<BR />2 (inside) to (outside) source dynamic obj-192.168.1.0 interface<BR />&nbsp;&nbsp;&nbsp; translate_hits = 4151687, untranslate_hits = 2542688</P> Thu, 12 May 2016 16:28:46 GMT https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915024#M153907 Erick Brittain 2016-05-12T16:28:46Z https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915025#M153908 <P>Hi,</P> <P></P> <P>Please share the packet tracer output.</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> Thu, 12 May 2016 16:48:09 GMT https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915025#M153908 Aditya Ganjoo 2016-05-12T16:48:09Z https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915026#M153909 <P>packet-tracer input inside2 tcp 192.168.2.13 80 4.2.2.2 80</P> <P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P> <P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 0.0.0.0 0.0.0.0 outside</P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group Inside2_access_in in interface inside2<BR />access-list Inside2_access_in extended permit ip any4 any4<BR />Additional Information:</P> <P>Phase: 4<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />object network Inside_2<BR /> nat (any,outside) dynamic interface<BR />Additional Information:<BR />Dynamic translate 192.168.2.13/80 to (InternetIP address)/80</P> <P>Phase: 5<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 6<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 7<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 8<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 9<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 7866831, packet dispatched to next module</P> <P>Result:<BR />input-interface: inside2<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P> Thu, 12 May 2016 17:03:11 GMT https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915026#M153909 Erick Brittain 2016-05-12T17:03:11Z https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915027#M153910 <P>Hi,</P> <P></P> <P>Packet tracer output is in place.</P> <P></P> <P>Can you check the show arp on the ASA ?</P> <P></P> <P>Also on the PC on the inside 2 interface what are you pinging ?</P> <P></P> <P>Can you check your IP settings and make sure the default gateway is set to inside 2 interface IP of ASA and DNS as and global DNS server ( 8.8.8.8 ) ?</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> Thu, 12 May 2016 17:13:56 GMT https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915027#M153910 Aditya Ganjoo 2016-05-12T17:13:56Z https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915028#M153911 <P>I was trying to ping out from a pc on the inside2 network (.2), it has an ip of 192.168.2.13 and going to external address on packet tracer appears to work.&nbsp; If i do a traceroute from the inside2 interface to an internet address it will not go out.&nbsp; i will check the PC settings in a little bit, i currently don't have access to it.</P> Thu, 12 May 2016 17:44:06 GMT https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915028#M153911 Erick Brittain 2016-05-12T17:44:06Z https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915029#M153912 Well not sure what to say but checking from the pc internet is working. I am not sure why the traceroute fails but it all appears to be fine. I really appreciate all the help. Thu, 12 May 2016 19:17:07 GMT https://community.cisco.com/t5/network-security/multiple-inside-interfaces-with-one-outside-interface/m-p/2915029#M153912 Erick Brittain 2016-05-12T19:17:07Z