topic ClaytonYou won't be able to in Network Security

No Internet for Multiple VLANS

claytonp — Tue, 12 Mar 2019 06:26:45 GMT

On an ASA 5505 Ver 8.2(5) I have the ability to access internet from primary vlan. However, when I added an additional vlan I'm not able to access the internet from that vlan. I'm able to get out to internet on VLAN1. However, I'm not on VLAN12. I have the security plus license for this appliance. Any assistance I can get with this is greatly appreciated.

--Clayton

ClaytonYou need to add "nat

Jon Marshall — Mon, 17 Aug 2015 21:16:19 GMT

Clayton

You need to add either "nat (ipcamera) 1 0.0.0.0 0.0.0.0" or "nat (ipcamera) 1 192.168.12.0 255.255.255.0" to your configuration.

Jon

Hello Jon! I've tried both

claytonp — Mon, 17 Aug 2015 23:50:15 GMT

Hello Jon! I've tried both with no success.

Can you post output of -

Jon Marshall — Tue, 18 Aug 2015 11:11:03 GMT

Can you post output of -

"packet-tracer input inside tcp 192.168.12.10 12345 8.8.8.8 www"

From the ASA can you ping a 192.168.12.x client ?

Jon

Here you go! Result of the

claytonp — Tue, 18 Aug 2015 12:38:52 GMT

Here you go!

Result of the command: "packet-tracer input inside tcp 192.168.12.10 12345 8.8.8.8 www"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.12.0 255.255.255.0 outside any
NAT exempt
translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (65.114.22.82 [Interface PAT])
translate_hits = 266513, untranslate_hits = 168014
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1441990, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

I am able to ping a 192.168.12.x client from the ASA

Not sure what is happening

Jon Marshall — Tue, 18 Aug 2015 12:51:06 GMT

Not sure what is happening here.

The output suggests you are matching the "ip nat (inside) 1 0.0.0.0 0.0.0.0" entry but you shouldn't be.

So is the client port on the switch in vlan 12 and how is the switch connected to the ASA ie. what is the configuration on the port on the switch that connects to e0/7 on your ASA ?

Also can you attach the configuration you are currently working with ?

Jon

The client port on the switch

claytonp — Tue, 18 Aug 2015 13:41:04 GMT

The client port on the switch is in vlan 12. Port e0/7 connects to switch which is also on vlan 12 in access mode.

The client port on the switch

claytonp — Tue, 18 Aug 2015 13:41:11 GMT

The client port on the switch is in vlan 12. Port e0/7 connects to switch which is also on vlan 12 in access mode.

You have this line -access

Jon Marshall — Tue, 18 Aug 2015 13:47:35 GMT

You have this line -

access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 any

and the NAT exemption ie. "nat (inside) 0 access-list <acl name>" takes precedence if I remember correctly.

If that line is for VPN then you need to make the destination the same as the other line ie. 192.168.5.0 255.255.255.0 but you can't use any because that includes internet.

Jon

Seems to be working now.

claytonp — Tue, 18 Aug 2015 14:11:58 GMT

Seems to be working now. Below is what I changed:

no access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.5.0 255.255.255.0

The 192.168.12.X is able to get to internet now.

Last issue is I'm not able to route between these two vlans. Should I create another discussion for this issue?

--Clayton

ClaytonYou won't be able to

Jon Marshall — Tue, 18 Aug 2015 14:20:34 GMT

Clayton

You won't be able to route between vlans without setting up NAT between the interfaces ie.

static (inside,ipcamera) 192.168.11.0 192.168.11.0 255.255.255.0
static (ipcamera,inside) 192.168.12.0 192.168.12.0 255.255.255.0

Jon

Can this be accomplished

claytonp — Tue, 18 Aug 2015 15:03:09 GMT

Can this be accomplished without the connection to the switch not being a trunk?

It shouldn't make any

Jon Marshall — Tue, 18 Aug 2015 15:09:20 GMT

It shouldn't make any difference whether you use a trunk or not.

Your question is slightly unclear, what exactly do you want to do ?

Jon

I just want to be able to

claytonp — Tue, 18 Aug 2015 15:12:23 GMT

I just want to be able to pass traffic between the two vlans.

Then you should be fine with

Jon Marshall — Tue, 18 Aug 2015 15:13:38 GMT

Then you should be fine with what you have as long as you add those NAT statements.

Is everything working now ?

Jon

I get the following error

claytonp — Tue, 18 Aug 2015 15:18:50 GMT

I get the following error message when applying those statements:

Result of the command: "static (inside,ipcamera) 192.168.11.0 192.168.11.0 255.255.255.0"

static (inside,ipcamera) 192.168.11.0 192.168.11.0 255.255.255.0
^
ERROR: % Invalid input detected at '^' marker.

Result of the command: "static (ipcamera,inside) 192.168.12.0 192.168.12.0 255.255.255.0"

static (ipcamera,inside) 192.168.12.0 192.168.12.0 255.255.255.0
^
ERROR: % Invalid input detected at '^' marker.

Sorry I missed out the

Jon Marshall — Tue, 18 Aug 2015 15:33:48 GMT

Sorry I missed out the "netmask" keyword, they should be -

static (inside,ipcamera) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
static (ipcamera,inside) 192.168.12.0 192.168.12.0 netmask 255.255.255.0

Jon

AWESOME!!!! It's working.

claytonp — Tue, 18 Aug 2015 15:36:20 GMT

AWESOME!!!! It's working. Thanks a million. I learned from this session.

--Clayton

No problem, glad you got it

Jon Marshall — Tue, 18 Aug 2015 15:43:46 GMT

No problem, glad you got it working.

Jon