https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768408#M533189 <HTML><HEAD></HEAD><BODY><P>Hey thats great, you can now mark this thread as answered... <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>-Varun</P></BODY></HTML> Thu, 18 Aug 2011 14:01:54 GMT varrao 2011-08-18T14:01:54Z https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768403#M533184 <P>Hi,</P><P></P><P>As this is an ASA 5505, unlimited users, I must use arp alias to allow a secondary network.</P><P></P><P>Inside network: 10.200.31.0/24</P><P>Additional inside network: 10.200.12.0/24</P><P></P><P>Clients in both networks can reach internet, but they can't communicate with eachother. Hosts on the additional network can ping the ASA inside network IP, but nothing else. I get incomming hitcount for inside interface when 10.200.12.x tries to ping 10.200.31.x. In the error log, I see:</P><P></P><P>ASA log says:</P><P>3 Aug 18 2011 05:21:12 305006 10.200.12.10 portmap translation creation failed for icmp src inside:10.200.31.101 dst inside:10.200.12.10 (type 8, code 0)</P><P></P><P>Trying the opposite way doesn't work either:</P><TABLE><TBODY><TR><TD>3</TD><TD>Aug 18 2011</TD><TD>05:29:18</TD><TD>305006</TD><TD>10.200.31.101</TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD>portmap translation creation failed for icmp src inside:10.200.12.10 dst inside:10.200.31.101 (type 8, code 0)</TD></TR></TBODY></TABLE><P></P><P></P><P>Is this some limitation of the approach I've choosen? And if so, is the only solutions either upgrade to security+ license to allow for a third vlan or simply static NAT?</P><P></P><P></P><P>## Config</P><P># show int eth 0/1</P><P>&lt;snip&gt;</P><P>MAC address 6400.f185.01ba, MTU not set</P><P>&lt;/snip&gt;</P><P></P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P></P><P>arp inside 10.200.12.1 6400.f185.01ba alias</P><P>route inside 10.200.12.0 255.255.255.0 10.200.31.1 1</P><P></P><P></P><P>access-list inside_access_in line 1 extended permit ip 10.200.31.0 255.255.255.0 10.200.12.0 255.255.255.0 log disable (hitcnt=22) 0xf97f5606</P> Mon, 11 Mar 2019 21:13:44 GMT https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768403#M533184 3moloz123 2019-03-11T21:13:44Z https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768404#M533185 <HTML><HEAD></HEAD><BODY><P>Well you are trying to do u-turning on ASA, this would need the following config as well:</P><P></P><P>static (inside,inside) 10.200.31.0 10.200.31.0 norand nailed</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>global (inside) 1 interface</P><P></P><P>Try it and let me know how it goes.</P><P></P><P>Thanks,</P><P>Varun</P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Thu, 18 Aug 2011 12:52:30 GMT https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768404#M533185 varrao 2011-08-18T12:52:30Z https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768405#M533186 <HTML><HEAD></HEAD><BODY><P>Thank you for you answer.</P><P></P><P>'norand' seems deprecated. This is ASA 8.2. It says I should use the 'tcp-state-bypass' option under 'set connection' in the (in what?) policy-map.</P><P>The it throws error:</P><P>ERROR: mapped-address conflict with existing static </P><P>inside:10.200.31.0 to inside:10.200.31.0 netmask 255.255.255.255.</P><P></P><P>I have no static nat configured, only one dynamic to source nat inside clients (on both subnets) to outside interface.</P></BODY></HTML> Thu, 18 Aug 2011 13:39:09 GMT https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768405#M533186 3moloz123 2011-08-18T13:39:09Z https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768406#M533187 <HTML><HEAD></HEAD><BODY><P>Can you provide me an output of "show run nat", show run global" , show run static.</P><P></P><P>The command is not deprecated, it shoudl be there in 8.2 as well:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/s8.html#wp1512466">http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/s8.html#wp1512466</A></P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Thu, 18 Aug 2011 13:43:41 GMT https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768406#M533187 varrao 2011-08-18T13:43:41Z https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768407#M533188 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for pointing me in the right direction. I was not familiar with "u-turning" or "hairpinning".</P><P>I solved it using:</P><P></P><P> static (inside,inside) 10.200.31.0 10.200.31.0 netmask 255.255.255.0</P><P>static (inside,inside) 10.200.12.0 10.200.12.0 netmask 255.255.255.0</P><P></P><P>Thanks Varun</P></BODY></HTML> Thu, 18 Aug 2011 13:50:06 GMT https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768407#M533188 3moloz123 2011-08-18T13:50:06Z https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768408#M533189 <HTML><HEAD></HEAD><BODY><P>Hey thats great, you can now mark this thread as answered... <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>-Varun</P></BODY></HTML> Thu, 18 Aug 2011 14:01:54 GMT https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768408#M533189 varrao 2011-08-18T14:01:54Z https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768409#M533190 <HTML><HEAD></HEAD><BODY><P>Hi Varun Rao,</P><P></P><P>After experimenting some with this setup, I find that the main inside net can reach (ie ping) the secondary net, but not the other way around. In order for secondary net to be able to establish a connection with the primary net, I had to add:</P><P></P><P>'static (inside,inside) 10.200.31.0 10.200.31.0 netmask 255.255.255.0'</P><P></P><P>This did however have some really unexpected drawbacks, dhcp stopped working. All clients requesting IP's got them requested, somehow rejected them and got a new IP. The arp table was quickly filling up.</P><P>Without the static nat above, dhcp works again but like I said secondary net can't establish communication with primary.</P><P></P><P>Are these some of the limitations of this setup, or do you happen to know of a workaround? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Fri, 19 Aug 2011 06:32:30 GMT https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768409#M533190 3moloz123 2011-08-19T06:32:30Z https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768410#M533191 <HTML><HEAD></HEAD><BODY><P>Can you share the configuration, Iw oudl like to have a look at it??</P><P></P><P>-Varun</P></BODY></HTML> Fri, 19 Aug 2011 06:34:44 GMT https://community.cisco.com/t5/network-security/asa-alias-secondary-subnet-no-communcation-between-them/m-p/1768410#M533191 varrao 2011-08-19T06:34:44Z