Hello Jennifer,

thanks for your quick answer.

When I apply those static NAT commands by ASDM, I get the following error for each of them:

ERROR: mapped-address conflict with existing static

So I did by also by CLI - with no error

And here the ACL for vlan 1 and vlan 11:

access-list vlan1_access_in_1 extended permit ip any any

access-list vlan11_access_in_1 extended permit ip any any

access-group vlan1_access_in_1 in interface vlan1

access-group vlan11_access_in_1 in interface vlan11

I alos allowed icmp to all vlans - but nothing happened - what did i wrong ?

BR

Can you also please share the latest running conifg, and advise where you are trying to ping from and to?

Please also ensure that the host doesn't have Windows firewall, or any other host firewall that might be blocking inbound access.

I'm trying to ping from vlan11 (192.168.1.2) tp vlan1 (192.168.6.1)

The firewalls on the access hosts are off.

esult of the command: "sh run"

: Saved
:
ASA Version 8.2(2)
!
hostname ASAHY
enable password encrypted
passwd encrypted
names
name 192.168.6.1 SRV1
name 192.168.1.2 SRV2
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address 255.255.255.255 pppoe
!
interface Ethernet0/1
nameif inside
security-level 100
no ip address
!
interface Ethernet0/1.1
vlan 1
nameif vlan1
security-level 100
ip address 192.168.6.6 255.255.255.0
!
interface Ethernet0/1.2
vlan 2
nameif vlan2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1.4
vlan 4
nameif vlan4
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/1.10
vlan 10
nameif vlan10
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.11
vlan 11
nameif vlan11
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif Management
security-level 100
ip address 172.16.3.1 255.255.255.0
management-only
!

ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service NATvlan10
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
service-object tcp eq pop3
service-object tcp eq smtp
service-object udp eq 21
service-object udp eq 20
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp unreachable
service-object icmp time-exceeded
object-group service NATvlan11
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
service-object tcp eq pop3
service-object tcp eq smtp
service-object udp eq 21
service-object udp eq 20
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp unreachable
service-object icmp time-exceeded
object-group service NATvlan2
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
service-object tcp eq pop3
service-object tcp eq smtp
service-object udp eq 21
service-object udp eq 20
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp unreachable
service-object icmp time-exceeded
object-group service NATvlan4
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
service-object tcp eq pop3
service-object tcp eq smtp
service-object udp eq 21
service-object udp eq 20
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp unreachable
service-object icmp time-exceeded
object-group service NATvlan1
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
service-object udp eq 21
service-object udp eq 20
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp unreachable
service-object icmp time-exceeded
object-group network DataWebShop
description Direct to Access
network-object Data1 255.255.255.0
network-object host Data3
network-object host Data2
access-list insidevlan10 extended permit object-group NATvlan10 192.168.10.0 255.255.255.0 any
access-list insidevlan11 extended permit object-group NATvlan11 192.168.1.0 255.255.255.0 any
access-list insidevlan2 extended permit object-group NATvlan2 192.168.2.0 255.255.255.0 any
access-list insidevlan4 extended permit object-group NATvlan4 192.168.4.0 255.255.255.0 any
access-list insideACL6 extended permit object-group NATvlan1 192.168.6.0 255.255.255.0 any
access-list insideACL6 extended permit ip 192.168.6.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list insideACL6 extended permit udp 192.168.6.0 255.255.255.0 object-group DataWebShop eq 443
access-list 100 extended permit ip 192.168.6.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list TrafficEnc extended permit ip 192.168.6.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list servicesACL extended permit tcp any host eq 3390
access-list servicesACL extended permit udp object-group DataWebShop host SRV1 eq 443
access-list NATvlan2 extended permit ip 192.168.2.0 255.255.255.0 any
access-list NATvlan4 extended permit ip 192.168.4.0 255.255.255.0 any
access-list NATvlan10 extended permit ip 192.168.10.0 255.255.255.0 any
access-list NATvlan11 extended permit ip 192.168.1.0 255.255.255.0 any
access-list NATvlan1 extended permit ip 192.168.6.0 255.255.255.0 any
access-list vlan1_access_in_1 extended permit ip any any
access-list vlan11_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu vlan1 1500
mtu vlan11 1500
mtu vlan2 1500
mtu vlan4 1500
mtu vlan10 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 1 192.168.110.0 255.255.255.0
nat (vlan1) 0 access-list 100
nat (vlan1) 1 access-list NATvlan1
nat (vlan11) 1 access-list NATvlan11
nat (vlan2) 1 access-list NATvlan2
nat (vlan4) 1 access-list NATvlan4
nat (vlan10) 1 access-list NATvlan10
static (vlan11,outside) tcp interface 3390 Druesberg 3389 netmask 255.255.255.255
static (vlan1,outside) tcp interface ftp-data SRV1 ftp-data netmask 255.255.255.255
static (vlan1,outside) udp interface 443 SRV1 443 netmask 255.255.255.255
static (vlan1,vlan2) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (vlan1,vlan4) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (vlan1,vlan10) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (vlan1,vlan11) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (vlan2,vlan4) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (vlan2,vlan10) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (vlan2,vlan11) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (vlan10,vlan11) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group servicesACL in interface outside
access-group vlan1_access_in_1 in interface vlan1
access-group vlan11_access_in_1 in interface vlan11
access-group insidevlan2 in interface vlan2
access-group insidevlan4 in interface vlan4
access-group insidevlan10 in interface vlan10
route outside 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 172.16.3.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map newmap 10 match address TrafficEnc
crypto map newmap 10 set peer
crypto map newmap 10 set transform-set myset
crypto map newmap 10 set nat-t-disable
crypto map newmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800
telnet 192.168.6.0 255.255.255.0 vlan1
telnet timeout 5
ssh 255.255.255.255 outside
ssh 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname
vpdn group ISP ppp authentication chap
vpdn username password store-local
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 212.90.197.226 source outside prefer
webvpn
username password encrypted privilege 15
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end

Yes, that should be allowed as per the configuration.

Also, just confirming that those hosts only have 1 NIC, and its default gateway is set to its corresponding ASA interfaces?

ie: for host 192.168.1.2, subnet mask is 255.255.255.0 and the default gateway is 192.168.1.254?

for host 192.168.6.1, subnet mask is 255.255.255.0 and default gateway is 192.168.6.6?

Can you please try from other hosts?

Hi Jennifer,

thanks for your quick answer.

There must be something wrong with those static NAT statements, because after I've typed in those, I can't access the

Internet anymore - on all Vlans.

I can't see the reason - do you have an idea for this behavior ?

Hi Jennifer,

as I've tested configuration I realized that I can't ping vlan 1 (192.168.6.6) from the L3-switch attached to the ASA.

As I moved the Config to vlan 6 -it worked again.

The main issue, the routing still doesn't work.

I can't access resources on other vlans.

Please can you have a look again ?

Harry

What is the L3 switch that is attached to the ASA has as its ip address? Does it have any interface vlan ip address?

What vlan and what ip address of the L3 switch are you trying to ping the ASA from?

What do you mean by you moved the config to vlan 6? what do you move and where?

The configuration looks correct. All NATing has been completed that allows the communicate between VLANs.

Can you please try communication between all VLANs and advise which works and which doesn't? You can't ping the ASA interfaces from the opposite interfaces, so that test will always fail if you are testing that.

Eg: you can't ping from host in VLAN 1 towards ASA VLAN 6 interface.

You can only ping from host in VLAN 1 towards ASA VLAN 1 interface.

If you test to ping, please test from host to host, not pinging any ASA interfaces. Please also try to application apart from ping.

At this point, the config looks ok, but you might need to troubleshoot hop by hop where it's failing because it doesn't seem to be a config issue at this stage.

Hello Jennifer,

thanks again for answering.

Your explanations lights up the things !

****

Just a few explanations to my statements above:

At eth0 of the ASA there is a L3-switch on Gig 0/1 directly connected.

The Gig 0/1 is in trunking mode. Vlan 1 has the IP 192.168.6.9

Every Access devices (th two servers) are in a vlan on this switch or behind this switch.

At the L3 - switch I've a VTP domain behind, for which the L3 - switch is accting as a VTP server.

From this L3 - switch (console) I was trying to ping the vlan 1 of ASA and this didn't worked.

So I took the decision to test the behavior by moving the interface config and the attached rules of the ASA to vlan 6.

After this step I was able to ping from 192.168.6.9 (Vlan 1  L3 - switch) to the vlan  of the ASA.

At this point i still don't understand why it doeasn't work with vlan 1

****

Anyway, I'll try to ping and share/mount folders from other vlans.

I'll come back.

Thanks by your clarifying explanations

I'm sorry for the confusions.

I have created a Vlan 6 on the ASA and also on the Switch.

The Vlan 1 now is the native Vlan.

actualy it looks like this:

interface Ethernet0/1.11

vlan 11

nameif vlan11

security-level 100

ip address 192.168.1.254 255.255.255.0

no shut

!

interface Ethernet0/1.2

vlan 2

nameif vlan2

security-level 100

ip address 192.168.2.1 255.255.255.0

no shut

!

!

interface Ethernet0/1.4

vlan 4

nameif vlan4

security-level 100

ip address 192.168.4.1 255.255.255.0

no shut

!

!

interface Ethernet0/1.6

vlan 6

nameif vlan6

security-level 100

ip address 192.168.6.6 255.255.255.0

no shut

!

interface Ethernet0/1.10

vlan 10

nameif vlan10

security-level 100

ip address 192.168.10.1 255.255.255.0

no shut

!

with this config in place, I'm now able to ping from the switch 6.9 to the ASA on 6.6 and vice versa.

Before when the same config was on vlan 1, I couldn't ping like this.

That sounds odd to me too.

As you said above it should work with the access-list - at least to ping between the two

hosts on vlan 6 and 11:

access-list vlan1_access_in_1 extended permit ip any any

access-list vlan11_access_in_1 extended permit ip any any

access-group vlan1_access_in_1 in interface vlan1

access-group vlan11_access_in_1 in interface vlan11

I'm thinking about to upgrade the current IOS to 8.4X ... and to create the config on a new base.

Do you see any mistake in the config above ?

No, the config looks absolutely fine to me.

I would upgrade to the latest version of 8.2.x.

Just FYI, version 8.3 and above has new changes to NAT, so it's completely different to version 8.2 or below. You might want to take a look at those NAT section first prior to upgrading to 8.4.x.