Hi,

I have an ASA 5510 that was originally setup with no VLANs.  I have a SIP telephone system on the inside interface.  I have now added two sub-interfaces to the inside interface for seperate VLANs as shown below.

!

interface Ethernet0/0

nameif outside

security-level 0

ip address ***.***.***.*** 255.255.255.***

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.*** 255.255.255.0

!

interface Ethernet0/1.2

vlan 10

nameif inside2

security-level 100

ip address 172.***.***.*** 255.255.0.0

!

interface Ethernet0/1.3

vlan 100

nameif inside_Private

security-level 90

ip address 192.168.16.*** 255.255.255.0

!

Ethernet0/0 and 0/1 where originally setup then I have added ethernet0/1.2 and 1.3

Dynamic NAT rules where also setup on the inside interface as follows:

nat (inside) 1 0.0.0.0 0.0.0.0

I then added the same for the other inside interfaces:

nat (inside2) 1 0.0.0.0 0.0.0.0

nat (inside_Private) 1 0.0.0.0 0.0.0.0

which seems to work fine, i can access the internet from all inside interfaces (depending on firewall rules of course)

The problem is that when i add the dynamic NAT rules for inside2 and inside_Private it breaks the incoming SIP from getting to the asterisk box.  As soon as i remove them it works again.

Is this due to having untagged traffic with the inside interface, do i need to create a new sub-interface to be used instead, so i would have Ethernet0/1.1, Ethernet0/1/2 and Ethernet0/1.3 and then remove the IP from Ethernet0/1 ?  If this is the case then what is the best way to change this as i have alot of firewall rules setup on this interface that would need moving over.

Thanks

Dan