Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2925
Views
0
Helpful
7
Replies

ASA alias, secondary subnet, no communcation between them?

Go to solution
3moloz123
Level 1
Level 1

‎08-18-2011 05:47 AM - edited ‎03-11-2019 02:13 PM

Hi,

As this is an ASA 5505, unlimited users, I must use arp alias to allow a secondary network.

Inside network: 10.200.31.0/24

Additional inside network: 10.200.12.0/24

Clients in both networks can reach internet, but they can't communicate with eachother. Hosts on the additional network can ping the ASA inside network IP, but nothing else. I get incomming hitcount for inside interface when 10.200.12.x tries to ping 10.200.31.x. In the error log, I see:

ASA log says:

3 Aug 18 2011 05:21:12 305006 10.200.12.10 portmap translation creation failed for icmp src inside:10.200.31.101 dst inside:10.200.12.10 (type 8, code 0)

Trying the opposite way doesn't work either:

3Aug 18 201105:29:1830500610.200.31.101


portmap translation creation failed for icmp src inside:10.200.12.10 dst inside:10.200.31.101 (type 8, code 0)

Is this some limitation of the approach I've choosen? And if so, is the only solutions either upgrade to security+ license to allow for a third vlan or simply static NAT?

## Config

# show int eth 0/1

<snip>

MAC address 6400.f185.01ba, MTU not set

</snip>

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

arp inside 10.200.12.1 6400.f185.01ba alias

route inside 10.200.12.0 255.255.255.0 10.200.31.1 1

access-list inside_access_in line 1 extended permit ip 10.200.31.0 255.255.255.0 10.200.12.0 255.255.255.0 log disable (hitcnt=22) 0xf97f5606

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
varrao
Level 10
Level 10

‎08-18-2011 05:52 AM

Well you are trying to do u-turning on ASA, this would need the following config as well:

static (inside,inside) 10.200.31.0 10.200.31.0 norand nailed

nat (inside) 1 0.0.0.0 0.0.0.0

global (inside) 1 interface

Try it and let me know how it goes.

Thanks,

Varun

Please rate helpful posts.

Thanks,
Varun Rao

View solution in original post

0 Helpful
7 Replies 7

Go to solution
varrao
Level 10
Level 10

‎08-18-2011 05:52 AM

Well you are trying to do u-turning on ASA, this would need the following config as well:

static (inside,inside) 10.200.31.0 10.200.31.0 norand nailed

nat (inside) 1 0.0.0.0 0.0.0.0

global (inside) 1 interface

Try it and let me know how it goes.

Thanks,

Varun

Please rate helpful posts.

Thanks,
Varun Rao
0 Helpful

Go to solution
3moloz123
Level 1
Level 1
In response to varrao

‎08-18-2011 06:39 AM

Thank you for you answer.

'norand' seems deprecated. This is ASA 8.2. It says I should use the 'tcp-state-bypass' option under 'set connection' in the (in what?) policy-map.

The it throws error:

ERROR: mapped-address conflict with existing static

inside:10.200.31.0 to inside:10.200.31.0 netmask 255.255.255.255.

I have no static nat configured, only one dynamic to source nat inside clients (on both subnets) to outside interface.

0 Helpful

Go to solution
varrao
Level 10
Level 10
In response to 3moloz123

‎08-18-2011 06:43 AM

Can you provide me an output of "show run nat", show run global" , show run static.

The command is not deprecated, it shoudl be there in 8.2 as well:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/s8.html#wp1512466

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

Go to solution
3moloz123
Level 1
Level 1
In response to varrao

‎08-18-2011 06:50 AM

Hi,

Thanks for pointing me in the right direction. I was not familiar with "u-turning" or "hairpinning".

I solved it using:

static (inside,inside) 10.200.31.0 10.200.31.0 netmask 255.255.255.0

static (inside,inside) 10.200.12.0 10.200.12.0 netmask 255.255.255.0

Thanks Varun

0 Helpful

Go to solution
varrao
Level 10
Level 10
In response to 3moloz123

‎08-18-2011 07:01 AM

Hey thats great, you can now mark this thread as answered...

-Varun

Thanks,
Varun Rao
0 Helpful

Go to solution
3moloz123
Level 1
Level 1
In response to varrao

‎08-18-2011 11:32 PM

Hi Varun Rao,

After experimenting some with this setup, I find that the main inside net can reach (ie ping) the secondary net, but not the other way around. In order for secondary net to be able to establish a connection with the primary net, I had to add:

'static (inside,inside) 10.200.31.0 10.200.31.0 netmask 255.255.255.0'

This did however have some really unexpected drawbacks, dhcp stopped working. All clients requesting IP's got them requested, somehow rejected them and got a new IP. The arp table was quickly filling up.

Without the static nat above, dhcp works again but like I said secondary net can't establish communication with primary.

Are these some of the limitations of this setup, or do you happen to know of a workaround? :-)

0 Helpful

Go to solution
varrao
Level 10
Level 10
In response to 3moloz123

‎08-18-2011 11:34 PM

Can you share the configuration, Iw oudl like to have a look at it??

-Varun

Thanks,
Varun Rao
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card