2367 Views, 0 Helpful, 26 Replies

ASA on Multi-Network

woodjl1650
Level 1

I have three LANs connected to my ASA, all have internet access, but I am not able to ping or access any of the LANs on the inside network. Can you please advise on where I went wrong?

[Attached diagram: Home_Network_with_1_ASA(1).jpg]

ASA Version 8.2(3)
!
hostname ciscoasa
enable password DQucN59Njn0OjpJL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
rip send version 1 2
rip receive version 1 2
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ripACL_FR standard permit 192.168.1.0 255.255.255.0
access-list ripACL_FR standard permit 192.168.2.0 255.255.255.0
access-list ripACL_FR standard permit 192.168.3.0 255.255.255.0
access-list ripACL_FR standard permit 192.168.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
route-map HomeRoute permit 1
match ip address 100
match interface inside
!
!
router rip
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.5.0
redistribute static route-map HomeRoute
default-information originate route-map HomeRoute
version 2
distribute-list ripACL_FR in interface inside
!
route outside 0.0.0.0 0.0.0.0 68.108.10.1 1
route inside 192.168.1.0 255.255.255.0 192.168.5.1 1
route inside 192.168.1.0 255.255.255.0 192.168.2.1 1
route inside 192.168.1.0 255.255.255.0 192.168.3.1 1
route inside 192.168.2.0 255.255.255.0 192.168.5.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.3.1 1
route inside 192.168.3.0 255.255.255.0 192.168.5.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.5.5-192.168.5.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:14debb742c0a6f337f9f5005a22c9a14
: end
ciscoasa#

26 Replies

Julio Carvajal
VIP Alumni

Hello Jonathan,

Would you mind adding this?

policy-map global_policy
class inspection_default
inspect icmp

And remember that if you want to ping from a lower security level to a higher there needs to be an ACL allowing this connection.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Plugged those commands in and still don't have access to the other networks... I am currently on the 192.168.1.X network, trying to view a wired IP camera on the 192.168.3.X network. I can't access my printer on the 192.168.2.X network either... Here is my current running config:

ASA Version 8.2(3)
!
hostname ciscoasa
enable password DQucN59Njn0OjpJL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 0.0.0.0 0.0.0.0 outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.5.5-192.168.5.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b108a042cb359e4e4e62a0e4ff00ad70
: end

Hello Jonathan,

Add this command:

same-security-traffic permit intra-interface

and try this packet-tracer:

packet-tracer input inside tcp 192.168.1.X 1025 192.168.3.X 80

Let me know the output of this,

Thanks

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It says it's allowed under TCP, but when I run the IP tracker on the ASDM, it drops because of NAT. Does my NAT need to be redone?

ciscoasa# packet-tracer input inside tcp 192.168.1.2 http 192.168.3.7 http

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (68.108.12.252 [Interface PAT])
    translate_hits = 543, untranslate_hits = 32
Additional Information:
Dynamic translate 192.168.1.2/80 to 68.108.12.252/262 using netmask 255.255.255.255

Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (192.168.5.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 598, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

The thing is that you are going from an inside LAN to another LAN located on the inside as well.

Did you add the command:

same-security-traffic permit intra-interface

I think this is a routing issue instead of a NATting issue, as we can see on the packet tracer the packet is allowed. But check your routes:

route inside 192.168.1.0 255.255.255.0 192.168.5.1 1
route inside 192.168.1.0 255.255.255.0 192.168.2.1 1
route inside 192.168.1.0 255.255.255.0 192.168.3.1 1
route inside 192.168.2.0 255.255.255.0 192.168.5.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.3.1 1
route inside 192.168.3.0 255.255.255.0 192.168.5.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.2.1 1

What is the IP address of the Layer 3 device on the inside interface? It has to be 192.168.5.something?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, my ASA is 192.168.5.1. Plugged those routes in and still no access. Did the tracer on the ASDM and it still says NAT issues... Any idea?

If your ASA is 192.168.5.1 you do not need to add it to the static routes. What is the IP address of the router on the inside, and why are you using three different next hops to get to the same LAN?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
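Added example, not part of the thread: a small Python check that mechanises the route points raised above. It flags a static route whose next hop is the ASA's own interface address, several next hops for one prefix at the same metric, and routes that send traffic back out the interface it arrived on, which on an ASA needs same-security-traffic permit intra-interface. The sample config is constructed from the interface and route lines posted earlier; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample built from the interface and route lines posted in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.5.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
route outside 0.0.0.0 0.0.0.0 68.108.10.1 1
route inside 192.168.1.0 255.255.255.0 192.168.5.1 1
route inside 192.168.1.0 255.255.255.0 192.168.2.1 1
route inside 192.168.1.0 255.255.255.0 192.168.3.1 1
"""
ROUTE_RE = re.compile(r"^\s*route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?\s*$", re.M)
INTRA = "same-security-traffic permit intra-interface"

def interface_addrs(cfg):
    """Map each nameif to the static IPv4 address configured under it (DHCP skipped)."""
    addrs, nameif = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"]:
            nameif = None
        elif tok[:1] == ["nameif"]:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and tok[2] != "dhcp":
            addrs[nameif] = tok[2]
    return addrs

def lint_routes(cfg):
    """Findings: self-referencing next hop, several next hops per prefix, hairpin without INTRA."""
    addrs = interface_addrs(cfg)
    findings, hops, hairpin = [], defaultdict(list), defaultdict(int)
    for ifname, net, mask, nh, metric in ROUTE_RE.findall(cfg):
        key = f"{net}/{mask} via {ifname}"
        if nh == addrs.get(ifname):
            findings.append(f"{key}: next hop {nh} is the ASA's own {ifname} address")
        hops[(key, int(metric or 1))].append(nh)
        if net != "0.0.0.0":  # hosts on ifname reaching this prefix go back out ifname
            hairpin[ifname] += 1
    for (key, metric), nhs in hops.items():
        if len(nhs) > 1:
            findings.append(f"{key}: {len(nhs)} next hops at metric {metric} ({', '.join(nhs)})")
    if INTRA not in cfg:
        for ifname, n in hairpin.items():
            findings.append(f"{ifname}: {n} route(s) hairpin out the ingress interface but '{INTRA}' is not set")
    return findings
```

Run `lint_routes` over a full `show running-config` paste; the route regex ignores every other line, so the rest of the config can stay in.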

I have three routers going into the ASA, I want a separate LAN for each part of my network. Each router is assigned 192.168.1.1, 192.168.2.1, and 192.168.3.1. I know it seems more than what it should, but this is how I like it. Is there a way to let all of them talk to each other?

Sure you can do that, but in order for us to help you we will need to know the diagram of your network, which I think is something like this:

(x.x.x.x)R1(x.x.x.x)--------(x.x.x.x)R2(x.x.x.x)---------(x.x.x.x)R3(x.x.x.x)------(192.168.5.1)ASA(dhcp)---(68.108.10.1)Internet

But just to let you know, each LAN has got to have its respective router as its default gateway; the ASA is only going to work as the default gateway for the network 192.168.5.0.

May I have the ip address of each router on both interfaces?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here is my network diagram with all IP addresses of all my devices. Like I said, I have the internet on all routers right now, I just need them to be able to talk to each other.

OK, so what you will need to do is to create 3 VLANs. You already have one, Vlan1; you will need to create vlan 3 and vlan 4:

interface vlan 3
nameif DMZ
security-level 100
ip address 192.168.3.1 255.255.255.0

interface vlan 4
nameif DMZ2
security-level 100
ip address 192.168.1.1 255.255.255.0

Then assign one port to each of those VLANs.

You will have to remove the static routes except for the one pointing to the outside, and then work on static NATs and ACLs.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Any way to do it with a basic license? I can't do more than 2 VLANs.... Grrrr.....

The way I told you before:

(x.x.x.x)R1(x.x.x.x)--------(x.x.x.x)R2(x.x.x.x)---------(x.x.x.x)R3(x.x.x.x)------(192.168.5.1)ASA(dhcp)---(68.108.10.1)Internet

But just to let you know, each LAN has got to have its respective router as its default gateway; the ASA is only going to work as the default gateway for the network 192.168.5.0.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I guess I don't fully understand what you mean by "(x.x.x.x)R1(x.x.x.x)--------(x.x.x.x)R2(x.x.x.x)---------(x.x.x.x)R3(x.x.x.x)------(192.168.5.1)ASA(dhcp)---(68.108.10.1)Internet"