Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3367
Views
5
Helpful
7
Replies

Multiple Inside interfaces with one outside interface

Go to solution
Erick Brittain
Level 1
Level 1

‎05-12-2016 08:02 AM - edited ‎03-12-2019 12:44 AM

I have an ASA 5520 and trying to use 2 of the interfaces for inside traffic and using just one internet connection:

For Example..

GigabitEthernet 0/0 - Outside (internet)

GigabitEthernet 0/1 - Inside (192.168.1.0)

GigabitEthernet 0/2 - Inside2 (192.168.2.0)

I have NAT and access rules setup correctly I believe but if I get on the .2 network I can not access the internet.  Packet tracer shows if I pick interface 0/2 as source and internet as destination the packet goes through, if I use traceroute with same parameters it will not resolve.  Is this possible with just an ASA or will I need to integrate a router?

Thanks,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Erick Brittain

‎05-12-2016 10:13 AM

Hi,

Packet tracer output is in place.

Can you check the show arp on the ASA ?

Also on the PC on the inside 2 interface what are you pinging ?

Can you check your IP settings and make sure the default gateway is set to inside 2 interface IP of ASA and DNS as and global DNS server ( 8.8.8.8 ) ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Karsten Iwen
VIP
VIP

‎05-12-2016 08:46 AM

packet-tracer can fool you here. It's not enough that it tells you that the packet goes through, it also has to show you that the right translation is used.

I would assume that something is wrong with your NAT here. Can you share your complete NAT config?

Go to solution
Erick Brittain
Level 1
Level 1
In response to Karsten Iwen

‎05-12-2016 09:28 AM

Manual NAT Policies (Section 1)
1 (inside) to (inside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
2 (inside2) to (inside2) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0

This section is working, it is for remote RDP and is working:

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static RDP_Static interface   service tcp 3389 3389
    translate_hits = 0, untranslate_hits = 81
2 (inside) to (outside) source dynamic obj-192.168.1.0 interface
    translate_hits = 4151687, untranslate_hits = 2542688

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Erick Brittain

‎05-12-2016 09:48 AM

Hi,

Please share the packet tracer output.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Go to solution
Erick Brittain
Level 1
Level 1
In response to Aditya Ganjoo

‎05-12-2016 10:03 AM

packet-tracer input inside2 tcp 192.168.2.13 80 4.2.2.2 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside2_access_in in interface inside2
access-list Inside2_access_in extended permit ip any4 any4
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside_2
nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.2.13/80 to (InternetIP address)/80

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7866831, packet dispatched to next module

Result:
input-interface: inside2
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Erick Brittain

‎05-12-2016 10:13 AM

Hi,

Packet tracer output is in place.

Can you check the show arp on the ASA ?

Also on the PC on the inside 2 interface what are you pinging ?

Can you check your IP settings and make sure the default gateway is set to inside 2 interface IP of ASA and DNS as and global DNS server ( 8.8.8.8 ) ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Go to solution
Erick Brittain
Level 1
Level 1
In response to Aditya Ganjoo

‎05-12-2016 10:44 AM

I was trying to ping out from a pc on the inside2 network (.2), it has an ip of 192.168.2.13 and going to external address on packet tracer appears to work.  If i do a traceroute from the inside2 interface to an internet address it will not go out.  i will check the PC settings in a little bit, i currently don't have access to it.

0 Helpful

Go to solution
Erick Brittain
Level 1
Level 1
In response to Erick Brittain

‎05-12-2016 12:17 PM

Well not sure what to say but checking from the pc internet is working. I am not sure why the traceroute fails but it all appears to be fine. I really appreciate all the help.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card