Buy or Renew
Buy or Renew
Meraki Community is live! Welcome Meraki Members! Learn more here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3728
Views
5
Helpful
7
Replies

Multiple Inside interfaces with one outside interface

Go to solution
Erick Brittain
Community Member

‎05-12-2016 08:02 AM - edited ‎03-12-2019 12:44 AM

I have an ASA 5520 and trying to use 2 of the interfaces for inside traffic and using just one internet connection:

For Example..

GigabitEthernet 0/0 - Outside (internet)

GigabitEthernet 0/1 - Inside (192.168.1.0)

GigabitEthernet 0/2 - Inside2 (192.168.2.0)

I have NAT and access rules setup correctly I believe but if I get on the .2 network I can not access the internet.  Packet tracer shows if I pick interface 0/2 as source and internet as destination the packet goes through, if I use traceroute with same parameters it will not resolve.  Is this possible with just an ASA or will I need to integrate a router?

Thanks,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Erick Brittain

‎05-12-2016 10:13 AM

Hi,

Packet tracer output is in place.

Can you check the show arp on the ASA ?

Also on the PC on the inside 2 interface what are you pinging ?

Can you check your IP settings and make sure the default gateway is set to inside 2 interface IP of ASA and DNS as and global DNS server ( 8.8.8.8 ) ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Karsten Iwen
VIP
VIP

‎05-12-2016 08:46 AM

packet-tracer can fool you here. It's not enough that it tells you that the packet goes through, it also has to show you that the right translation is used.

I would assume that something is wrong with your NAT here. Can you share your complete NAT config?

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Go to solution
Erick Brittain
Community Member
In response to Karsten Iwen

‎05-12-2016 09:28 AM

Manual NAT Policies (Section 1)
1 (inside) to (inside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
2 (inside2) to (inside2) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0

This section is working, it is for remote RDP and is working:

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static RDP_Static interface   service tcp 3389 3389
    translate_hits = 0, untranslate_hits = 81
2 (inside) to (outside) source dynamic obj-192.168.1.0 interface
    translate_hits = 4151687, untranslate_hits = 2542688

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Erick Brittain

‎05-12-2016 09:48 AM

Hi,

Please share the packet tracer output.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Go to solution
Erick Brittain
Community Member
In response to Aditya Ganjoo

‎05-12-2016 10:03 AM

packet-tracer input inside2 tcp 192.168.2.13 80 4.2.2.2 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside2_access_in in interface inside2
access-list Inside2_access_in extended permit ip any4 any4
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside_2
nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.2.13/80 to (InternetIP address)/80

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7866831, packet dispatched to next module

Result:
input-interface: inside2
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Erick Brittain

‎05-12-2016 10:13 AM

Hi,

Packet tracer output is in place.

Can you check the show arp on the ASA ?

Also on the PC on the inside 2 interface what are you pinging ?

Can you check your IP settings and make sure the default gateway is set to inside 2 interface IP of ASA and DNS as and global DNS server ( 8.8.8.8 ) ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Go to solution
Erick Brittain
Community Member
In response to Aditya Ganjoo

‎05-12-2016 10:44 AM

I was trying to ping out from a pc on the inside2 network (.2), it has an ip of 192.168.2.13 and going to external address on packet tracer appears to work.  If i do a traceroute from the inside2 interface to an internet address it will not go out.  i will check the PC settings in a little bit, i currently don't have access to it.

0 Helpful

Go to solution
Erick Brittain
Community Member
In response to Erick Brittain

‎05-12-2016 12:17 PM

Well not sure what to say but checking from the pc internet is working. I am not sure why the traceroute fails but it all appears to be fine. I really appreciate all the help.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card