Hello Jon!  I've tried both with no success.

Can you post output of -

"packet-tracer input inside tcp 192.168.12.10 12345 8.8.8.8 www"

From the ASA can you ping a 192.168.12.x client ?

Jon

Here you go!

Result of the command: "packet-tracer input inside tcp 192.168.12.10 12345 8.8.8.8 www"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT-EXEMPT
Subtype: 
Result: ALLOW
Config:
  match ip inside 192.168.12.0 255.255.255.0 outside any
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (65.114.22.82 [Interface PAT])
    translate_hits = 266513, untranslate_hits = 168014
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 1441990, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

I am able to ping a 192.168.12.x client from the ASA

Not sure what is happening here.

The output suggests you are matching the "ip nat (inside) 1 0.0.0.0 0.0.0.0" entry but you shouldn't be.

So is the client port on the switch in vlan 12 and how is the switch connected to the ASA ie. what is the configuration on the port on the switch that connects to e0/7 on your ASA ?

Also can you attach the configuration you are currently working with ?

Jon

The client port on the switch is in vlan 12.  Port e0/7 connects to switch which is also on vlan 12 in access mode. 

You have this line -

access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 any

and the NAT exemption ie. "nat (inside) 0 access-list <acl name>" takes precedence if I remember correctly.

If that line is for VPN then you need to make the destination the same as the other line ie. 192.168.5.0 255.255.255.0 but you can't use any because that includes internet.

Jon

Seems to be working now.  Below is what I changed:

no access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 any 

access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.5.0 255.255.255.0

The 192.168.12.X is able to get to internet now.  

Last issue is I'm not able to route between these two vlans.  Should I create another discussion for this issue?

--Clayton

Clayton

You won't be able to route between vlans without setting up NAT between the interfaces ie.

static (inside,ipcamera) 192.168.11.0 192.168.11.0 255.255.255.0
static (ipcamera,inside) 192.168.12.0 192.168.12.0 255.255.255.0

Jon

Can this be accomplished without the connection to the switch not being a trunk?

I just want to be able to pass traffic between the two vlans.

Then you should be fine with what you have as long as you add those NAT statements.

Is everything working now ?

Jon

I get the following error message when applying those statements:

Result of the command: "static (inside,ipcamera) 192.168.11.0 192.168.11.0 255.255.255.0"

static (inside,ipcamera) 192.168.11.0 192.168.11.0 255.255.255.0
                                                      ^
ERROR: % Invalid input detected at '^' marker.

Result of the command: "static (ipcamera,inside) 192.168.12.0 192.168.12.0 255.255.255.0"

static (ipcamera,inside) 192.168.12.0 192.168.12.0 255.255.255.0
                                                      ^
ERROR: % Invalid input detected at '^' marker.