I am having an issue where I can't get to external network sources via my sub interface which is attached to a 192.168.10.X VLAN I created to for Guest wireless traffic. The internal interface is a 10.5.X.X network. I can get out the external interface, but anything that we have A records for such as our mobile iron server that we can hit from the outside via https and an external IP can't be hit from the subinterface at all. Would this be a DNS rewrite issue or inspection problem?
I am not sure if I understood you correctly.
Are you saying that the new network cant access Internet or is it also the case that it cant even access some local resources?
I guess the most typical things stopping some internal network from communicating with Internet are
Also notice that if you are trying to access some of you local servers with their public IP addresses and those public IP addresses are configured to those servers on the ASA with Static NAT then this is expected. You would have to configure some additional NAT configurations for the new LANs users to be able to connect to the public IP address directly.
If you have a DNS configurations for your servers on a public DNS server which are used by the new LANs hosts then it should be enough to use the "dns" parameter at the end of the "static" configuration of the server to enable the DNS rewrite.
To be honest we would need more information to be able to say anything specific since we dont have a clue about the current ASA configurations for example.
Thanks for the reply JouniForss. I have internet on the VLAN, but can't access internal sources that have external IP's. The only way I can is if I put them in the ACL by their internal address, but I don't want to have to do that.
It would be best if you could share the configurations of the ASA so we could look through what configurations need to be added.
One thing that interests me is where are these servers located? Are they behind some other LAN interface of the ASA? Are the other LAN interface users able to access the servers using the public IP address?
But as I said it would be best to see the ASA configurations and information on what servers specifically need to be connected from the new Vlan on the ASA.
You can for example mask the public IP addresses on the configuration partially so that you dont give any sensitive information out publicly.