Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
657
Views
0
Helpful
3
Replies

Subinterface on Cisco ASA 5520

ccarter81
Level 1
Level 1

‎04-24-2013 08:31 AM - edited ‎03-11-2019 06:34 PM

Hello Experts,

I am having an issue where I can't get to external network sources via my sub interface which is attached to a 192.168.10.X VLAN I created to for Guest wireless traffic. The internal interface is a 10.5.X.X network. I can get out the external interface, but anything that we have A records for such as our mobile iron server that we can hit from the outside via https and an external IP can't be hit from the subinterface at all. Would this be a DNS rewrite issue or inspection problem?

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎04-24-2013 08:58 AM

Hi,

I am not sure if I understood you correctly.

Are you saying that the new network cant access Internet or is it also the case that it cant even access some local resources?

I guess the most typical things stopping some internal network from communicating with Internet are

  • Routing problem
  • Lacking NAT configurations
  • Traffic not allowd with ACL
  • DNS problem

Also notice that if you are trying to access some of you local servers with their public IP addresses and those public IP addresses are configured to those servers on the ASA with Static NAT then this is expected. You would have to configure some additional NAT configurations for the new LANs users to be able to connect to the public IP address directly.

If you have a DNS configurations for your servers on a public DNS server which are used by the new LANs hosts then it should be enough to use the "dns" parameter at the end of the "static" configuration of the server to enable the DNS rewrite.

To be honest we would need more information to be able to say anything specific since we dont have a clue about the current ASA configurations for example.

- Jouni

0 Helpful

ccarter81
Level 1
Level 1
In response to Jouni Forss

‎04-24-2013 12:33 PM

Thanks for the reply JouniForss. I have internet on the VLAN, but can't access internal sources that have external IP's. The only way I can is if I put them in the ACL by their internal address, but I don't want to have to do that.

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to ccarter81

‎04-24-2013 12:43 PM

Hi,

It would be best if you could share the configurations of the ASA so we could look through what configurations need to be added.

One thing that interests me is where are these servers located? Are they behind some other LAN interface of the ASA? Are the other LAN interface users able to access the servers using the public IP address?

But as I said it would be best to see the ASA configurations and information on what servers specifically need to be connected from the new Vlan on the ASA.

You can for example mask the public IP addresses on the configuration partially so that you dont give any sensitive information out publicly.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card