Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2114
Views
0
Helpful
18
Replies

Trouble reaching webserver on inside interface from guest

Go to solution
Shane Riley
Level 1
Level 1

‎11-05-2013 04:45 AM - edited ‎03-11-2019 08:00 PM

I have a problem once again

I am trying to reach a webserver which is located on the inside interface 192.168.190.27 from the Guest Interface which has 10.10.10.0

See the diagram: topology.png

I can ping from for example 10.10.10.103 a windows 7 client to the server 192.168.190.27.. Which works without a problem.

Pinging from the server to the client works fine..

But when i try to browse to http://192.168.190.27 https://192.168.190.27 no luck

Packet capture from the client packetcapture.png

a bunch of RST packets

And here is a pic from the logging in the ASA..

log.png

sh run | in Guest

nameif Guest

access-list Guest_access_in extended permit ip 10.10.10.0 255.255.255.0 any

access-list Guest_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.190.0 255.255.255.0

mtu Guest 1500

nat (Guest) 0 access-list Guest_nat0_outbound

nat (Guest) 1 10.10.10.0 255.255.255.0

static (inside,Guest) 192.168.190.0 192.168.190.0 netmask 255.255.255.0

static (Guest,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

access-group Guest_access_in in interface Guest

dhcpd address 10.10.10.100-10.10.10.200 Guest

dhcpd dns 192.168.190.91 192.168.190.15 interface Guest

dhcpd enable Guest

Appreciate all your help!

Shane

Labels:
0 Helpful
18 Replies 18

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Shane Riley

‎11-06-2013 04:21 AM

Hi,

That is a clear problem with regards to the operation of the ASA.

If you now have routing activated on the HP Switch (as you say) and you have a Guest  Vlan interface on the HP switch with an IP address from the network  10.10.10.0/24 then traffic (or return traffic) from network  192.168.190.0/24 will never pass through the ASA. ASA has to see the whole TCP conversation between the devices in different network, not just the other half.

The simplest solution for ASA would be to have a the HP Switch only act as a L2 switch for the 2 user Vlans and the ASA act as the L3 point for the network. Alternatively you could remove any L3 related operation for Guest Vlan from the HP Switch and leave the original LAN network 192.168.190.0/24 as it is.

So if possible you could remove the Vlan interface IP address for the Guest Vlan so the only routing device for that Vlan would be the ASA.

- Jouni

0 Helpful

Go to solution
Shane Riley
Level 1
Level 1
In response to Jouni Forss

‎11-21-2013 12:52 PM

Hi Jouni,

Thanks alot, i removed the Vlan interface IP address for the  Guest Vlan so the only routing device for that Vlan is the ASA. In the near future i am going to remove the routing alltogehter on the switch, to let it act only as a layer 2 switch.

Once again thanks

Have a wonderful weekend

/Shane

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Shane Riley

‎11-08-2013 12:09 PM

Hi,

Have you had the chance to try changing the network setup regarding the gateways of the different networks?

- Jouni

0 Helpful

Go to solution
Shane Riley
Level 1
Level 1
In response to Jouni Forss

‎11-10-2013 11:02 PM

Hi,

Sorry about that, but been busy with another issue

I am going to try changing it today and get back to you

/Shane                   

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card