I have a problem once again.
I am trying to reach a webserver which is located on the inside interface 192.168.190.27 from the Guest interface which has 10.10.10.0.
See the diagram:
I can ping from, for example, 10.10.10.103 (a Windows 7 client) to the server 192.168.190.27, which works without a problem.
Pinging from the server to the client works fine.
Packet capture from the client
a bunch of RST packets
And here is a pic from the logging in the ASA.
sh run | in Guest
access-list Guest_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-list Guest_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.190.0 255.255.255.0
mtu Guest 1500
nat (Guest) 0 access-list Guest_nat0_outbound
nat (Guest) 1 10.10.10.0 255.255.255.0
static (inside,Guest) 192.168.190.0 192.168.190.0 netmask 255.255.255.0
static (Guest,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
access-group Guest_access_in in interface Guest
dhcpd address 10.10.10.100-10.10.10.200 Guest
dhcpd dns 192.168.190.91 192.168.190.15 interface Guest
dhcpd enable Guest
Appreciate all your help!
That is a clear problem with regards to the operation of the ASA.
If you now have routing activated on the HP Switch (as you say) and you have a Guest Vlan interface on the HP switch with an IP address from the network 10.10.10.0/24 then traffic (or return traffic) from network 192.168.190.0/24 will never pass through the ASA. The ASA has to see the whole TCP conversation between the devices in different networks, not just the other half.
The simplest solution for the ASA would be to have the HP Switch only act as an L2 switch for the 2 user Vlans and the ASA act as the L3 point for the network. Alternatively you could remove any L3 related operation for the Guest Vlan from the HP Switch and leave the original LAN network 192.168.190.0/24 as it is.
So if possible you could remove the Vlan interface IP address for the Guest Vlan so the only routing device for that Vlan would be the ASA.
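One way to check from the ASA side that it is seeing only part of the TCP conversations between the two subnets, as an added example that is not part of the original thread. It assumes the drops are logged as syslog 106015 ("Deny TCP (no connection)"); the log lines are constructed samples and the function name is hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Subnets taken from the thread.
GUEST = ipaddress.ip_network("10.10.10.0/24")
INSIDE = ipaddress.ip_network("192.168.190.0/24")

# ASA syslog 106015: a TCP packet arrived that matches no connection-table entry.
NO_CONN = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+"
    r"on interface (?P<ifc>[\w-]+)"
)

# Constructed sample lines (not taken from the screenshot in the thread).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4101 for Guest:10.10.10.150/50001 (10.10.10.150/50001) to inside:192.168.190.91/53 (192.168.190.91/53)
%ASA-6-106015: Deny TCP (no connection) from 10.10.10.103/49210 to 192.168.190.27/80 flags ACK  on interface Guest
%ASA-6-106015: Deny TCP (no connection) from 10.10.10.103/49211 to 192.168.190.27/80 flags RST  on interface Guest
%ASA-6-106015: Deny TCP (no connection) from 10.10.10.103/49211 to 192.168.190.27/80 flags RST  on interface Guest
%ASA-6-106015: Deny TCP (no connection) from 172.16.5.9/40000 to 192.168.190.27/22 flags ACK  on interface inside
"""


def cross_subnet_no_conn(log_text):
    """Count 106015 drops per (src, dst, dport, interface) between Guest and inside."""
    hits = Counter()
    for line in log_text.splitlines():
        m = NO_CONN.search(line)
        if not m:
            continue  # other message IDs are ignored
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        # Keep only traffic where one end is Guest and the other is inside.
        if (src in GUEST and dst in INSIDE) or (src in INSIDE and dst in GUEST):
            hits[(str(src), str(dst), int(m["dport"]), m["ifc"])] += 1
    return hits


if __name__ == "__main__":
    for (src, dst, dport, ifc), n in cross_subnet_no_conn(SAMPLE_LOG).most_common():
        print(f"{n} no-connection drops on {ifc}: {src} -> {dst}:{dport}")
```

Repeated drops for the same Guest/inside pair while ping works in both directions point to part of the TCP exchange travelling a path that bypasses the ASA.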
Thanks a lot, I removed the Vlan interface IP address for the Guest Vlan so the only routing device for that Vlan is the ASA. In the near future I am going to remove the routing altogether on the switch, to let it act only as a layer 2 switch.
Once again thanks
Have a wonderful weekend