Trouble reaching webserver on inside interface from guest

I have a problem once again.

I am trying to reach a webserver which is located on the inside interface 192.168.190.27 from the Guest Interface which has 10.10.10.0.

See the diagram: topology.png

I can ping from, for example, 10.10.10.103 (a Windows 7 client) to the server 192.168.190.27, which works without a problem.

Pinging from the server to the client works fine.

But when I try to browse to http://192.168.190.27 or https://192.168.190.27, no luck.

Packet capture from the client: packetcapture.png

A bunch of RST packets.

And here is a pic from the logging in the ASA.

log.png

sh run | in Guest

nameif Guest

access-list Guest_access_in extended permit ip 10.10.10.0 255.255.255.0 any

access-list Guest_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.190.0 255.255.255.0

mtu Guest 1500

nat (Guest) 0 access-list Guest_nat0_outbound

nat (Guest) 1 10.10.10.0 255.255.255.0

static (inside,Guest) 192.168.190.0 192.168.190.0 netmask 255.255.255.0

static (Guest,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

access-group Guest_access_in in interface Guest

dhcpd address 10.10.10.100-10.10.10.200 Guest

dhcpd dns 192.168.190.91 192.168.190.15 interface Guest

dhcpd enable Guest

Appreciate all your help!

Shane


Hi,

That is a clear problem with regards to the operation of the ASA.

If you now have routing activated on the HP Switch (as you say) and you have a Guest Vlan interface on the HP switch with an IP address from the network 10.10.10.0/24, then traffic (or return traffic) from network 192.168.190.0/24 will never pass through the ASA. The ASA has to see the whole TCP conversation between the devices in different networks, not just the other half.

The simplest solution for the ASA would be to have the HP Switch only act as a L2 switch for the 2 user Vlans and the ASA act as the L3 point for the network. Alternatively you could remove any L3 related operation for the Guest Vlan from the HP Switch and leave the original LAN network 192.168.190.0/24 as it is.

So if possible you could remove the Vlan interface IP address for the Guest Vlan so the only routing device for that Vlan would be the ASA.

- Jouni
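
The point made in the reply above, as a simplified model added here as an example (it is not part of the original thread and not the ASA's own logic): a stateful tracker permits a TCP flow only if it sees both directions of the handshake. It assumes the guest client sends through the firewall while the server's replies are routed directly by the switch's Guest Vlan interface; the packet list is constructed and the class and function names are hypothetical.

```python
# Simplified model of stateful TCP tracking under asymmetric routing.
CLIENT, SERVER = "10.10.10.103", "192.168.190.27"  # addresses from the post

# Constructed handshake plus first data segment: (src, dst, flags)
HANDSHAKE = [
    (CLIENT, SERVER, "SYN"),
    (SERVER, CLIENT, "SYN-ACK"),
    (CLIENT, SERVER, "ACK"),
    (CLIENT, SERVER, "PSH-ACK"),
]


class StatefulFirewall:
    """Tracks one state per flow: SYN_SEEN -> SYNACK_SEEN -> ESTABLISHED."""

    def __init__(self):
        self.conns = {}  # flow key -> (state, initiator address)

    def inspect(self, src, dst, flags):
        key = frozenset((src, dst))
        state = self.conns.get(key)
        if flags == "SYN" and state is None:
            self.conns[key] = ("SYN_SEEN", src)
            return "permit"
        if flags == "SYN-ACK" and state and state[0] == "SYN_SEEN" and dst == state[1]:
            self.conns[key] = ("SYNACK_SEEN", state[1])
            return "permit"
        if "ACK" in flags and state and state[0] in ("SYNACK_SEEN", "ESTABLISHED"):
            self.conns[key] = ("ESTABLISHED", state[1])
            return "permit"
        # Anything that does not fit the tracked handshake is dropped.
        return "drop"


def run(server_replies_bypass_firewall):
    """Replay the handshake; server packets may take a path around the firewall."""
    fw = StatefulFirewall()
    verdicts = []
    for src, dst, flags in HANDSHAKE:
        if src == SERVER and server_replies_bypass_firewall:
            verdicts.append((flags, "not seen"))  # routed by the switch instead
            continue
        verdicts.append((flags, fw.inspect(src, dst, flags)))
    return verdicts


if __name__ == "__main__":
    print("symmetric :", run(False))
    print("asymmetric:", run(True))
```

In the asymmetric run the firewall permits the SYN, never sees the SYN-ACK, and then drops the client's ACK and data because the flow is still half-open from its point of view.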


Hi Jouni,

Thanks a lot, I removed the Vlan interface IP address for the Guest Vlan so the only routing device for that Vlan is the ASA. In the near future I am going to remove the routing altogether on the switch, to let it act only as a layer 2 switch.

Once again thanks

Have a wonderful weekend

/Shane


Hi,

Have you had the chance to try changing the network setup regarding the gateways of the different networks?

- Jouni


Hi,

Sorry about that, but been busy with another issue.

I am going to try changing it today and get back to you.

/Shane
