11-05-2013 04:45 AM - edited 03-11-2019 08:00 PM
I have a problem once again
I am trying to reach a webserver which is located on the inside interface 192.168.190.27 from the Guest Interface which has 10.10.10.0
See the diagram:
I can ping from, for example, 10.10.10.103 (a Windows 7 client) to the server 192.168.190.27, which works without a problem.
Pinging from the server to the client works fine.
But when I try to browse to http://192.168.190.27 or https://192.168.190.27, no luck.
Packet capture from the client
a bunch of RST packets
And here is a pic from the logging in the ASA..
sh run | in Guest
nameif Guest
access-list Guest_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-list Guest_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.190.0 255.255.255.0
mtu Guest 1500
nat (Guest) 0 access-list Guest_nat0_outbound
nat (Guest) 1 10.10.10.0 255.255.255.0
static (inside,Guest) 192.168.190.0 192.168.190.0 netmask 255.255.255.0
static (Guest,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
access-group Guest_access_in in interface Guest
dhcpd address 10.10.10.100-10.10.10.200 Guest
dhcpd dns 192.168.190.91 192.168.190.15 interface Guest
dhcpd enable Guest
Appreciate all your help!
Shane
11-06-2013 04:21 AM
Hi,
That is a clear problem with regards to the operation of the ASA.
If you now have routing activated on the HP Switch (as you say) and you have a Guest Vlan interface on the HP switch with an IP address from the network 10.10.10.0/24, then traffic (or return traffic) from network 192.168.190.0/24 will never pass through the ASA. The ASA has to see the whole TCP conversation between the devices in different networks, not just the other half.
The simplest solution for the ASA would be to have the HP Switch only act as an L2 switch for the 2 user Vlans and the ASA act as the L3 point for the network. Alternatively you could remove any L3 related operation for the Guest Vlan from the HP Switch and leave the original LAN network 192.168.190.0/24 as it is.
So if possible you could remove the Vlan interface IP address for the Guest Vlan so the only routing device for that Vlan would be the ASA.
- Jouni
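An added example, not part of the original thread and not Cisco code: a simplified Python model of the asymmetric path described in the answer above, showing which handshake segments the firewall sees before and after the Guest Vlan IP is removed from the switch. The gateway assignments (guest clients use the ASA, inside hosts use the HP switch), the device names and the three-step state check are assumptions for illustration, not the ASA's actual inspection logic.

```python
import ipaddress

GUEST = ipaddress.ip_network("10.10.10.0/24")
INSIDE = ipaddress.ip_network("192.168.190.0/24")

def routers_on_path(src, dst, gateways, connected, default_route):
    """List the routing devices a packet from src to dst passes through."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_net = next(net for net in gateways if src in net)
    if dst in src_net:
        return []                      # same subnet: no router involved
    hop, path = gateways[src_net], []
    while hop not in path:             # stop on a routing loop
        path.append(hop)
        if any(dst in net for net in connected[hop]):
            break                      # this router delivers directly
        hop = default_route[hop]
    return path

def handshake_seen_by(fw, client, server, gateways, connected, default_route):
    """Replay a TCP three-way handshake and return the firewall's verdicts."""
    segments = [("SYN", client, server), ("SYN-ACK", server, client),
                ("ACK", client, server)]
    expected = {"SYN": None, "SYN-ACK": "SYN", "ACK": "SYN-ACK"}
    last, verdicts = None, []
    for flag, src, dst in segments:
        if fw not in routers_on_path(src, dst, gateways, connected, default_route):
            verdicts.append((flag, "bypassed"))   # firewall never sees it
        elif expected[flag] == last:
            verdicts.append((flag, "permit"))
            last = flag
        else:
            verdicts.append((flag, "deny: no matching connection state"))
    return verdicts

# Assumed gateways: guest clients use the ASA, inside hosts use the HP switch.
GATEWAYS = {GUEST: "ASA", INSIDE: "HP-switch"}
DEFAULT_ROUTE = {"ASA": "HP-switch", "HP-switch": "ASA"}
BEFORE = {"ASA": [GUEST, INSIDE], "HP-switch": [INSIDE, GUEST]}  # switch has a Guest Vlan IP
AFTER = {"ASA": [GUEST, INSIDE], "HP-switch": [INSIDE]}          # Guest Vlan IP removed

if __name__ == "__main__":
    for name, connected in (("before", BEFORE), ("after", AFTER)):
        print(name, handshake_seen_by("ASA", "10.10.10.103", "192.168.190.27",
                                      GATEWAYS, connected, DEFAULT_ROUTE))
```
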
11-21-2013 12:52 PM
Hi Jouni,
Thanks a lot, I removed the Vlan interface IP address for the Guest Vlan so the only routing device for that Vlan is the ASA. In the near future I am going to remove the routing altogether on the switch, to let it act only as a layer 2 switch.
Once again thanks
Have a wonderful weekend
/Shane
11-08-2013 12:09 PM
Hi,
Have you had the chance to try changing the network setup regarding the gateways of the different networks?
- Jouni
11-10-2013 11:02 PM
Hi,
Sorry about that, but I have been busy with another issue.
I am going to try changing it today and get back to you.
/Shane