Vlan to Vlan communication

john.irizarry

Hello all,

I have created 3 vlans on my ASA 5505,

5, 10, 15, and 20

They are on Interface 0/4 and trunked to a switch port which is also configured as a trunk. All works great....EXCEPT

I have a printer on VLAN 20 (192.168.20.15) that folks on VLAN 5 and 15 need to print to. I have the vlans on the same security level and configured same-security-traffic-permit.

I am missing something very elementary, I'm sure. Can someone please provide the key to this puzzle?

Thanks!

John

40 Replies

Ok, will do. Thanks!

OK, so here is what I found:

3 Sep 20 2009 21:25:45 305005 192.168.1.251 No translation group found for icmp src outside:192.168.30.51 dst inside:192.168.1.251 (type 8, code 0)

3 Sep 20 2009 21:27:46 305005 192.168.1.252 No translation group found for icmp src outside:192.168.30.51 dst inside:192.168.1.252 (type 8, code 0)

It says a packet does not match any of the outbound nat command rules.

In this scenario, I was VPNed in trying to access a switch on vlan1 (192.168.1.251)

When I ping the other vlans (5, 15, and 20), nothing shows up in the log and the request times out.

Disregard last message. I fixed that problem. I can now access vlan1 (192.168.1.0) via VPN. However, I still cannot access the other vlans (5, 15, and 20).

I triple checked everything.

I attached my config again if you have time to look it over.

Thanks

What does the logging show when you try and access those vlans from the vpn client?

Do those vlans know that the 192.168.30.0 network is available through the ASA?

That's just it. Nothing shows up in the logs. For example, when I ping or telnet or RDP to any of the vlans, the log shows nothing. Except of course vlan 1.

OK - that is strange, let's look elsewhere. What about the logging for the vpn client? What do those logs show?

I will enable the VPN log and check. I did notice that the Secured Routes displayed in the VPN statistics window shows only the native vlan, 192.168.1.0, and nothing in the local LAN routes pane. In the Tunnel Details it shows that Local LAN is disabled. Should that not be Enabled?

OK - that is a show stopper, if the remote network subnets are NOT in the encrypted subnets pane (on the right) then any traffic destined for those subnets will NOT be encrypted.

OK - I see the issue, in the last config you posted you have:-

group-policy KWRE attributes

vpn-tunnel-protocol IPSec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value KWRE_Split_Tunnel

BUT KWRE_Split_Tunnel only has

access-list KWRE_Split_Tunnel standard permit 192.168.1.0 255.255.255.0

So you need to change:-

from

split-tunnel-network-list value KWRE_Split_Tunnel

to

split-tunnel-network-list value KWRE_splitTunnelAcl

And it will work, my fault when reviewing the config.

It works!!! Thank you Thank You Thank You!! My eyes just did not see it! Wow! So simple. I will be more careful next time. Thanks again for all your patience and support.

np - glad to help.
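
The split-tunnel mismatch found in the thread above can be checked mechanically. The following is an added example, not code from any poster or from Cisco: it resolves which standard ACL a group-policy uses for split tunnelling and reports required subnets that ACL does not cover. The sample config is constructed; the VLAN 5/15/20 subnets and the entries of KWRE_splitTunnelAcl are assumptions, since the thread does not show them.

```python
import ipaddress
import re

# Constructed sample, not the poster's real config. The VLAN 5/15/20 subnets
# and the entries of KWRE_splitTunnelAcl are assumptions for illustration.
SAMPLE_CONFIG = """\
access-list KWRE_Split_Tunnel standard permit 192.168.1.0 255.255.255.0
access-list KWRE_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list KWRE_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list KWRE_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0
access-list KWRE_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
group-policy KWRE attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value KWRE_Split_Tunnel
"""
FIXED_CONFIG = SAMPLE_CONFIG.replace("value KWRE_Split_Tunnel", "value KWRE_splitTunnelAcl")
REQUIRED = ["192.168.1.0/24", "192.168.5.0/24", "192.168.15.0/24", "192.168.20.0/24"]

def parse_standard_acls(config):
    """Map ACL name -> networks permitted by 'standard permit' entries."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "access-list" or parts[2:4] != ["standard", "permit"]:
            continue  # the 'any' form and extended ACLs are out of scope here
        ip, mask = parts[4], parts[5]
        if ip == "host":  # 'permit host A.B.C.D' is a /32
            ip, mask = mask, "255.255.255.255"
        acls.setdefault(parts[1], []).append(ipaddress.ip_network(f"{ip}/{mask}"))
    return acls

def split_tunnel_acl(config, policy):
    """Return the ACL name the group-policy uses for split tunnelling, or None."""
    in_policy = False
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line starts or ends a section
            in_policy = line.split() == ["group-policy", policy, "attributes"]
        elif in_policy and (m := re.match(r"\s+split-tunnel-network-list value (\S+)", line)):
            return m.group(1)
    return None

def untunnelled(config, policy, required):
    """Required subnets that the policy's split-tunnel ACL does not cover."""
    nets = parse_standard_acls(config).get(split_tunnel_acl(config, policy), [])
    return [r for r in required
            if not any(ipaddress.ip_network(r).subnet_of(n) for n in nets)]

if __name__ == "__main__":
    print(untunnelled(SAMPLE_CONFIG, "KWRE", REQUIRED), untunnelled(FIXED_CONFIG, "KWRE", REQUIRED))
```

Any subnet this reports is absent from the client's secured routes, so traffic to it never enters the tunnel and the ASA logs nothing for it, which matches the symptom described in the thread.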
