04-01-2008 07:07 AM - edited 03-05-2019 10:06 PM
I have a VLAN set up in my network of 192.199.1.xxx. I have this complete with a port on my ASA 5501 (192.199.1.254). It seems that I can get communications to the firewall, but the firewall is dropping traffic and not allowing any Internet traffic to pass. Any ideas?
If I have this in the wrong location, please let me know.
Thank you
Shane
04-01-2008 08:22 AM
The ASA needs to have NAT configured (even if you don't want the addresses changed, it still needs NAT configuration; just tell it not to NAT), and access lists if the security level on this interface is lower than where the traffic is going.
Post the ASA config and I should be able to help more if you need it.
This probably belonged in the Security section, but don't worry, we can answer it here.
Regards,
Iain
04-01-2008 08:25 AM
The ASA by default doesn't require NAT to pass traffic (as the PIX did with 6.3 and before).
See the command "nat-control".
Post the output of "show run nat", "show run global" and "show run nat-control".
04-01-2008 11:29 AM
OK, but he said he was accessing the Internet, so he would need NAT.
Posting a copy of the config would be useful here; then we can see what you are trying to achieve.
Regards,
Iain
04-01-2008 11:38 AM
OK, what I am trying to do is have 2 domains, each with its own network, but using the same firewall as their gateway. I thought I had configured this by setting interface 2 up as 192.199.1.254, with my switches taking care of the VLAN. With that being said, the 192.199.1.xxx and the 172.16.xxx.xxx networks will still need to access each other, but only at the file-sharing level.
Shane
04-01-2008 11:44 AM
OK, using the information from this post I found that I do have a NAT group set up of "101" for the interface of my VLAN. This is the command that I used to correct this issue: "nat (mci_domain) 101 0.0.0.0 0.0.0.0". This allowed my test computer to access the Internet as it should. Now for the next issue that I have found: I still need to have access to the 172.16.xxx.xxx network. I have checked my ASA and I am allowing traffic to pass on same security level interfaces.
Shane
04-01-2008 12:14 PM
This might be old school, but try the following to turn off NAT between inside and DMZ.
First, clear out the commands that we do not need:
no global (inside) 101 interface
no global (DMZ) 101 interface
no static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
no static (inside,inside) 10.1.0.0 172.16.0.0 netmask 255.255.0.0
no static (inside,DMZ) 172.16.3.13 172.16.3.13 netmask 255.255.255.255
access-list No-Nat permit ip any 172.16.0.0 255.255.0.0
access-list No-Nat permit ip any 10.10.10.0 255.255.255.0
nat (inside) 0 access-list No-Nat
nat (DMZ) 0 access-list No-Nat
Then do a 'clear xlate' and test again. See how you go and let us know the result.
Regards,
Iain
04-01-2008 01:30 PM
Iain,
If I remove my NAT statements, will that affect traffic that is flowing between the DMZ and the 192.168.0.0 subnet? (Which would mean I'm going to get killed, because this is valid traffic.)
As it stands right now, the only traffic that I cannot pass is traffic from 192.199.xxx.xxx to the 172.16.xxx.xxx domain.
Shane
04-01-2008 02:49 PM
Shane,
I am a little confused. There is no mention of the 192.199.x.x network in the config you posted. Where is this network located? Maybe you are just missing a route statement?
Please clarify.
Regards
Iain
04-02-2008 07:20 AM
The 192.199.x.x network should be ethernet0/2. This should be a different network than ethernet0/1. I do feel like I am missing a routing statement, but if I am allowing traffic to pass on the same security level interfaces, the ASA should take care of that statement, right?
Shane
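Pulling the pieces of this thread together, here is an added example (not Shane's posted config and not written by anyone in the thread) of the pre-8.3 ASA commands that the replies refer to: nat-control, dynamic NAT id 101 for Internet access, NAT exemption ("nat 0 access-list") between the two internal networks, and same-security-traffic for an interface at the same security level as inside. The interface name mci_domain, the NAT id 101 and the subnets 192.199.1.0/24 and 172.16.0.0/16 come from the posts; the outside interface name, the access-list names, the security levels and the choice of TCP 139/445 as "file sharing" are assumptions for the example.

```text
! Assumed: inside = 172.16.0.0/16 at security-level 100, outside = Internet-facing interface.
! The 192.199.1.0/24 network is directly connected on Ethernet0/2, so no static route is needed for it.
interface Ethernet0/2
 nameif mci_domain
 security-level 100
 ip address 192.199.1.254 255.255.255.0

! Two interfaces at the same security level pass no traffic to each other unless this is set.
same-security-traffic permit inter-interface

! With nat-control enabled, every flow to a lower-security interface must match some NAT rule.
nat-control

! Internet access: PAT both internal networks behind the outside interface address (NAT id 101).
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (mci_domain) 101 0.0.0.0 0.0.0.0

! NAT exemption between the two internal networks: addresses are preserved, no xlate is built.
! Exemption takes precedence over the dynamic "nat ... 101" rules above.
access-list NoNat_mci extended permit ip 192.199.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list NoNat_inside extended permit ip 172.16.0.0 255.255.0.0 192.199.1.0 255.255.255.0
nat (mci_domain) 0 access-list NoNat_mci
nat (inside) 0 access-list NoNat_inside

! Limit cross-domain traffic from the VLAN to file sharing only (assumed to mean SMB, TCP 139/445).
! Order matters: the ACL is first-match, so the deny must sit before the catch-all Internet permit.
access-list mci_in extended permit tcp 192.199.1.0 255.255.255.0 172.16.0.0 255.255.0.0 eq 445
access-list mci_in extended permit tcp 192.199.1.0 255.255.255.0 172.16.0.0 255.255.0.0 eq 139
access-list mci_in extended deny ip 192.199.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list mci_in extended permit ip 192.199.1.0 255.255.255.0 any
access-group mci_in in interface mci_domain
```

After changing NAT rules, run "clear xlate" so existing translations are dropped, then check "show xlate" and "show nat". On ASA 7.2 and later, "packet-tracer input mci_domain tcp 192.199.1.10 1025 172.16.3.13 445" shows which NAT rule, route and access-list a test flow hits and where it is dropped. If mci_domain is given a lower security level than inside, the same-security-traffic line is unnecessary but the inbound access-list on mci_domain is required for any flow toward inside; and if an access-group is ever applied inbound on inside, it must likewise permit the file-sharing traffic that inside hosts initiate toward 192.199.1.0/24.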