• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 707
  • Last Modified:

Vlan access to internal network.

Hello.

Not long ago i asked a question here about a problem i had with an incomming trunk of 2 vlans and how to best incorparate them into my network

The Solution i went for was the following.

The incomming cable with the 2 vlans went into port2 inside the ASA.
Port2 in the ASA was configured with 2 virtual interfaces "192.168.10.1" and "192.168.11.1"
I tagged the port in the switch that connects to the "inside" interface in the firewall with vlan "10" and "11"

I enabled DHCP relay on both virtual interfaces with a redirect to the inside interface and the dhcp server there.
I created 2 new scopes on the dhcp server "192.168.10.100-150" and "192.168.11.100-150"
Both scopes uses the respective virtual interface for GW and the standard DNS for name resolution which reside on the 192.168.1.xxx network.

When i tested the new connection today i was glad to see that the clients on the "vlan 10" picks addresses from the correct pool.

But i get loads of errors in the log complaining over translation groups and portmap creation errors.

What i would like is to have both vlan's with full access to the internal network and also the internal network to be able to access both vlan's.

It should be pretty straight forward for someone with more knowledge about cisco firewalls, it sounds like there should be a NAT rule in place but i am clueless on how to configure it.

Regards.
*From the remote vlan site 10*
305005	192.168.1.230 No translation group found for icmp src WAN_Lillestrom:192.168.10.101 dst Inside:192.168.1.230 (type 8, code 0)
305005	192.168.1.10  No translation group found for udp src WAN_Lillestrom:192.168.10.101/58350 dst Inside:192.168.1.10/53
305005	192.168.1.230 No translation group found for tcp src WAN_Lillestrom:192.168.10.101/49162 dst Inside:192.168.1.230/445
 
*From the internal network to the remote site Vlan 10*
305006	192.168.10.100	portmap translation creation failed for icmp src Inside:192.168.1.98 dst WAN_Lillestrom:192.168.10.100 (type 8, code 0)

Open in new window

0
RudiR
Asked:
RudiR
1 Solution
 
RudiRAuthor Commented:
I found the solution myself...

I added 4 exempt nat rules to the config.

Internal Exempt to both Vlans
Vlan exempt to the internal network.

And i also added a Dynamic translation to the Outside interface for each vlan.

After that i could reach the remote office (only one connected today) and the remote office could reach the main network.

First i had problems getting out on the internet from the remote office but after adding the dynamic translation i got out right away.

So i think i have solved it by myself, but if i have missed something please point it out for me.

i will leave the question open for a while until i have concluded this solution as 100% working.

Regards
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now