Vlan access to internal network.


Not long ago i asked a question here about a problem i had with an incomming trunk of 2 vlans and how to best incorparate them into my network

The Solution i went for was the following.

The incomming cable with the 2 vlans went into port2 inside the ASA.
Port2 in the ASA was configured with 2 virtual interfaces "" and ""
I tagged the port in the switch that connects to the "inside" interface in the firewall with vlan "10" and "11"

I enabled DHCP relay on both virtual interfaces with a redirect to the inside interface and the dhcp server there.
I created 2 new scopes on the dhcp server "" and ""
Both scopes uses the respective virtual interface for GW and the standard DNS for name resolution which reside on the 192.168.1.xxx network.

When i tested the new connection today i was glad to see that the clients on the "vlan 10" picks addresses from the correct pool.

But i get loads of errors in the log complaining over translation groups and portmap creation errors.

What i would like is to have both vlan's with full access to the internal network and also the internal network to be able to access both vlan's.

It should be pretty straight forward for someone with more knowledge about cisco firewalls, it sounds like there should be a NAT rule in place but i am clueless on how to configure it.

*From the remote vlan site 10*
305005 No translation group found for icmp src WAN_Lillestrom: dst Inside: (type 8, code 0)
305005  No translation group found for udp src WAN_Lillestrom: dst Inside:
305005 No translation group found for tcp src WAN_Lillestrom: dst Inside:
*From the internal network to the remote site Vlan 10*
305006	portmap translation creation failed for icmp src Inside: dst WAN_Lillestrom: (type 8, code 0)

Open in new window

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

RudiRAuthor Commented:
I found the solution myself...

I added 4 exempt nat rules to the config.

Internal Exempt to both Vlans
Vlan exempt to the internal network.

And i also added a Dynamic translation to the Outside interface for each vlan.

After that i could reach the remote office (only one connected today) and the remote office could reach the main network.

First i had problems getting out on the internet from the remote office but after adding the dynamic translation i got out right away.

So i think i have solved it by myself, but if i have missed something please point it out for me.

i will leave the question open for a while until i have concluded this solution as 100% working.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.