Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 702
  • Last Modified:

Vlan access to internal network.


Not long ago i asked a question here about a problem i had with an incomming trunk of 2 vlans and how to best incorparate them into my network

The Solution i went for was the following.

The incomming cable with the 2 vlans went into port2 inside the ASA.
Port2 in the ASA was configured with 2 virtual interfaces "" and ""
I tagged the port in the switch that connects to the "inside" interface in the firewall with vlan "10" and "11"

I enabled DHCP relay on both virtual interfaces with a redirect to the inside interface and the dhcp server there.
I created 2 new scopes on the dhcp server "" and ""
Both scopes uses the respective virtual interface for GW and the standard DNS for name resolution which reside on the 192.168.1.xxx network.

When i tested the new connection today i was glad to see that the clients on the "vlan 10" picks addresses from the correct pool.

But i get loads of errors in the log complaining over translation groups and portmap creation errors.

What i would like is to have both vlan's with full access to the internal network and also the internal network to be able to access both vlan's.

It should be pretty straight forward for someone with more knowledge about cisco firewalls, it sounds like there should be a NAT rule in place but i am clueless on how to configure it.

*From the remote vlan site 10*
305005 No translation group found for icmp src WAN_Lillestrom: dst Inside: (type 8, code 0)
305005  No translation group found for udp src WAN_Lillestrom: dst Inside:
305005 No translation group found for tcp src WAN_Lillestrom: dst Inside:
*From the internal network to the remote site Vlan 10*
305006	portmap translation creation failed for icmp src Inside: dst WAN_Lillestrom: (type 8, code 0)

Open in new window

1 Solution
RudiRAuthor Commented:
I found the solution myself...

I added 4 exempt nat rules to the config.

Internal Exempt to both Vlans
Vlan exempt to the internal network.

And i also added a Dynamic translation to the Outside interface for each vlan.

After that i could reach the remote office (only one connected today) and the remote office could reach the main network.

First i had problems getting out on the internet from the remote office but after adding the dynamic translation i got out right away.

So i think i have solved it by myself, but if i have missed something please point it out for me.

i will leave the question open for a while until i have concluded this solution as 100% working.


Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now