Vlan access to internal network.

Posted on 2009-02-12
Last Modified: 2012-05-06

Not long ago I asked a question here about a problem I had with an incoming trunk of 2 VLANs and how to best incorporate them into my network.

The solution I went for was the following.

The incoming cable with the 2 VLANs went into port 2 in the ASA.
Port 2 in the ASA was configured with 2 virtual interfaces "" and "".
I tagged the port in the switch that connects to the "inside" interface in the firewall with VLANs "10" and "11".

I enabled DHCP relay on both virtual interfaces with a redirect to the inside interface and the DHCP server there.
I created 2 new scopes on the DHCP server "" and "".
Both scopes use the respective virtual interface as GW and the standard DNS for name resolution, which resides on the network.

When I tested the new connection today I was glad to see that the clients on "vlan 10" pick addresses from the correct pool.

But I get loads of errors in the log complaining about translation groups and portmap creation errors.

What I would like is to have both VLANs with full access to the internal network and also the internal network able to access both VLANs.

It should be pretty straightforward for someone with more knowledge about Cisco firewalls; it sounds like there should be a NAT rule in place, but I am clueless on how to configure it.

*From the remote vlan site 10*

305005 No translation group found for icmp src WAN_Lillestrom: dst Inside: (type 8, code 0)

305005  No translation group found for udp src WAN_Lillestrom: dst Inside:

305005 No translation group found for tcp src WAN_Lillestrom: dst Inside:


*From the internal network to the remote site Vlan 10*

305006	portmap translation creation failed for icmp src Inside: dst WAN_Lillestrom: (type 8, code 0)


Question by:RudiR
    1 Comment

    Accepted Solution

    I found the solution myself...

    I added 4 exempt NAT rules to the config.

    Internal exempt to both VLANs.
    VLAN exempt to the internal network.

    And I also added a dynamic translation to the Outside interface for each VLAN.

    After that I could reach the remote office (only one connected today) and the remote office could reach the main network.

    First I had problems getting out on the internet from the remote office, but after adding the dynamic translation I got out right away.

    So I think I have solved it by myself, but if I have missed something please point it out for me.

    I will leave the question open for a while until I have concluded this solution as 100% working.
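What the accepted solution describes, written out as an added example in pre-8.3 ASA syntax (the syntax in use when this thread was posted); this is not the poster's configuration. The interface names Inside and WAN_Lillestrom are taken from the log messages; the physical port, the second VLAN's name, all IP addresses and the DHCP server address are constructed placeholders.

```cisco
! Added example (not the poster's config). Subinterfaces on the trunk port:
! one per incoming VLAN. Addresses and the second VLAN name are placeholders.
interface GigabitEthernet0/1.10
 vlan 10
 nameif WAN_Lillestrom
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.11
 vlan 11
 nameif WAN_Site11
 security-level 50
 ip address 10.10.11.1 255.255.255.0
!
! DHCP relay: VLAN clients get leases from the server behind Inside, and
! setroute hands them the subinterface address as their default gateway.
dhcprelay server 192.168.1.10 Inside
dhcprelay enable WAN_Lillestrom
dhcprelay enable WAN_Site11
dhcprelay setroute WAN_Lillestrom
dhcprelay setroute WAN_Site11
!
! NAT exemption (nat 0 with an ACL) in each direction. With nat-control on,
! the missing exemption is what produces the 305005 "No translation group
! found" and 305006 "portmap translation creation failed" messages.
access-list INSIDE_NAT0 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list INSIDE_NAT0 extended permit ip 192.168.1.0 255.255.255.0 10.10.11.0 255.255.255.0
nat (Inside) 0 access-list INSIDE_NAT0
access-list LILLESTROM_NAT0 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (WAN_Lillestrom) 0 access-list LILLESTROM_NAT0
access-list SITE11_NAT0 extended permit ip 10.10.11.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (WAN_Site11) 0 access-list SITE11_NAT0
!
! Dynamic PAT per VLAN out to the Internet: the "dynamic translation to the
! Outside interface" from the accepted solution.
nat (WAN_Lillestrom) 1 10.10.10.0 255.255.255.0
nat (WAN_Site11) 1 10.10.11.0 255.255.255.0
global (Outside) 1 interface
!
! Caveat: nat 0 only fixes translation. The VLAN interfaces sit at a lower
! security level than Inside, so traffic from them into Inside still needs an
! inbound ACL; restrict it to the hosts and ports the remote offices need
! rather than the blanket permit shown here.
access-list LILLESTROM_IN extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group LILLESTROM_IN in interface WAN_Lillestrom
```

Because nat 0 with an access list is bidirectional, the per-VLAN exemptions duplicate the Inside one; they are kept here only to mirror the four rules the poster added.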

