RudiR

asked on

Vlan access to internal network.

Hello.

Not long ago I asked a question here about a problem I had with an incoming trunk of 2 vlans and how to best incorporate them into my network.

The solution I went for was the following.

The incoming cable with the 2 vlans went into port2 inside the ASA.
Port2 in the ASA was configured with 2 virtual interfaces "192.168.10.1" and "192.168.11.1".
I tagged the port in the switch that connects to the "inside" interface in the firewall with vlan "10" and "11".

I enabled DHCP relay on both virtual interfaces with a redirect to the inside interface and the dhcp server there.
I created 2 new scopes on the dhcp server "192.168.10.100-150" and "192.168.11.100-150"
Both scopes use the respective virtual interface for GW and the standard DNS for name resolution, which resides on the 192.168.1.xxx network.

When I tested the new connection today I was glad to see that the clients on the "vlan 10" pick addresses from the correct pool.

But I get loads of errors in the log complaining about translation groups and portmap creation errors.

What I would like is to have both vlans with full access to the internal network and also the internal network to be able to access both vlans.

It should be pretty straightforward for someone with more knowledge about Cisco firewalls. It sounds like there should be a NAT rule in place, but I am clueless on how to configure it.

Regards.
*From the remote vlan site 10*
305005	192.168.1.230 No translation group found for icmp src WAN_Lillestrom:192.168.10.101 dst Inside:192.168.1.230 (type 8, code 0)
305005	192.168.1.10  No translation group found for udp src WAN_Lillestrom:192.168.10.101/58350 dst Inside:192.168.1.10/53
305005	192.168.1.230 No translation group found for tcp src WAN_Lillestrom:192.168.10.101/49162 dst Inside:192.168.1.230/445
 
*From the internal network to the remote site Vlan 10*
305006	192.168.10.100	portmap translation creation failed for icmp src Inside:192.168.1.98 dst WAN_Lillestrom:192.168.10.100 (type 8, code 0)
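
The log lines quoted above can be reduced to the exact interface and network pairs that lack a translation, which is the list any NAT rule has to cover and no more. This is an added example, not part of the original post: the function name `missing_translations` is hypothetical, the sample text is the four messages from the post, and the /24 prefix length is an assumption because the post does not state the masks.

```python
import re
from collections import Counter
from ipaddress import ip_interface

# Sample input: the four messages quoted in the post, tab separated as posted.
SAMPLE = """\
305005\t192.168.1.230 No translation group found for icmp src WAN_Lillestrom:192.168.10.101 dst Inside:192.168.1.230 (type 8, code 0)
305005\t192.168.1.10  No translation group found for udp src WAN_Lillestrom:192.168.10.101/58350 dst Inside:192.168.1.10/53
305005\t192.168.1.230 No translation group found for tcp src WAN_Lillestrom:192.168.10.101/49162 dst Inside:192.168.1.230/445
305006\t192.168.10.100\tportmap translation creation failed for icmp src Inside:192.168.1.98 dst WAN_Lillestrom:192.168.10.100 (type 8, code 0)
"""

# Message ID, a leading address column, the message text, then src/dst as
# interface:address with an optional /port for tcp and udp.
FLOW = re.compile(
    r"^(?P<id>30500[56])\s+\S+\s+"
    r"(?:No translation group found|portmap translation creation failed)"
    r" for (?P<proto>\w+) src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)(?:/\d+)?"
    r" dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)(?:/\d+)?"
)


def missing_translations(log_text, prefix_len=24):
    """Count failed flows per (msg id, src if, src net, dst if, dst net).

    prefix_len is an assumption; set it to the real interface masks.
    """
    pairs = Counter()
    for line in log_text.splitlines():
        m = FLOW.match(line.strip())
        if not m:
            continue  # ignore anything that is not a 305005/305006 flow line
        src = ip_interface(f"{m['sip']}/{prefix_len}").network
        dst = ip_interface(f"{m['dip']}/{prefix_len}").network
        pairs[(m["id"], m["sif"], str(src), m["dif"], str(dst))] += 1
    return pairs


if __name__ == "__main__":
    for (msg_id, sif, snet, dif, dnet), n in missing_translations(SAMPLE).items():
        print(f"{msg_id}: {sif} {snet} -> {dif} {dnet} ({n} flows)")
```
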

ASKER CERTIFIED SOLUTION
RudiR
