ASA Sub-IF Routing

I have two domains separated by VLAN at my datacenter. They are connected to the same switch and use our ASA as endpoint for internet. One is on the Native Hardware assigned interface; the other is on the same interface but is a logical Sub.

Mail is on the native VLAN and I cannot reach the external NAT of the Mail server from the Sub-IF domain. I get a timeout. My colleague suggested it is a security context issue. I am not sure how to go about correcting so the mail server's NAT responds to inquiries from the Sub-IF.

Thanks
ICSLogistics asked:

Pete Long (Technical Consultant) commented:
Post the interface config from the ASA
Post a show NAT (redact any public IP addresses)

Post the config from the switch interface that's connected to the ASA

ICSLogistics (Author) commented:
Let me know if this covers everything.

1. Post the interface config from the ASA
interface Ethernet0/2
 speed 100
 duplex full
 nameif Inside
 security-level 100
 ip address 10.0.0.4 255.255.255.0 standby 10.0.0.5
!
interface Ethernet0/2.3
 vlan 140
 nameif SSC
 security-level 90
 ip address 10.0.140.4 255.255.255.0

2.
Manual NAT Policies (Section 1)
1 (dmz) to (Outside) source static obj-192.168.200.101 obj-192.168.200.101   des
tination static obj-JADE-143.96.0.0 obj-JADE-143.96.0.0
    translate_hits = 59260, untranslate_hits = 36730
2 (Inside) to (Outside) source static DM_INLINE_NETWORK_21 DM_INLINE_NETWORK_21
  destination static 10.99.42.0 10.99.42.0
    translate_hits = 969354, untranslate_hits = 851924
3 (Inside) to (Outside) source static obj-10.0.0.0 obj-10.0.0.0   destination st
atic obj-10.99.104.0 obj-10.99.104.0
    translate_hits = 0, untranslate_hits = 0
4 (Inside) to (Outside) source static obj-10.0.2.0 obj-10.0.2.0   destination st
atic obj-10.0.253.8 obj-10.0.253.8
    translate_hits = 35, untranslate_hits = 4633
5 (Inside) to (Outside) source static obj-10.0.0.0-01 obj-10.0.0.0-01   destinat
ion static obj-10.0.253.8 obj-10.0.253.8
    translate_hits = 9008, untranslate_hits = 183454
6 (Inside) to (Outside) source static obj-10.0.10.0 obj-10.0.10.0   destination
static obj-10.0.253.8 obj-10.0.253.8
    translate_hits = 0, untranslate_hits = 0
7 (Inside) to (Outside) source static obj-10.0.10.0 obj-10.0.10.0   destination
static obj-10.0.253.0 obj-10.0.253.0
    translate_hits = 0, untranslate_hits = 0
8 (Inside) to (Outside) source static obj-10.0.0.0-01 obj-10.0.0.0-01   destinat
ion static obj-10.0.253.0 obj-10.0.253.0
    translate_hits = 0, untranslate_hits = 0
9 (Inside) to (Outside) source static obj-10.0.2.0 obj-10.0.2.0   destination st
atic obj-10.0.253.0 obj-10.0.253.0
    translate_hits = 0, untranslate_hits = 0
10 (Inside) to (Outside) source static DM_INLINE_NETWORK_22 DM_INLINE_NETWORK_22
   destination static obj-10.99.101.0 obj-10.99.101.0
    translate_hits = 4741967, untranslate_hits = 2556536
11 (Inside) to (Outside) source static DM_INLINE_NETWORK_23 DM_INLINE_NETWORK_23
   destination static obj-10.99.101.0 obj-10.99.101.0
    translate_hits = 0, untranslate_hits = 0
12 (Inside) to (Outside) source static DM_INLINE_NETWORK_24 DM_INLINE_NETWORK_24
   destination static obj-10.99.102.0 obj-10.99.102.0
    translate_hits = 3175727, untranslate_hits = 1560228
13 (Inside) to (Outside) source static DM_INLINE_NETWORK_25 DM_INLINE_NETWORK_25
   destination static obj-10.99.105.0 obj-10.99.105.0
    translate_hits = 302785, untranslate_hits = 60229
14 (Inside) to (Outside) source static DM_INLINE_NETWORK_26 DM_INLINE_NETWORK_26
   destination static obj-10.99.103.0 obj-10.99.103.0
    translate_hits = 1389178, untranslate_hits = 504567
15 (Inside) to (Outside) source static DM_INLINE_NETWORK_27 DM_INLINE_NETWORK_27
   destination static obj-10.99.106.0 obj-10.99.106.0
    translate_hits = 1660303, untranslate_hits = 2157854
16 (Inside) to (Outside) source static obj-10.0.0.0 obj-10.0.0.0   destination s
tatic obj-10.99.40.0 obj-10.99.40.0
    translate_hits = 2354888, untranslate_hits = 6824618
17 (Inside) to (Outside) source static obj-10.99.104.0 obj-10.99.104.0   destina
tion static obj-10.99.40.0 obj-10.99.40.0
    translate_hits = 224576, untranslate_hits = 127785
18 (Inside) to (Outside) source static obj-10.99.104.0 obj-10.99.104.0   destina
tion static obj-10.99.101.0 obj-10.99.101.0
    translate_hits = 0, untranslate_hits = 0
19 (Inside) to (Outside) source static obj-10.99.104.0 obj-10.99.104.0   destina
tion static obj-10.99.102.0 obj-10.99.102.0
    translate_hits = 0, untranslate_hits = 0
20 (Inside) to (Outside) source static obj-10.99.104.0 obj-10.99.104.0   destina
tion static obj-10.99.103.0 obj-10.99.103.0
    translate_hits = 0, untranslate_hits = 0
21 (Inside) to (Outside) source static obj-10.99.104.0 obj-10.99.104.0   destina
tion static obj-10.99.104.0 obj-10.99.104.0
    translate_hits = 0, untranslate_hits = 0
22 (Inside) to (Outside) source static obj-10.99.104.0 obj-10.99.104.0   destina
tion static obj-10.99.105.0 obj-10.99.105.0
    translate_hits = 0, untranslate_hits = 0
23 (Inside) to (Outside) source static obj-10.99.104.0 obj-10.99.104.0   destina
tion static obj-10.99.106.0 obj-10.99.106.0
    translate_hits = 0, untranslate_hits = 0
24 (Inside) to (Outside) source static ABCMail_Inside ABCMail_Inside   destinati
on static ABCMail_Outside ABCMail_Outside
    translate_hits = 0, untranslate_hits = 0
25 (Outside) to (Inside) source static TS_Gateway_Outside TS_Gateway_Outside   d
estination static TS_Gateway_Inside TS_Gateway_Inside
    translate_hits = 0, untranslate_hits = 0
26 (Inside) to (Outside) source static any any   destination static NETWORK_OBJ_
10.0.253.8_29 NETWORK_OBJ_10.0.253.8_29 no-proxy-arp route-lookup
    translate_hits = 357, untranslate_hits = 110296
27 (Inside) to (Outside) source static DM_INLINE_NETWORK_30 DM_INLINE_NETWORK_30
   destination static 10.99.41.0 10.99.41.0
    translate_hits = 4080795, untranslate_hits = 1713119
28 (Inside) to (Outside) source static DM_INLINE_NETWORK_34 DM_INLINE_NETWORK_34
   destination static 10.99.10.0 10.99.10.0
    translate_hits = 0, untranslate_hits = 0
29 (Inside) to (Outside) source static DM_INLINE_NETWORK_36 DM_INLINE_NETWORK_36
   destination static 10.0.151.0 10.0.151.0
    translate_hits = 61722, untranslate_hits = 0
30 (Inside) to (Outside) source static DM_INLINE_NETWORK_37 DM_INLINE_NETWORK_37
   destination static 10.99.43.0 10.99.43.0
    translate_hits = 11303, untranslate_hits = 0
31 (Inside) to (Outside) source static DM_INLINE_NETWORK_33 DM_INLINE_NETWORK_33
   destination static 10.99.44.0 10.99.44.0
    translate_hits = 2194240, untranslate_hits = 1851691
32 (Inside) to (Outside) source static DM_INLINE_NETWORK_38 DM_INLINE_NETWORK_38
   destination static 172.17.0.0 172.17.0.0
    translate_hits = 248, untranslate_hits = 0
33 (Inside) to (Outside) source static DM_INLINE_NETWORK_44 DM_INLINE_NETWORK_44
   destination static obj-10.99.40.0 obj-10.99.40.0
    translate_hits = 0, untranslate_hits = 0
34 (Inside) to (Outside) source static obj-10.0.0.0 obj-10.0.0.0   destination s
tatic 172.20.20.0 172.20.20.0
    translate_hits = 35159, untranslate_hits = 22784
35 (Inside) to (Outside) source static obj-10.0.0.0 obj-10.0.0.0   destination s
tatic 172.20.19.0 172.20.19.0
    translate_hits = 21319, untranslate_hits = 33648

Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source static obj-10.0.0.3 1.1.1.69
    translate_hits = 58123, untranslate_hits = 358581
2 (Inside) to (UPM) source static obj-10.0.0.3-01 2.2.2.225
    translate_hits = 26112, untranslate_hits = 13715
3 (Inside) to (Outside) source static obj-10.0.0.13 1.1.1.76
    translate_hits = 46326, untranslate_hits = 61245
4 (Inside) to (Outside) source static obj-10.0.0.14 1.1.1.83
    translate_hits = 1591, untranslate_hits = 59918
5 (any) to (any) source static ABCMail_Inside ABCMail_Outside
    translate_hits = 55207, untranslate_hits = 8095321
6 (Inside) to (Outside) source static obj-10.0.0.26 1.1.1.86
    translate_hits = 0, untranslate_hits = 5154329
7 (Inside) to (Outside) source static obj-10.0.0.27 1.1.1.84
    translate_hits = 2472, untranslate_hits = 56588
8 (any) to (any) source static ABCSSVFC 1.1.1.120
    translate_hits = 53954, untranslate_hits = 571907
9 (Inside) to (Outside) source static obj-10.0.0.30 1.1.1.82
    translate_hits = 55377, untranslate_hits = 72058
10 (any) to (any) source static obj-10.0.0.37 1.1.1.77
    translate_hits = 19179, untranslate_hits = 59706
11 (Inside) to (Outside) source static ABCSINTRA 1.1.1.100
    translate_hits = 0, untranslate_hits = 55968
12 (Inside) to (Outside) source static obj-10.0.0.101 1.1.1.75
    translate_hits = 62761, untranslate_hits = 694872
13 (any) to (any) source static CMSTS 1.1.1.99
    translate_hits = 225953, untranslate_hits = 648932
14 (Inside) to (UPM) source static Citrix2_UPM 2.2.2.226
    translate_hits = 36805, untranslate_hits = 1765
15 (Inside) to (UPM) source static Citrix3_UPM 2.2.2.227
    translate_hits = 5857, untranslate_hits = 368
16 (any) to (any) source static TS_Gateway_Inside 1.1.1.122
    translate_hits = 89762, untranslate_hits = 705554
17 (Inside) to (Outside) source static obj-10.0.0.252 1.1.1.68
    translate_hits = 5483842, untranslate_hits = 2750280
18 (Inside) to (Outside) source static obj-10.0.1.207 1.1.1.73
    translate_hits = 2481, untranslate_hits = 56310
19 (Inside) to (Outside) source static obj-10.0.1.209 1.1.1.87
    translate_hits = 2450, untranslate_hits = 59365
20 (Inside) to (Outside) source static obj-10.0.1.211 1.1.1.78
    translate_hits = 0, untranslate_hits = 55559
21 (any) to (any) source static Patriot-TS 1.1.1.125
    translate_hits = 0, untranslate_hits = 54137
22 (Inside) to (Outside) source static obj-10.0.2.26 1.1.1.74
    translate_hits = 0, untranslate_hits = 53443
23 (Inside) to (UPM) source static obj-10.0.2.52 2.2.2.228
    translate_hits = 0, untranslate_hits = 0
24 (Inside) to (UPM) source static obj-10.0.2.62 2.2.2.229
    translate_hits = 0, untranslate_hits = 0
25 (Inside) to (Outside) source static obj-10.0.2.67 1.1.1.95
    translate_hits = 0, untranslate_hits = 54541
26 (Inside) to (Outside) source static obj-10.0.5.23 1.1.1.90
    translate_hits = 0, untranslate_hits = 55490
27 (Inside) to (UPM) source static obj-10.0.6.5 2.2.2.230
    translate_hits = 0, untranslate_hits = 7
28 (Inside) to (UPM) source static obj-10.0.6.7 2.2.2.231
    translate_hits = 48, untranslate_hits = 8811
29 (Inside) to (UPM) source static obj-10.0.6.15 2.2.2.232
    translate_hits = 0, untranslate_hits = 0
30 (any) to (any) source static 10.0.140.6 1.1.1.117
    translate_hits = 7378, untranslate_hits = 42483
31 (Inside) to (Outside) source static obj-10.99.104.50 1.1.1.94
    translate_hits = 2480, untranslate_hits = 55725
32 (Outside) to (Inside) source static 192.168.200.60 1.1.1.79
    translate_hits = 0, untranslate_hits = 0
33 (dmz) to (Outside) source static 192.168.200.91 1.1.1.89
    translate_hits = 28576, untranslate_hits = 181428
34 (dmz) to (Outside) source static obj-192.168.200.101 1.1.1.96
    translate_hits = 8666, untranslate_hits = 54538
35 (dmz) to (Outside) source static obj-192.168.200.102 1.1.1.102
    translate_hits = 2508, untranslate_hits = 64974
36 (dmz) to (Outside) source static obj-192.168.200.103 1.1.1.103
    translate_hits = 0, untranslate_hits = 53453
37 (dmz) to (Outside) source static obj-192.168.200.104 1.1.1.104
    translate_hits = 0, untranslate_hits = 249459
38 (dmz) to (Outside) source static obj-192.168.200.105 1.1.1.105
    translate_hits = 0, untranslate_hits = 122932
39 (SSC) to (Outside) source dynamic 10.0.140.0 1.1.1.118
    translate_hits = 3810, untranslate_hits = 147
40 (Inside) to (Outside) source dynamic obj_any interface
    translate_hits = 62712504, untranslate_hits = 9620785

3.
interface ethernet 1/g12
no negotiation
switchport mode general
switchport general allowed vlan add 30,140 tagged
exit

Pete Long (Technical Consultant) commented:
interface Ethernet0/2

This interface should have no config on it if it has sub interfaces?

ICSLogistics (Author) commented:
So then to fix I would need to remove the native VLAN configuration on the Ethernet0/2 interface and recreate it as a sub-if as the native VLAN?

ICSLogistics (Author) commented:
Ok, we ended up taking a different route to reach the same goal.

On the Ethernet0/2.3 interface we put the following incoming rules in place

access-list SSC_access_in extended permit ip any object Mail_Inside
access-list SSC_access_in extended deny ip any 10.0.0.0 255.255.0.0
access-list SSC_access_in extended permit ip any any

This removed the implicit allow to less secured networks which is why we had to add the deny statement to isolate the new domain. And the other two statements allow mail and internet access.
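
The first-match behaviour of the three ACEs above, modelled as an added example (not part of the original post or the poster's configuration). The address behind `Mail_Inside` is not shown in the thread, so `10.0.0.25` is an assumed stand-in, and the sample destinations are constructed from object names in the NAT output.

```python
import ipaddress

# Assumption: the address behind the Mail_Inside object is not shown in the
# thread; 10.0.0.25 is a constructed stand-in on the Inside network.
MAIL_INSIDE = "10.0.0.25/32"

# The three ACEs from the post, in order. Source is "any" and protocol is "ip"
# in every line, so only the destination decides the match.
SSC_ACCESS_IN = [
    ("permit", MAIL_INSIDE),    # permit ip any object Mail_Inside
    ("deny", "10.0.0.0/16"),    # deny ip any 10.0.0.0 255.255.0.0
    ("permit", "0.0.0.0/0"),    # permit ip any any
]

def evaluate(acl, dst):
    """Return (action, line) for the first ACE matching dst; None = implicit deny."""
    addr = ipaddress.ip_address(dst)
    for line, (action, net) in enumerate(acl, start=1):
        if addr in ipaddress.ip_network(net):
            return action, line
    return "deny", None

def hits_catch_all(acl, hosts):
    """Hosts permitted only because they fall through to the last ACE."""
    last = len(acl)
    return [h for h in hosts if evaluate(acl, h) == ("permit", last)]

# Constructed sample destinations; host addresses inside objects whose mask is
# not shown on the page (e.g. obj-10.99.40.0) are assumptions.
SAMPLES = {
    "mail server (assumed)": "10.0.0.25",
    "Inside host obj-10.0.0.3": "10.0.0.3",
    "Inside host obj-10.0.2.26": "10.0.2.26",
    "dmz host obj-192.168.200.101": "192.168.200.101",
    "host in obj-10.99.40.0 (constructed)": "10.99.40.1",
    "internet host (documentation range)": "203.0.113.10",
}

if __name__ == "__main__":
    for label, ip in SAMPLES.items():
        print(f"{label:40} {ip:16} -> {evaluate(SSC_ACCESS_IN, ip)}")
    print("via permit any any:", hits_catch_all(SSC_ACCESS_IN, SAMPLES.values()))
```

The deny line covers only 10.0.0.0 through 10.0.255.255, so in this model destinations such as the dmz 192.168.200.x hosts and the 10.99.x.x objects pass the ACL through the final `permit ip any any`. The model covers the ACL only; NAT, routing and any other interface policy still apply on the ASA.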

ICSLogistics (Author) commented:
Identified fix without having to use suggestion.