Cisco ASA 5505 - InterVLAN NAT Exemptions Implementation not working

Posted by Brandon Bearden on Server Fault
Published on 2012-12-04T23:14:32Z, indexed on 2012/12/05 11:09 UTC

Short version is we cannot communicate between our subnets.

We have a Cisco ASA 5505 we are using for our network router. We have a Netgear L3 switch behind that with 10 VLANs. Each VLAN is on its own subnet (10.0.10.x/24, 10.0.11.x/24, etc.).

So ASA >>> Switch >>> Hosts

We have PAT for each subnet to our outside interface. Each subnet NATs out properly.

I have NAT exemption enabled for 2 of the subnets (eventually I will need all, but am just testing at the moment).

Config is here: http://pastebin.com/pDsG7hsh

I have tried multiple ways for the NAT exemption to allow all traffic from our inside VLANs. At this point in time I am trying to get "Engineering" to communicate with all hosts on "AuthUser".

I can ping some hosts, but not as many as if I am directly on the interface. I can reach a port 80 service, but not 443. I cannot access anything via hostname or NetBIOS.

What am I missing to allow higher security level interfaces to fully communicate with lower security level interfaces?

Thx!
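For readers following the question, here is an added example of what a NAT exemption (identity NAT) between two inside interfaces looks like on an ASA, together with the commands used to verify which NAT rule a flow actually hits. This is not the poster's configuration (that is only on the pastebin link) and it is not an answer to the question; the object names, the assumption that "Engineering" is 10.0.10.0/24 and "AuthUser" is 10.0.11.0/24, and the assumption that both are ASA interface names are all constructed for the example.

```cisco
! --- ASA 8.3 and later (object / twice NAT syntax) ---
! Subnets and interface names below are assumed for the example.
object network ENG_NET
 subnet 10.0.10.0 255.255.255.0
object network AUTH_NET
 subnet 10.0.11.0 255.255.255.0

! Identity NAT: Engineering -> AuthUser keeps both source and destination
! addresses unchanged, so this traffic never falls through to the PAT rule
! that translates to the outside interface. Manual (section 1) rules are
! evaluated before object (section 2) dynamic PAT rules.
nat (Engineering,AuthUser) source static ENG_NET ENG_NET destination static AUTH_NET AUTH_NET no-proxy-arp route-lookup

! --- Pre-8.3 equivalent (nat 0 with an ACL), shown for comparison ---
! access-list NONAT extended permit ip 10.0.10.0 255.255.255.0 10.0.11.0 255.255.255.0
! nat (Engineering) 0 access-list NONAT

! --- Verification ---
! Show NAT rules in evaluation order with per-rule hit counters.
show nat
! Simulate one flow and see which NAT rule (if any) it matches and at
! which phase it is allowed or dropped. Compare a working port with a
! failing one from the same source host.
packet-tracer input Engineering tcp 10.0.10.5 40000 10.0.11.5 80
packet-tracer input Engineering tcp 10.0.10.5 40001 10.0.11.5 443
```

The point of the two `packet-tracer` runs is that they print the NAT phase explicitly: if the 443 flow shows a different NAT rule or a drop in a later phase than the 80 flow, the output names the rule or ACL responsible, which is far faster than guessing from ping results.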

© Server Fault or respective owner
