[HELP] More ASA woes... This one is going to have an easy answer, but I just can't see it! I have a working VPN using the Cisco EZVPN client, and when I am on it I can ping anything on the default VLAN, which is VLAN 10 (192.168.10.x). However, I cannot ping anything on any other VLAN (192.168.20.x, 192.168.30.x, etc.). Here's the full config. What dumb-arsery am I missing? ASA# sho run
: Saved
:
! Software release and device identity. 8.2(5) predates the 8.3 NAT rewrite, so
! the translation rules further down use the older nat/global/static commands.
! NOTE(review): 8.2 is a long-superseded train; confirm it still receives
! security fixes before leaving it on the internet edge.
ASA Version 8.2(5)
!
hostname ASA
domain-name cisco.com
! Privileged-mode and login passwords; the poster replaced the values with xxxxxx.
enable password xxxxxx
passwd xxxxxx encrypted
names
!
! GigabitEthernet0/0 is the link towards the internal switch. The physical
! interface ("inside", 192.168.10.1/24) has no vlan statement; each subinterface
! below binds one VLAN ID to a named interface with its own /24 gateway address.
! Every one of them is security-level 100, so traffic between them depends on
! "same-security-traffic permit inter-interface" later in this config.
! NOTE(review): the only access-group in this config is bound to outside, so no
! ACL filters traffic between these internal VLANs.
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
vlan 20
nameif vlan20
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
vlan 30
nameif vlan30
security-level 100
ip address 192.168.30.1 255.255.255.0
!
interface GigabitEthernet0/0.35
vlan 35
nameif vlan35
security-level 100
ip address 192.168.35.1 255.255.255.0
!
interface GigabitEthernet0/0.40
vlan 40
nameif vlan40
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface GigabitEthernet0/0.60
vlan 60
nameif vlan60
security-level 100
ip address 192.168.60.1 255.255.255.0
!
interface GigabitEthernet0/0.70
vlan 70
nameif vlan70
security-level 100
ip address 192.168.70.1 255.255.255.0
!
interface GigabitEthernet0/0.80
vlan 80
nameif vlan80
security-level 100
ip address 192.168.80.1 255.255.255.0
!
interface GigabitEthernet0/0.90
vlan 90
nameif vlan90
security-level 100
ip address 192.168.90.1 255.255.255.0
!
interface GigabitEthernet0/0.100
vlan 100
nameif vlan100
security-level 100
ip address 192.168.100.1 255.255.255.0
!
! Unused ports: administratively shut down, with no name, level or address.
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
! Internet-facing interface: security-level 0, public /29 address (redacted by
! the poster). The crypto map, webvpn and the inbound ACL are all attached here.
interface GigabitEthernet0/3
description WAN interface
nameif outside
security-level 0
ip address 62.x.x.x 255.255.255.248
!
! Dedicated management port; "management-only" keeps it from passing through traffic.
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
! Global settings: FTP client mode, UK summer-time rule, default DNS group.
ftp mode passive
clock summer-time BST recurring last Sun Mar 1:00 last Sun Sep 1:00
dns server-group DefaultDNS
domain-name cisco.com
! Allow traffic between interfaces that share a security level (every internal
! VLAN in this config is level 100).
same-security-traffic permit inter-interface
! Allow traffic to leave through the same interface it arrived on.
same-security-traffic permit intra-interface
! Inbound filter for the internet side: despite its name, ACL "vlan35" is bound
! to outside by "access-group vlan35 in interface outside" further down.
! Entries are evaluated top-down and every entry is a permit; anything that
! matches none of them is dropped by the implicit deny.
! Source-restricted SMTP permits (addresses redacted by the poster):
access-list vlan35 extended permit tcp 192.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 192.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 192.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 208.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 208.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 208.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 5.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 92.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 94.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 174.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 192.x.x.x 255.255.252.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 208.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 208.x.x.x 255.255.252.0 host 62.x.x.x eq smtp
! NOTE(review): the "any ... eq smtp" permit below admits every source, so if it
! targets the same host as the entries above (addresses are redacted), those
! source-restricted SMTP entries do not narrow anything.
! NOTE(review): tcp/3389 from "any" is forwarded to 192.168.35.10 by a static
! later in this config, so RDP is reachable from any internet address; restrict
! the source addresses or require the VPN for it.
access-list vlan35 extended permit tcp any host 62.x.x.x eq 20001
access-list vlan35 extended permit tcp any host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp any host 62.x.x.x eq 3389
! Single-source permits for www, ftp-data, ftp, 57612 and 10050.
! NOTE(review): 57612 is permitted as tcp here, but the only static for that
! port later in this config is udp; confirm which protocol is intended.
access-list vlan35 extended permit tcp host 62.x.x.x host 62.x.x.x eq www
access-list vlan35 extended permit tcp host 62.x.x.x host 62.x.x.x eq ftp-data
access-list vlan35 extended permit tcp host 62.x.x.x host 62.x.x.x eq ftp
access-list vlan35 extended permit tcp host 62.x.x.x host 62.x.x.x eq 57612
access-list vlan35 extended permit tcp host 62.x.x.x host 62.x.x.x eq 10050
! Any-source permits for 38880, 38881 and 6000 over both tcp and udp; the
! matching statics forward them to 192.168.80.120 and 192.168.80.126.
access-list vlan35 extended permit tcp any host 62.x.x.x eq 38880
access-list vlan35 extended permit tcp any host 62.x.x.x eq 38881
access-list vlan35 extended permit tcp any host 62.x.x.x eq 6000
access-list vlan35 extended permit udp any host 62.x.x.x eq 38880
access-list vlan35 extended permit udp any host 62.x.x.x eq 38881
access-list vlan35 extended permit udp any host 62.x.x.x eq 6000
! Split-tunnel network list: group-policy EZVPN references this ACL with
! "split-tunnel-policy tunnelspecified", so only these destinations are sent
! through the tunnel by the client.
! NOTE(review): 192.168.40.0/24 and 192.168.100.0/24 exist as interfaces in this
! config but are not listed here, so clients will not route them via the VPN.
access-list EZVPN standard permit 192.168.10.0 255.255.255.0
access-list EZVPN standard permit 192.168.20.0 255.255.255.0
access-list EZVPN standard permit 192.168.30.0 255.255.255.0
access-list EZVPN standard permit 192.168.35.0 255.255.255.0
access-list EZVPN standard permit 192.168.60.0 255.255.255.0
access-list EZVPN standard permit 192.168.70.0 255.255.255.0
access-list EZVPN standard permit 192.168.80.0 255.255.255.0
access-list EZVPN standard permit 192.168.90.0 255.255.255.0
! NAT-exemption ACL, referenced by the "nat (<interface>) 0 access-list
! no_nat_vpn" lines. For each internal /24 it pairs the subnet with the VPN
! client pool 172.16.1.0/27 in both directions.
! NOTE(review): the entries whose source is the pool are presumably not needed
! when this ACL is applied on the internal interfaces; confirm before pruning.
! NOTE(review): there is no pair for 192.168.100.0/24.
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.10.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.20.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.20.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.30.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.30.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.35.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.35.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.40.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.40.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.60.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.70.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.70.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.80.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.80.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.90.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.90.0 255.255.255.0 172.16.1.0 255.255.255.224
pager lines 24
! Logging is enabled, with ASDM receiving informational-level events.
! NOTE(review): no "logging host" or "logging trap" line appears in this config,
! so events are presumably not exported to a remote collector; confirm.
logging enable
logging asdm informational
! Default 1500-byte MTU on every named interface.
mtu inside 1500
mtu vlan20 1500
mtu vlan30 1500
mtu vlan35 1500
mtu vlan40 1500
mtu vlan60 1500
mtu vlan70 1500
mtu vlan80 1500
mtu vlan90 1500
mtu outside 1500
mtu management 1500
mtu vlan100 1500
! Address pool for remote-access VPN clients (172.16.1.1-30, a /27); it is
! attached to tunnel-group "tunnel" by "address-pool vpn".
ip local pool vpn 172.16.1.1-172.16.1.30 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! NAT control is enabled alongside the dynamic, exemption and static rules below.
nat-control
! PAT pool 1: translate to the address of the outside interface.
global (outside) 1 interface
! Per interface, two rules: "nat 0 access-list no_nat_vpn" exempts traffic that
! matches the VPN-pool pairs from translation, and "nat 1" sends the
! interface's own /24 through PAT pool 1.
nat (inside) 0 access-list no_nat_vpn
nat (inside) 1 192.168.10.0 255.255.255.0 outside
nat (vlan20) 0 access-list no_nat_vpn
nat (vlan20) 1 192.168.20.0 255.255.255.0 outside
nat (vlan30) 0 access-list no_nat_vpn
nat (vlan30) 1 192.168.30.0 255.255.255.0 outside
nat (vlan35) 0 access-list no_nat_vpn
nat (vlan35) 1 192.168.35.0 255.255.255.0 outside
nat (vlan40) 0 access-list no_nat_vpn
nat (vlan40) 1 192.168.40.0 255.255.255.0 outside
nat (vlan60) 0 access-list no_nat_vpn
nat (vlan60) 1 192.168.60.0 255.255.255.0 outside
nat (vlan70) 0 access-list no_nat_vpn
nat (vlan70) 1 192.168.70.0 255.255.255.0 outside
nat (vlan80) 0 access-list no_nat_vpn
nat (vlan80) 1 192.168.80.0 255.255.255.0 outside
nat (vlan90) 0 access-list no_nat_vpn
nat (vlan90) 1 192.168.90.0 255.255.255.0 outside
! NOTE(review): vlan100 has a dynamic rule but, unlike the other VLANs, no
! "nat 0 access-list" line.
nat (vlan100) 1 192.168.100.0 255.255.255.0 outside
! Port forwards published on the outside interface address (static PAT). Each
! one maps a port on the public address to a single internal host:
!   192.168.35.10  - smtp, 3389, 20001 (tcp)
!   192.168.80.120 - 38880, 38881 (tcp and udp)
!   192.168.80.126 - 6000 (tcp and udp)
!   192.168.90.51  - www, 10050, ftp-data, ftp (tcp), 57612 (udp)
! Which sources may reach them is decided by ACL "vlan35", applied inbound on outside.
! NOTE(review): 3389 is permitted from "any" in that ACL, so this forward exposes
! RDP on 192.168.35.10 to the whole internet; restrict the source or move it
! behind the VPN.
! NOTE(review): the 57612 forward is udp, while the ACL entry for 57612 is tcp;
! as written the two do not match each other.
static (vlan35,outside) tcp interface smtp 192.168.35.10 smtp netmask 255.255.255.255
static (vlan35,outside) tcp interface 3389 192.168.35.10 3389 netmask 255.255.255.255
static (vlan80,outside) tcp interface 38881 192.168.80.120 38881 netmask 255.255.255.255
static (vlan80,outside) tcp interface 38880 192.168.80.120 38880 netmask 255.255.255.255
static (vlan90,outside) tcp interface www 192.168.90.51 www netmask 255.255.255.255
static (vlan90,outside) tcp interface 10050 192.168.90.51 10050 netmask 255.255.255.255
static (vlan90,outside) tcp interface ftp-data 192.168.90.51 ftp-data netmask 255.255.255.255
static (vlan90,outside) tcp interface ftp 192.168.90.51 ftp netmask 255.255.255.255
static (vlan90,outside) udp interface 57612 192.168.90.51 57612 netmask 255.255.255.255
static (vlan80,outside) tcp interface 6000 192.168.80.126 6000 netmask 255.255.255.255
static (vlan80,outside) udp interface 38881 192.168.80.120 38881 netmask 255.255.255.255
static (vlan80,outside) udp interface 38880 192.168.80.120 38880 netmask 255.255.255.255
static (vlan80,outside) udp interface 6000 192.168.80.126 6000 netmask 255.255.255.255
static (vlan35,outside) tcp interface 20001 192.168.35.10 20001 netmask 255.255.255.255
! Identity statics between internal interfaces: each line maps a subnet to
! itself (mapped address = real address) for one pair of interfaces, so hosts
! keep their own addresses when crossing between those VLANs.
! Pairs exist between inside and every other internal interface, and between
! vlan20 and the other VLANs; none of these lines involves the VPN pool.
static (inside,vlan20) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan20,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan20,vlan30) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan30,vlan20) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,vlan30) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan30,inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,vlan60) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan60,inside) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (inside,vlan70) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan70,inside) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
static (inside,vlan80) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan80,inside) 192.168.80.0 192.168.80.0 netmask 255.255.255.0
static (inside,vlan90) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan90,inside) 192.168.90.0 192.168.90.0 netmask 255.255.255.0
static (inside,vlan35) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan35,inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
! NOTE(review): these two lines make the inside LAN and the management network
! visible to each other with their real addresses; confirm that is intended for
! a management-only interface.
static (inside,management) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (management,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan40,vlan20) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (vlan20,vlan40) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,vlan100) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan100,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (vlan35,vlan20) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (vlan20,vlan35) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
! NOTE(review): the real interface here is vlan100 (192.168.100.0/24), but the
! subnet given is 192.168.10.0, which belongs to inside; this looks like a typo.
static (vlan100,vlan35) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan20,vlan60) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan60,vlan20) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (vlan20,vlan100) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan100,vlan20) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (vlan20,vlan70) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan70,vlan20) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
static (vlan20,vlan80) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan80,vlan20) 192.168.80.0 192.168.80.0 netmask 255.255.255.0
static (vlan20,vlan90) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan90,vlan20) 192.168.90.0 192.168.90.0 netmask 255.255.255.0
! Bind ACL "vlan35" inbound on outside. It is the only access-group in this
! config, so it is the sole ACL filter for traffic arriving from the internet.
access-group vlan35 in interface outside
! Default route via the ISP gateway (address redacted by the poster).
route outside 0.0.0.0 0.0.0.0 62.x.x.x
! Translation and connection idle timers.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
! SSH logins are authenticated against the local user database.
aaa authentication ssh console LOCAL
! The HTTPS/ASDM server is disabled; the two "http" lines only list which
! subnets would be allowed to reach it if it were enabled.
no http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
! SNMP traps are enabled, but no "snmp-server host" receiver appears in this config.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! IPsec (phase 2) proposal for remote-access clients: 3DES with HMAC-MD5.
! NOTE(review): 3DES and MD5 are legacy choices; where the clients support it,
! prefer an AES transform with a SHA HMAC (for example esp-aes-256 esp-sha-hmac).
crypto ipsec transform-set tunnel esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Dynamic crypto map: accepts peers with unknown addresses (remote-access
! clients) and is attached to the outside interface.
crypto dynamic-map tunnel 1 set transform-set tunnel
crypto map tunnel 1 ipsec-isakmp dynamic tunnel
crypto map tunnel interface outside
! IKE (phase 1) on outside: group pre-shared key, 3DES, SHA-1, DH group 2.
! NOTE(review): DH group 2 is 1024-bit and the pre-shared key is shared by every
! client in the tunnel-group; consider AES and a larger DH group, and rotate the
! key whenever a client or user leaves.
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
! NAT traversal is turned off, so clients sitting behind a NAT device cannot
! fall back to UDP encapsulation of ESP.
no crypto isakmp nat-traversal
! No "telnet <network>" line is present, so only the Telnet idle timer is set here.
telnet timeout 30
! SSH management is accepted from the inside, vlan20 and vlan60 subnets only,
! protocol version 2, 30-minute idle timeout.
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 vlan20
ssh 192.168.60.0 255.255.255.0 vlan60
ssh timeout 30
ssh version 2
! NOTE(review): a console timeout of 0 means a console session never idles out;
! set a finite value unless the console port is physically secured.
console timeout 0
! DHCP server for the management network only.
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Single NTP source with no authentication key configured in this config.
ntp server 141.40.103.101
! SSL VPN (AnyConnect) is enabled on the outside interface.
! NOTE(review): the client image is AnyConnect 2.5.2014; check whether a current
! client package is available for this platform.
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
svc profiles iconconnect disk0:/iconconnect.xml
svc enable
! Group policy for VPN users: split tunnelling limited to the networks in
! standard ACL "EZVPN". No vpn-filter is set in this policy.
! NOTE(review): assuming the default "sysopt connection permit-vpn" is in
! effect, decrypted client traffic bypasses the interface ACLs; confirm and
! add a vpn-filter if clients should not reach every listed VLAN.
group-policy EZVPN internal
group-policy EZVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN
! Local account with full (privilege 15) rights; name and hash redacted by the poster.
username xxxxxx password xxxxxx encrypted privilege 15
! Remote-access tunnel-group "tunnel": clients get addresses from pool "vpn",
! inherit group-policy EZVPN and authenticate the group with a pre-shared key
! (masked as ***** in the output).
tunnel-group tunnel type remote-access
tunnel-group tunnel general-attributes
address-pool vpn
default-group-policy EZVPN
tunnel-group tunnel ipsec-attributes
pre-shared-key *****
! Second tunnel-group "EZVPN": only the default group policy is set; it has no
! address-pool or ipsec-attributes in this config.
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
default-group-policy EZVPN
!
! Default inspection class: matches the standard ports of the inspected protocols.
class-map inspection_default
match default-inspection-traffic
!
!
! DNS inspection parameters: cap message length (512 bytes, or the size the
! client advertises).
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
! Global policy: application inspection for the protocols listed below.
! "inspect icmp" is included, so ICMP is tracked statefully and echo replies
! are allowed back for pings that were permitted outbound.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
! Apply the policy to all interfaces.
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
! Configuration checksum, redacted by the poster.
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end
Thanks... | | Nubiatechsoy capitan join:2007-09-02 Chicago, IL |
Before bothering with the nat statements, first take a look at how the trunking is set up. You don't have a vlan 10 defined on the ASA itself. Since you stated that 192.168.10.0/24 works, that means traffic to this subnet lands on the default native vlan: it leaves the ASA untagged, and inbound traffic from the switch's trunk is received untagged as well.
tldr; check switch trunk configs first: allowed vlans, native vlan, etc ... | | |
Switch config is fine. It's the one thing I am sure about! The ASA not so much... VLAN 10 is on the physical Gig 0/0, or so I thought! | | Nubiatechsoy capitan join:2007-09-02 Chicago, IL |
to markysharkey
Ok, I take it that the switch is configured properly, and that the following checks out: 1. Switch trunk port to the ASA is configured to allow all vlans. 2. Each access port is set to access the correct vlan.
Now, there is no vlan 10 on this ASA. We already established that traffic to the working subnet is carried over native vlans, untagged.
Just to be on the safe side, can you verify the ASA interfaces: 1. Clear the interface statistics: "clear interface". This will just clear the counters. 2. Clear the asp drop stats: "clear asp drop". 3. Try to generate some traffic to all VLANs if possible, or wait for a few minutes, then check the interface counters: "sho interface | i error|drops|line". This will show if there are any L2 issues and verify that the L2/L3 interfaces are up. 4. sho asp drop frame 5. sho asp drop flow
After that, can you post the output of: show xlate show nat | | |
Cleared the counters. It's a live site so traffic appears immediately. Here's the output: ASA# sho asp drop frame
Invalid encapsulation (invalid-encap) 2
Flow is denied by configured rule (acl-drop) 259
First TCP packet not SYN (tcp-not-syn) 3
TCP RST/FIN out of order (tcp-rstfin-ooo) 8
Last clearing: 15:44:02 UTC Oct 14 2014 by enable_15
ASA# sho asp drop flow
Inspection failure (inspect-fail) 2
Last clearing: 15:44:02 UTC Oct 14 2014 by enable_15
sho nat and sho xlate output is enormous! What am I looking for? Maybe I can sub it down a bit? | | Nubiatechsoy capitan join:2007-09-02 Chicago, IL |
said by markysharkey:sho nat and sho xlate output is enormous! What am I looking for? Maybe I can sub it down a bit? We're looking for the nat order, and also to verify the xlate slots are created and nat sessions are up. In this case, you can do show nat, and grep for the subnet that is working and compare it to the non-working subnets. Did you verify there are no L2 drops or any other issues on the interfaces? sho interface | i error|drops|line | | |
to markysharkey
said by markysharkey:nat-control
global (outside) 1 interface
nat (inside) 0 access-list no_nat_vpn
nat (inside) 1 192.168.10.0 255.255.255.0 outside
nat (vlan20) 0 access-list no_nat_vpn
nat (vlan20) 1 192.168.20.0 255.255.255.0 outside
nat (vlan30) 0 access-list no_nat_vpn
nat (vlan30) 1 192.168.30.0 255.255.255.0 outside
nat (vlan35) 0 access-list no_nat_vpn
nat (vlan35) 1 192.168.35.0 255.255.255.0 outside
nat (vlan40) 0 access-list no_nat_vpn
nat (vlan40) 1 192.168.40.0 255.255.255.0 outside
nat (vlan60) 0 access-list no_nat_vpn
nat (vlan60) 1 192.168.60.0 255.255.255.0 outside
nat (vlan70) 0 access-list no_nat_vpn
nat (vlan70) 1 192.168.70.0 255.255.255.0 outside
nat (vlan80) 0 access-list no_nat_vpn
nat (vlan80) 1 192.168.80.0 255.255.255.0 outside
nat (vlan90) 0 access-list no_nat_vpn
nat (vlan90) 1 192.168.90.0 255.255.255.0 outside
nat (vlan100) 1 192.168.100.0 255.255.255.0 outside
static (vlan35,outside) tcp interface smtp 192.168.35.10 smtp netmask 255.255.255.255
static (vlan35,outside) tcp interface 3389 192.168.35.10 3389 netmask 255.255.255.255
static (vlan80,outside) tcp interface 38881 192.168.80.120 38881 netmask 255.255.255.255
static (vlan80,outside) tcp interface 38880 192.168.80.120 38880 netmask 255.255.255.255
static (vlan90,outside) tcp interface www 192.168.90.51 www netmask 255.255.255.255
static (vlan90,outside) tcp interface 10050 192.168.90.51 10050 netmask 255.255.255.255
static (vlan90,outside) tcp interface ftp-data 192.168.90.51 ftp-data netmask 255.255.255.255
static (vlan90,outside) tcp interface ftp 192.168.90.51 ftp netmask 255.255.255.255
static (vlan90,outside) udp interface 57612 192.168.90.51 57612 netmask 255.255.255.255
static (vlan80,outside) tcp interface 6000 192.168.80.126 6000 netmask 255.255.255.255
static (vlan80,outside) udp interface 38881 192.168.80.120 38881 netmask 255.255.255.255
static (vlan80,outside) udp interface 38880 192.168.80.120 38880 netmask 255.255.255.255
static (vlan80,outside) udp interface 6000 192.168.80.126 6000 netmask 255.255.255.255
static (vlan35,outside) tcp interface 20001 192.168.35.10 20001 netmask 255.255.255.255
static (inside,vlan20) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan20,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan20,vlan30) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan30,vlan20) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,vlan30) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan30,inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,vlan60) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan60,inside) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (inside,vlan70) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan70,inside) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
static (inside,vlan80) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan80,inside) 192.168.80.0 192.168.80.0 netmask 255.255.255.0
static (inside,vlan90) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan90,inside) 192.168.90.0 192.168.90.0 netmask 255.255.255.0
static (inside,vlan35) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan35,inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (inside,management) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (management,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan40,vlan20) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (vlan20,vlan40) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,vlan100) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan100,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (vlan35,vlan20) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (vlan20,vlan35) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan100,vlan35) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan20,vlan60) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan60,vlan20) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (vlan20,vlan100) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan100,vlan20) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (vlan20,vlan70) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan70,vlan20) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
static (vlan20,vlan80) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan80,vlan20) 192.168.80.0 192.168.80.0 netmask 255.255.255.0
static (vlan20,vlan90) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan90,vlan20) 192.168.90.0 192.168.90.0 netmask 255.255.255.0
Thanks... As Nubiatech mentioned regarding the order of NAT, you may need to clean up the static and nat commands. Some nat commands can be consolidated by using access-lists. You should also migrate certain static commands into nat 0 commands. | |