4 Replies Latest reply on May 5, 2014 10:49 AM by jayh

    Private Vlan to Private Vlan shows public vlan IP as source address

    mrchrisosburn New Member

      Hi all,

      Not sure where to start with this, but when I have inter-VLAN communication the source address seen by the receiving VLAN is the address of the public VLAN interface.

      I just built out the config on this router yesterday and I'm sure I'm just missing a small thing.

      Thanks in advance

      -Christopher

        • Re: Private Vlan to Private Vlan shows public vlan IP as source address
          jayh Hall_of_Fame

          I'm having difficulty understanding what the problem is. By design the source IP of the connection traverses the network by default. This is the way that return traffic can be forwarded to the source.

          Could you give a specific example of which source IP and interface and which destination IP and interface you are testing with, as well as what you are seeing and what you are expecting?

          It also seems as if you have disabled route-cache on all of your interfaces. Why?

          VPN configuration also seems incomplete.

          1 of 1 people found this helpful
            • Re: Private Vlan to Private Vlan shows public vlan IP as source address
              mrchrisosburn New Member

              Hi jayh,

              Thanks for getting back to me so quickly.

              The issue is there are a few PCs on the voice side of the network, and when they connect to something on the data side the source IP address is that of the default VLAN.

              So when 192.168.200.50 connects to 10.0.0.253, the source address seen on 10.0.0.253 is 67.50.xx.xx. It's like it's performing NAT internally, which is something I would like to avoid.

              I saw route cache was disabled after I posted; it was a default configuration and I overlooked it. It's enabled now.

              VPN configuration was removed from the uploaded document.

              Thanks

              -Christopher

              P.S. I saw you were the featured member on the home page, congratulations.

            • Re: Private Vlan to Private Vlan shows public vlan IP as source address
              mrchrisosburn New Member

              I figured it out.

              There was an auto-generated NAT policy "NAT list wizard-ics" which had the destination security zone set to "<Any Security Zone>". I changed it to "Public", added allow policies for the two VLANs, and now everything is working as it should.

              Thanks for your help, jayh. If you hadn't replied it would never have dawned on me that it was performing NAT internally.

              -Christopher

              • Re: Private Vlan to Private Vlan shows public vlan IP as source address
                jayh Hall_of_Fame

                One thing to do if you have several interfaces in the same zone that you want to communicate:

                Create an ACL to allow any:

                ip access-list extended pvt-all-list
                  remark allow pvt-to-pvt
                  permit ip any any log

                Then apply that first in the security zone with a policy of the same zone:

                ip policy-class Private
                  allow list pvt-all-list policy Private
                  nat source list web-acl-5 address XXXXXXXXXX overload policy Public
                  nat source list web-acl-6 address XXXXXXXXXX overload policy Public
                  nat source list web-acl-7 address XXXXXXXXXX overload policy Public
                [...]

                Because the policy-classes are evaluated top-down, this will ensure that your inter-VLAN same-policy traffic gets processed before any other rules.

                1 of 1 people found this helpful
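The following is an added example, not code from this thread or from ADTRAN: a small Python model of top-down, first-match policy-class evaluation that reproduces the symptom Christopher saw (a wizard NAT rule whose destination zone is "<Any Security Zone>" overloads even private-to-private traffic) beside the corrected ordering jayh describes (same-zone allow first, NAT restricted to the Public zone). The zone layout, the rule tuple shape, and the placeholder public address 67.50.0.1 (standing in for the masked 67.50.xx.xx) are assumptions for the demonstration, and the lint function at the end flags the kind of rule that caused the problem.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: the voice and data VLANs from the thread share the
# "Private" zone; everything else is "Public" (WAN). The public address is a
# placeholder for the masked 67.50.xx.xx in the post.
ZONES = {
    ip_network("192.168.200.0/24"): "Private",  # voice VLAN
    ip_network("10.0.0.0/24"): "Private",       # data VLAN
    ip_network("0.0.0.0/0"): "Public",          # WAN / anything else
}
PUBLIC_IP = "67.50.0.1"  # placeholder, not a real address from the thread

def zone_of(addr):
    """Longest-prefix match of an address to its security zone."""
    nets = [n for n in ZONES if ip_address(addr) in n]
    return ZONES[max(nets, key=lambda n: n.prefixlen)]

def evaluate(policy, src, dst):
    """Walk a policy-class top-down; the first matching rule wins.
    A rule is (action, src_acl_prefix, dest_zone). Returns (action, source
    address as seen by dst)."""
    for action, src_acl, dest_zone in policy:
        if ip_address(src) not in ip_network(src_acl):
            continue
        if dest_zone not in ("<Any Security Zone>", zone_of(dst)):
            continue
        if action == "nat":
            return "nat", PUBLIC_IP   # source overloaded to the public address
        return "allow", src           # forwarded with the original source
    return "discard", None            # implicit deny at the end of the class

# Before: the wizard-generated NAT rule matched any destination zone, so
# voice-VLAN to data-VLAN traffic was NATed just like Internet-bound traffic.
WIZARD_POLICY = [("nat", "192.168.200.0/24", "<Any Security Zone>")]

# After: same-zone allow first, and NAT restricted to traffic bound for Public.
FIXED_POLICY = [
    ("allow", "0.0.0.0/0", "Private"),          # pvt-all-list, policy Private
    ("nat", "192.168.200.0/24", "Public"),      # overload only toward Public
]

def nat_rules_matching_any_zone(policy):
    """Lint: NAT rules with an unrestricted destination zone (the thread's bug)."""
    return [r for r in policy if r[0] == "nat" and r[2] == "<Any Security Zone>"]

if __name__ == "__main__":
    for name, pol in (("wizard", WIZARD_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "to data VLAN:", evaluate(pol, "192.168.200.50", "10.0.0.253"),
              "to Internet:", evaluate(pol, "192.168.200.50", "8.8.8.8"))
```

Running it shows the wizard policy presenting the public address to 10.0.0.253 while the fixed policy delivers 192.168.200.50 unchanged and still NATs Internet-bound traffic.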