ASA 5505 help

Unanswered Question
Oct 23rd, 2007

Hi guys.

I would like to know how to provide access from all my VLANs that reside on my ASA 5505 to certain network resources, such as the mail server, file server, network printers, etc.

My network layout is as follows:

2811 => ASA 5505 => Catalyst Express 500

The 2811 only connects to the internet and, with static NAT, passes everything that comes to my public IP to its inside Fa0/0. The ASA then does everything else. All the VLANs reside on the ASA 5505, and all the routing and NAT happens on the ASA 5505.

I have enabled inter- and intra-VLAN routing, but with no success.

Example:

I want a client that resides on VLAN 2 with an IP of 192.168.2.5 and default gateway 192.168.2.1 (the ASA 5505) to be able to access a printer on 192.168.3.11 (VLAN 3), and a client on 192.168.3.23 (VLAN 3) to be able to access the mail server on 192.168.2.2 (VLAN 2).

Please help!

Collin Clark Tue, 10/23/2007 - 08:19

How many VLANs do you have? Do you want everything to communicate between the VLANs, or just some things like printing?

konstaninosoregano Tue, 10/23/2007 - 08:22

I have 3 VLANs.

I don't want everything to communicate with each other across the VLANs.

I want all users from all VLANs to be able to access my mail server, the network printers, and a network storage device.

Collin Clark Tue, 10/23/2007 - 08:36

You'll need to look at doing same security interfaces or NAT, along with ACLs. You need to document IPs, ports, and protocols for communications between systems. Once that is done you can start to make configuration changes.

konstaninosoregano Tue, 10/23/2007 - 08:48

I already have all of this documented.

What type of config changes do I need to make?

When you say protocols, you mean SMTP, HTTP, DNS, etc.?

My server resides at 192.168.2.2.

My network printer is 192.168.3.11.

I need users from all VLANs to be able to access the above-mentioned network resources.

I am posting my ASA 5505 config so you can better understand, so you could perhaps help me better! Thank you!!

Collin Clark Wed, 10/24/2007 - 05:23

Here is what I would do. I would permit same-security interface traffic.

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same-security interfaces lets traffic flow freely between all same-security interfaces without access lists.

If you enable same-security interface communication, you can still configure interfaces at different security levels as usual.

To enable interfaces on the same security level so that they can communicate with each other, enter the following command:

hostname(config)# same-security-traffic permit inter-interface

To disable this setting, use the no form of this command.

Then create an ACL to allow traffic from your host on one network to the printer, storage, etc on the other.

Example:

access-list inside1_to_inside2 extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.3.5 eq 9100

Don't forget to apply the ACL to the interface and in the right direction.

access-group inside1_to_inside2 in interface inside1
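Putting the steps above together for the three-VLAN case described in the question, as an added example that is not part of the original thread or of Collin's post. The mail server (192.168.2.2) and printer (192.168.3.11) addresses come from the question; the interface names, the 192.168.4.0/24 third VLAN, the storage address 192.168.2.3, the port lists and the NAT-exemption access list are assumptions. The syntax is the ASA 7.2/8.0 CLI of a 2007-era 5505.

```cisco
! Assumed layout (not from the original post):
!   Vlan2 "inside2" servers  192.168.2.0/24 (mail 192.168.2.2, storage 192.168.2.3)
!   Vlan3 "inside3" users    192.168.3.0/24 (printer 192.168.3.11)
!   Vlan4 "inside4" users    192.168.4.0/24
! Vlan1 "outside" toward the 2811 is assumed to exist already.
interface Vlan2
 nameif inside2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
 nameif inside3
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
 nameif inside4
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
! All three sit at level 100, so traffic between them is only possible
! once this is on. The access lists below then decide what is allowed.
same-security-traffic permit inter-interface
!
! Shared resources as object groups so each ACL stays short and readable.
object-group network SHARED_SERVERS
 network-object host 192.168.2.2
 network-object host 192.168.2.3
object-group network SHARED_PRINTERS
 network-object host 192.168.3.11
object-group service MAIL_TCP tcp
 port-object eq smtp
 port-object eq pop3
 port-object eq imap4
object-group service STORAGE_TCP tcp
 port-object eq 139
 port-object eq 445
!
! ACL for traffic ENTERING the firewall from VLAN 3. Order matters:
! 1) shared resources, 2) deny everything else private, 3) permit the internet.
access-list inside3_in extended permit tcp 192.168.3.0 255.255.255.0 object-group SHARED_SERVERS object-group MAIL_TCP
access-list inside3_in extended permit tcp 192.168.3.0 255.255.255.0 object-group SHARED_SERVERS object-group STORAGE_TCP
access-list inside3_in extended deny ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.0.0 log
access-list inside3_in extended permit ip 192.168.3.0 255.255.255.0 any
access-group inside3_in in interface inside3
!
! VLAN 4 gets the same treatment plus the printer, which is on another VLAN for it.
access-list inside4_in extended permit tcp 192.168.4.0 255.255.255.0 object-group SHARED_SERVERS object-group MAIL_TCP
access-list inside4_in extended permit tcp 192.168.4.0 255.255.255.0 object-group SHARED_SERVERS object-group STORAGE_TCP
access-list inside4_in extended permit tcp 192.168.4.0 255.255.255.0 object-group SHARED_PRINTERS eq 9100
access-list inside4_in extended deny ip 192.168.4.0 255.255.255.0 192.168.0.0 255.255.0.0 log
access-list inside4_in extended permit ip 192.168.4.0 255.255.255.0 any
access-group inside4_in in interface inside4
!
! The server VLAN may only reach the printer on the user side; the ASA is
! stateful, so replies to sessions opened from VLAN 3/4 need no rule here.
access-list inside2_in extended permit tcp 192.168.2.0 255.255.255.0 object-group SHARED_PRINTERS eq 9100
access-list inside2_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0 log
access-list inside2_in extended permit ip 192.168.2.0 255.255.255.0 any
access-group inside2_in in interface inside2
!
! If dynamic NAT to the outside is configured (nat (insideN) 1 0 0 with a
! global (outside) 1 ...), exempt VLAN-to-VLAN traffic from it so the ASA
! does not look for a translation on the destination VLAN interface.
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (inside2) 0 access-list NONAT
nat (inside3) 0 access-list NONAT
nat (inside4) 0 access-list NONAT
```

Two things to check before blaming the ACLs. First, the ASA 5505 Base license allows three VLAN interfaces but requires `no forward interface vlan N` on the third one, so hosts on that VLAN cannot initiate connections to VLAN N; letting all three VLANs reach resources on both other VLANs needs the Security Plus license. Second, test a single flow end to end with `packet-tracer input inside3 tcp 192.168.3.23 1025 192.168.2.2 25` and watch the hit counts in `show access-list inside3_in`; the deny lines carry `log` so blocked inter-VLAN attempts show up in the syslog rather than silently disappearing.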
