10-23-2007 07:29 AM - edited 03-11-2019 04:29 AM
Hi guys.
I would like to know how to provide access from all my VLANs that reside on my ASA 5505 to certain network resources, such as the mail server, file server, network printers...
my network layout is as follows:
2811=>ASA5505=>CATALYST Express 500
The 2811 only connects to the internet, and with static NAT, gives everything that comes to my public IP to its inside fa0/0. The ASA then does everything else. All the VLANs reside on the ASA 5505, and all the routing and NATting happens on the ASA 5505.
I have enabled inter- and intra-VLAN routing, but no success.
example:
I want a client that resides on VLAN2 with an IP of 192.168.2.5 and default gateway 192.168.2.1 (ASA 5505) to be able to access a printer on 192.168.3.11 (VLAN3), and a client on 192.168.3.23 (VLAN3) to be able to access the mail server on 192.168.2.2 (VLAN2).
Please Help?!?!?!
10-23-2007 08:19 AM
How many VLANs do you have? Do you want everything to communicate between the VLANs, or just some things like printing?
10-23-2007 08:22 AM
I have 3 VLANs.
I don't want everything to communicate amongst each other in the VLANs.
I want all users from all VLANs to be able to have access to my mail server, to network printers, and to network storage.
10-23-2007 08:36 AM
You'll need to look at doing same security interfaces or NAT, along with ACLs. You need to document IPs, ports, and protocols for communications between systems. Once that is done you can start to make configuration changes.
10-23-2007 08:48 AM
I already have all of this documented.
What type of config changes do I need to make?
When you say protocols, do you mean SMTP, HTTP, DNS, etc.?
My server resides at 192.168.2.2.
My network printer is 192.168.3.11.
I need users from all VLANs to be able to access the above-mentioned network resources.
I am posting my ASA 5505 config so you can better understand, so you could perhaps help me better! Thank you!!
10-24-2007 05:23 AM
Here is what I would do. I would permit same-security interface.
By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces lets traffic flow freely between all same security interfaces without access lists.
If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
To enable interfaces on the same security level so that they can communicate with each other, enter the following command:
hostname(config)# same-security-traffic permit inter-interface
To disable this setting, use the no form of this command.
Then create an ACL to allow traffic from your host on one network to the printer, storage, etc on the other.
Example:
access-list inside1_to_inside2 extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.3.5 eq 9100
Don't forget to apply the ACL to the interface and in the right direction.
access-group inside1_to_inside2 in interface inside1
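Putting the pieces of this thread together for the original poster's layout, here is an added configuration example (not from any post above, and not a Cisco reference config). It uses pre-8.3 ASA syntax, assumes the VLAN interfaces are named inside2 and inside3, and treats the NAS address 192.168.2.3 as a placeholder; only the mail server (192.168.2.2) and printer (192.168.3.11) come from the thread.

```cisco
! Added example for the thread's layout; interface names, the NAS address
! (192.168.2.3) and the mail ports are assumptions.
interface Vlan2
 nameif inside2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
 nameif inside3
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
! Both VLANs sit at security level 100, so this is required before any
! traffic can pass between them (see the post above).
same-security-traffic permit inter-interface
!
! VLAN3 users may reach only the mail server and NAS on VLAN2.
! The explicit deny before the final permit logs any other VLAN2 attempt
! (an easy way to spot a misconfigured or curious host).
access-list inside3_in extended permit tcp 192.168.3.0 255.255.255.0 host 192.168.2.2 eq smtp
access-list inside3_in extended permit tcp 192.168.3.0 255.255.255.0 host 192.168.2.2 eq pop3
access-list inside3_in extended permit tcp 192.168.3.0 255.255.255.0 host 192.168.2.2 eq imap4
access-list inside3_in extended permit tcp 192.168.3.0 255.255.255.0 host 192.168.2.3 eq 445
access-list inside3_in extended deny ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0 log
access-list inside3_in extended permit ip 192.168.3.0 255.255.255.0 any
access-group inside3_in in interface inside3
!
! VLAN2 users may reach only the network printer on VLAN3 (raw print, TCP 9100).
access-list inside2_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.3.11 eq 9100
access-list inside2_in extended deny ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0 log
access-list inside2_in extended permit ip 192.168.2.0 255.255.255.0 any
access-group inside2_in in interface inside2
```

If nat-control is enabled on the ASA, inter-interface traffic also needs a NAT exemption (nat 0) or identity static between inside2 and inside3; that is not shown here. The trailing "permit ip ... any" keeps Internet access working through the 2811; the deny above it is what stops the rest of the VLAN-to-VLAN traffic.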