11-16-2007 01:56 PM - edited 03-11-2019 04:32 AM
Good Day Everyone,
This is my first post here, and praying for a solution.
My scenario is as follows.
The setup involves
1 Catalyst 2950
1 Catalyst 3750G
1 ASA 5520
My objective is to configure two additional subnets using ASA subinterfaces as the VLAN gateways.
For this question we will use, on the ASA 5520,
one interface for server interaction
one interface for all user interaction.
Core Switch Catalyst 3750G
Current VLAN configuration
VLAN 1 Server interface 0/0
VLAN 10 clients interface 0/1
These VLANs are spread on both switches and communicate well.
So now I created two additional VLANs on the core switch:
VLAN 20 clients2
VLAN 30 clients3
Using the Catalyst 2950, I assigned two computers to VLANs 20 and 30 respectively.
I configured the trunk on the 2950 interface as follows:
interface FastEthernet0/20
switchport trunk native vlan 10
switchport trunk allowed vlan 20,30
switchport mode trunk
end
and its connecting interface on the 3750G is configured as:
interface GigabitEthernet1/0/30
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 20,30
switchport mode trunk
end
The switch interface to the ASA is configured as follows:
interface GigabitEthernet1/0/40
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30
switchport mode trunk
end
So after configuring this I configured the ASA interfaces as follows:
interface GigabitEthernet0/1
nameif clients
security-level 80
ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
interface GigabitEthernet0/1.20
vlan 20
nameif clients2
security-level 80
ip address 172.16.20.1 255.255.255.0 standby 172.16.20.2
interface GigabitEthernet0/1.30
vlan 30
nameif clients3
security-level 80
ip address 172.16.30.1 255.255.255.0 standby 172.16.30.2
Then I typed the commands
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
The clients set up as 172.168.10.3, .20.3 and .30.3 were all able to ping their respective gateways.
So now, to ping the server interface, the following was added using a static NAT rule with ASDM 5.2 (I'm still learning the CLI for ASA, so please excuse me).
I'll do the printout from the ASA (sh nat servers/clients/...2/...3).
Servers
match ip servers 172.16.1.0 255.255.255.0 clients any static translation to 172.16.1.0
match ip servers 172.16.1.0 255.255.255.0 clients2 any static translation to 172.16.1.0
match ip servers 172.16.1.0 255.255.255.0 clients3 any static translation to 172.16.1.0
Clients
match ip clients 172.16.10.0 255.255.255.0 servers any static translation to 172.16.10.0 (this is my entry)
match ip clients 172.16.10.0 255.255.255.0 clients any dynamic translation to pool 10 (No matching global)(this is not mine but would like to know how)
match ip clients 172.16.10.0 255.255.255.0 clients2 any dynamic translation to pool 10 (No matching global)(this is not mine but would like to know how)
match ip clients 172.16.10.0 255.255.255.0 clients3 any dynamic translation to pool 10 (No matching global)(this is not mine but would like to know how)
Plus there are other rules there that should only be there for the clients, but the same is there for all the other nameifs regarding PATs.
Clients2
match ip clients2 172.16.20.0 255.255.255.0 servers any static translation to 172.16.20.0
Clients3
match ip clients3 172.16.30.0 255.255.255.0 servers any static translation to 172.16.30.0
So after adding this in ASDM, they can ping the server network.
The problem now is that they cannot ping each other on the same interface. Can anyone shed some light on this?
A question as well about the commands
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface: would I have to configure rules for them to talk to each other, provided the first issue is resolved?
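The VLAN plumbing in this post has four places that must agree: the 2950 uplink, the 3750G port facing it, the 3750G port facing the ASA, and the 802.1Q tags the ASA's parent interface and sub-interfaces expect. The script below is an added example, not part of the original thread and not a Cisco tool: it parses the IOS and ASA stanzas as posted (security-level and standby lines are dropped from the copied sample because they play no part in the check) and reports any VLAN that one side expects but the other never carries. Two details the check encodes: the native VLAN has to be in the trunk's allowed list for the untagged parent interface to receive anything, and a sub-interface VLAN that is also the trunk's native VLAN would arrive untagged and never reach that sub-interface. Run against the configuration as posted it reports no mismatch.

```python
"""Consistency check of the trunk and ASA sub-interface layout in the post above.
Added example, not from the thread: parses the IOS and ASA stanzas copied from the
post and reports any VLAN that one side expects but the other never carries."""
import re

# Constructed from the post (security-level and standby lines dropped as irrelevant).
SWITCH_2950 = """
interface FastEthernet0/20
 switchport trunk native vlan 10
 switchport trunk allowed vlan 20,30
 switchport mode trunk
"""
SWITCH_3750_TO_2950 = """
interface GigabitEthernet1/0/30
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 20,30
 switchport mode trunk
"""
SWITCH_3750_TO_ASA = """
interface GigabitEthernet1/0/40
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
"""
ASA = """
interface GigabitEthernet0/1
 nameif clients
 ip address 172.16.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif clients2
 ip address 172.16.20.1 255.255.255.0
interface GigabitEthernet0/1.30
 vlan 30
 nameif clients3
 ip address 172.16.30.1 255.255.255.0
"""


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunk(config):
    """Native VLAN and allowed set (None = all VLANs) of one switchport trunk stanza."""
    native = re.search(r"switchport trunk native vlan (\d+)", config)
    allowed = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", config)
    return {"native": int(native.group(1)) if native else 1,  # IOS default native VLAN
            "allowed": parse_vlan_list(allowed.group(1)) if allowed else None}


def parse_asa(config):
    """Map each ASA nameif to the 802.1Q tag it terminates (None = untagged parent)."""
    ifaces, tag = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            tag = None
        elif line.startswith("vlan "):
            tag = int(line.split()[1])
        elif line.startswith("nameif "):
            ifaces[line.split()[1]] = tag
    return ifaces


def check_asa_uplink(trunk, asa_ifaces):
    """Findings for ASA interfaces whose VLAN the trunk toward the ASA does not deliver."""
    allowed, native, findings = trunk["allowed"], trunk["native"], []
    forwarded = lambda v: allowed is None or v in allowed  # None = trunk carries all VLANs
    for nameif, tag in asa_ifaces.items():
        if tag is None:  # parent reads untagged frames, i.e. the trunk's native VLAN
            if not forwarded(native):
                findings.append(f"{nameif}: native VLAN {native} not in allowed list")
        elif tag == native:
            findings.append(f"{nameif}: VLAN {tag} is native on the trunk, so it arrives untagged")
        elif not forwarded(tag):
            findings.append(f"{nameif}: VLAN {tag} not allowed on the trunk toward the ASA")
    return findings


def check_trunk_pair(a, b):
    """Findings for a switch-to-switch trunk whose two ends disagree."""
    findings = []
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    if a["allowed"] != b["allowed"]:
        findings.append(f"allowed VLAN mismatch: {a['allowed']} vs {b['allowed']}")
    return findings


def run_checks():
    """All checks against the posted configuration; an empty list means it is consistent."""
    return (check_trunk_pair(parse_trunk(SWITCH_2950), parse_trunk(SWITCH_3750_TO_2950))
            + check_asa_uplink(parse_trunk(SWITCH_3750_TO_ASA), parse_asa(ASA)))


if __name__ == "__main__":
    print("\n".join(run_checks()) or "no trunk / sub-interface mismatches found")
```

To reuse it against another pair of devices, paste the relevant `show running-config interface` stanzas into the constants; a trunk without an `allowed vlan` line is modelled as carrying every VLAN, which is the IOS default.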
11-19-2007 04:12 AM
Can anyone please help?
11-19-2007 06:54 AM
You still need to create ACLs allowing the traffic between the interfaces.
11-19-2007 12:50 PM
Doesn't
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
do this?
By the way, though I've configured all subnets on the subinterface to allow IP, there is still no resolution.
11-19-2007 05:08 PM
I know for sure you need the ACLs on the FWSM. I am not 100% sure for ASA or PIX.
Satya