

Today I use a Cisco 2811 router for inter-VLAN routing.

I often have to add or modify access lists for policy routing.

And it is not very easy with CLI commands.

I want to replace this router with an ASA firewall for inter-VLAN routing.

It is better to manage access lists with the ASDM interface. But I have this problem:

Each subinterface is configured with the VLAN ID.

But the firewall uses different security levels for these interfaces. And if I want to establish routing from a lower security level interface to a higher security level interface, I must create a static NAT for each IP address.

Does anyone know if it is possible to do inter-VLAN routing without using static NAT, but only access lists, like a router?

Thanks for your help

Steve Lyons (Cisco Employee) Sat, 06/28/2008 - 06:06

If you require NAT, then you will have to use static NAT for traffic flows from low to high security level interfaces. If you do not require NAT, then you could turn off NAT with the command no nat-control. Then global/nat and/or static NAT is not required. With NAT control off you can still use access lists to control which traffic is allowed in or out per interface.

dhananjoy chowdhury (Silver, 250 points or more) Sat, 06/28/2008 - 07:25

By default, it will be "no nat-control", so NATting is not required for routing between interfaces.

Now migrating your inter-vlan routing and access-control to the ASA -

- you can use individual interfaces for individual VLANs, provided you have enough interfaces...

- ASA supports sub-interfaces, so you could possibly use 1 interface for porting multiple VLANs to just a single interface with granular access controls and routing between these VLANs.

Hope this helps.
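
Added example, not part of the original posts: a minimal ASA configuration sketch of what both replies describe, with NAT control off, two VLAN sub-interfaces at different security levels, and an access list instead of static NAT for the low-to-high flow. The interface names, VLAN IDs, addresses and ACL name are constructed assumptions.

```cisco
! Constructed example: names, VLAN IDs and addresses are assumptions.
! With NAT control off, no nat/global/static entries are needed to route
! between interfaces.
no nat-control
!
! The physical trunk interface carries no name or address of its own.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/1.10
 vlan 10
 nameif servers
 security-level 80
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif users
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! users (50) -> servers (80) is low-to-high, so it stays blocked until an
! inbound ACL on the lower-level interface permits it. Permit only the
! service that is needed; the explicit deny logs everything else aimed at
! the server VLAN, and the implicit deny covers the rest.
access-list USERS_IN extended permit tcp 192.168.20.0 255.255.255.0 host 192.168.10.10 eq https
access-list USERS_IN extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-group USERS_IN in interface users
!
! Checks to run from privileged EXEC after applying the above:
!   show running-config nat-control
!   packet-tracer input users tcp 192.168.20.50 40000 192.168.10.10 443
```

The packet-tracer result should show the flow allowed by USERS_IN with no NAT phase rewriting the addresses; the same test against another port on 192.168.10.10 should be dropped by the access list.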