ASA 5505 Firewall

Oct 9th, 2008

I'm setting up an ASA 5505 in transparent mode and can't pass layer 3 traffic between vlans. This is a simple config and I'm not sure why it's not working. Here's how I have the interfaces configured.


interface Vlan100
 nameif INSIDE
 security-level 100
!
interface Vlan2
 nameif OUTSIDE
 security-level 0
!
interface Ethernet0/0
 switchport access vlan 100
!
interface Ethernet0/1
 switchport access vlan 2
!
access-list 101 extended permit tcp any host x.x.x.x eq 443
access-list 101 extended deny ip any any log
!
access-group 101 in interface INSIDE


The documentation, as well as the Cisco engineer assigned to my ticket, says that all I need to do is apply the access-list to the inside interface and layer 3 traffic should get bridged between the VLANs, but it hasn't worked. If I put both interfaces in the same VLAN, obviously it works fine, but as soon as I assign the interfaces to different VLANs traffic can't pass through. I've tried creating two VLANs with the same security level, with the command to permit same-security-level interfaces to communicate, and traffic still doesn't bridge between VLANs. When I look at the access list the hit count is 0. I've enabled logging at the debug level and nothing shows. This issue appears to be bridging between VLANs. Supposedly, in order to pass layer 3 traffic all I need is an extended access-list, but there's no info showing how the configuration should be. Any help would be appreciated.


ajagadee (Cisco Employee) Thu, 10/09/2008 - 20:12

Brian,


Other than the access-list on the outside interface missing, I don't see anything wrong with the configuration.


Can you configure an access-list on the outside interface that permits the necessary traffic and do the testing?


Regards,

Arul


** Please rate all helpful posts **

bddorsey55 Fri, 10/10/2008 - 05:13

Thanks for the reply. There's no ACL on the outside int because the originating traffic is only going in one direction. The connection will be established from our private network out across a p2p link to a server in Detroit. The only traffic allowed back will be an established connection. By the way, I did put an ACL on the outside int just for the hell of it and it still didn't work. As far as you know, is there anything that would prevent a 5505 from bridging traffic between VLANs?
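As an added example (not from this thread or from Cisco), a small Python check over an ASA-style config like the one posted above, flagging the settings that decide whether a 2008-era ASA bridges two VLANs in transparent mode: the `firewall transparent` command, a global management IP address, exactly two named interfaces, and an inbound ACL on each interface, which is what Arul's reply asks for. The sample config, the 192.0.2.x addresses and the two-interface (pre-bridge-group) assumption are constructed here.

```python
import re
# Constructed sample modelled on the poster's config: the mode command is
# commented out and no management address is set, as in the original post.
SAMPLE_CONFIG = """\
! firewall transparent
interface Vlan100
 nameif INSIDE
 security-level 100
interface Vlan2
 nameif OUTSIDE
 security-level 0
access-list 101 extended permit tcp any host 192.0.2.10 eq 443
access-list 101 extended deny ip any any log
access-group 101 in interface INSIDE
"""

def parse_asa(text):
    """Collect the parts of an ASA config that decide whether VLANs get bridged."""
    cfg = {"transparent": False, "mgmt_ip": None, "nameifs": [], "acls": set(), "groups": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):          # blank or disabled line
            continue
        if line == "firewall transparent":
            cfg["transparent"] = True
        elif not raw.startswith(" ") and line.startswith("ip address "):
            cfg["mgmt_ip"] = line.split()[2]            # global, not per-interface, address
        elif line.startswith("nameif "):
            cfg["nameifs"].append(line.split()[1])
        elif line.startswith("access-list "):
            cfg["acls"].add(line.split()[1])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["groups"].append((m.group(1), m.group(2)))
    return cfg

def check_transparent(text):
    """Return findings explaining why IP traffic may not pass between the two VLANs."""
    cfg, findings = parse_asa(text), []
    if not cfg["transparent"]:
        findings.append("no 'firewall transparent': unit is in routed mode, so the VLANs are not bridged")
    if cfg["mgmt_ip"] is None:
        findings.append("no global 'ip address': transparent mode needs a management IP in the bridged subnet")
    if len(cfg["nameifs"]) != 2:
        findings.append(f"{len(cfg['nameifs'])} named interfaces; this transparent mode bridges exactly two")
    covered = {ifname for _acl, ifname in cfg["groups"]}   # interfaces with an inbound ACL
    for ifname in cfg["nameifs"]:
        if ifname not in covered:
            findings.append(f"interface {ifname} has no inbound ACL; connections it initiates toward a higher security level are dropped")
    return findings
```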
