02-23-2009 06:46 AM - edited 03-11-2019 07:55 AM
OK here is my situation...
I have two VLANs that are on my ASA. However, one VLAN is a tenant of ours, and the other is mine.
I want my tenant to be able to access my network, but ONLY from webvpn connection. However, here is the catch. It uses the same interface as I do. (I just made subinterfaces for both of us.)
I have their traffic pointing to the ISP, with the ISP DNS as well. (Basically they can get to the Internet and that's it!)
When I try to get to our secure site from their VLAN it will not hit the site.
What can I do? HELP!!!!!!
02-23-2009 07:22 AM
Post your config for review - remove sensitive information.
02-23-2009 09:02 AM
I want information on interface GigabitEthernet0/1.54 to be able to talk to interface GigabitEthernet0/1.17.
I know they are on different subnet masks, but I want to be able to leave the .54 subinterface and come back in on the .17 interface (through webvpn). It will not hit the site 216.12.5.2 (which is the same interface it left to go to the outside world).
BUT I want to be able to do it leaving on the 216.12.5.2 and coming back in on the 216.12.5.2 (same interface) (basically going out to the internet and coming back in). Here is my config...
It's attached.
02-23-2009 09:16 AM
Sorry, that is confusing - just so I am clear, you want traffic from "inside_vlan54" to be able to go to "inside_vlan17" but look like it came from the "outside" interface?
02-23-2009 09:19 AM
Yes! However, it will have to go out to the internet, then come back in.
But it is on the same IP address. Make sense?
02-23-2009 11:55 AM
It makes sense - but it cannot be done the way you want!
02-23-2009 12:20 PM
Thank you. :)
Since they are using the same interface and same IP, I didn't think so.
NOTE TO SELF:
Subinterfaces that share the same IP address will not communicate with each other if they go out to the Internet Cloud!!!!!
Thank you!!!!
02-23-2009 01:17 PM
np - glad to help.
Can you tell me why you need to do it this way, as there might be another way of doing it?
02-23-2009 01:40 PM
Sure,
I was trying to avoid using our remaining OUTSIDE IP addresses that our ISP gave us and I didn't want to use the last interface on the ASA.
There are two options to beat this:
1. Buy a PIX firewall so you would have a separate interface.
2. Use another outside IP address different from the one you're on; that way you're leaving an interface and coming back in on a separate interface.
Agree?
02-23-2009 11:26 PM
Mmmmm - can you draw a diagram of what you think the traffic flow would be for your solution?