ASA identity NAT between Vlan's problem

Unanswered Question
Mar 3rd, 2009

I'm having trouble trying to allow specific access, i.e. SMTP and HTTP, from clients in VLAN 1 to servers in VLAN 2.

* Both VLANs access the internet with dynamic NAT.

* Both VLANs currently use the same security level.

* nat-control is enabled with "same-security-traffic permit inter-interface".

I can get both VLANs happily talking to each other if I use static identity NAT or NAT exemption, but I want to be more specific and use static identity policy NAT to only include specific ports (minimum access).

i.e. clients in Vlan1 only able to talk to mail servers in Vlan2

Vlan1 = clients

Vlan2 = SMTP servers

access-list BLAH extended permit tcp host host eq 25

static (vlan1_inside,vlan2_inside) access-list BLAH

access-list BLAH extended permit tcp host host

static (vlan2_inside,vlan1_inside) access-list BLAH

Perhaps I'm going completely down the wrong track here and should just be using any-any identity NAT between the VLANs, with a DMZ and appropriate access-lists instead?

Any advice would be greatly appreciated.

tf2-conky Wed, 03/04/2009 - 12:57

So NAT exemption, and an inbound ACL on the server VLAN to allow specific access?

Does the ACL allow established traffic back in the interface? (Being new to the ASA, I'm really only used to dealing with Linux firewalls and connection tracking.) Or do I need to use a higher security level with a DMZ?

tf2-conky Wed, 03/04/2009 - 13:38

Yes, that much is obvious.

Perhaps I should clarify.

I want vlan1 to be able to talk to vlan2 on only specific ports.

I want vlan2 to be able to talk to vlan1 with no restrictions, hence the question about "established".

Can the ASA do this (like I can with a Linux firewall)?

tf2-conky Wed, 03/04/2009 - 14:43

That's not the question I'm asking here. This is not a Linux firewall replacement. I'm seeking a solution, or advice for the scenario from my previous post.

Unfortunately I was not involved in procuring the ASA. The guy who did is no longer here, and I'm now tasked with deploying this.

Thanks anyway.

jan.nielsen Wed, 03/04/2009 - 15:02

First off, I would separate your NAT setup from your filtering ACLs; these are two different things in an ASA. So set up your static NAT or ACL-based NAT exemption rules on IP only, not TCP/UDP or whatever. Then do only incoming ACLs on both interfaces; the one on VLAN 1 should then allow the specific SMTP services like this, and probably internet as well:

line 1 allow smtp to vlan 2

line 2 deny all other traffic to vlan 2

line 3 permit any other traffic (internet)

access-list acl_vlan1_in extended permit tcp eq smtp

access-list acl_vlan1_in extended deny ip

access-list acl_vlan1_in extended permit ip any any

Then VLAN 2 should be allowed to start any connection it wants towards VLAN 1 and the internet:

access-list acl_vlan2_in extended permit ip any any
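The following Python model is an added illustration for this thread, not configuration from any poster. It reproduces the policy described in the answer above: one inbound ACL per interface, evaluated first-match with an implicit deny at the end, sitting in front of the ASA's connection table. Because the interface ACL is consulted only for the first packet of a connection and reply packets are matched against the connection table, a server-initiated connection from vlan2 gets its return traffic through vlan1's interface even though acl_vlan1_in by itself would deny it; that is the answer to the earlier question about "established". The networks 192.0.2.0/24 (vlan1) and 198.51.100.0/24 (vlan2), the host addresses, the interface names and the interface-to-ACL binding are constructed placeholders standing in for the addresses missing from the original post.

```python
"""Model of the thread's policy: per-interface inbound ACL (first match wins,
implicit deny) plus a stateful connection table for return traffic.

Added illustration, not configuration from any poster. All networks, hosts
and interface names below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

# Constructed access-list lines in the shape of the answer above, with
# placeholder networks filled in for the addresses lost from the post.
ACL_CONFIG = """
access-list acl_vlan1_in extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq smtp
access-list acl_vlan1_in extended deny ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list acl_vlan1_in extended permit ip any any
access-list acl_vlan2_in extended permit ip any any
"""

# Interface -> inbound ACL, i.e. 'access-group <acl> in interface <iface>'.
ACCESS_GROUPS = {"vlan1_inside": "acl_vlan1_in", "vlan2_inside": "acl_vlan2_in"}

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple a reply to this packet would carry."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


def _take_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]


def parse_acls(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines
    into {name: [(action, proto, src_net, dst_net, port_or_None), ...]}."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        name, action, proto = tok[1], tok[3], tok[4]
        src, rest = _take_addr(tok[5:])
        dst, rest = _take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls


def acl_permits(entries, pkt):
    """Stateless ACL check: the first matching entry decides; no match denies."""
    src_ip, dst_ip = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, dst, port in entries:
        if proto not in ("ip", pkt.proto):
            continue
        if src_ip not in src or dst_ip not in dst:
            continue
        if port is not None and port != pkt.dport:
            continue
        return action == "permit"
    return False


class StatefulFirewall:
    """Inbound ACL per interface plus a connection table, as the ASA applies it."""

    def __init__(self, acls, access_groups):
        self.acls = acls
        self.access_groups = access_groups
        self.conns = set()  # 5-tuples of connections the firewall has built

    def inbound(self, iface, pkt):
        # Reply traffic of an existing connection is matched against the
        # connection table and is never checked against the interface ACL.
        if pkt.reverse() in self.conns:
            return True
        if acl_permits(self.acls[self.access_groups[iface]], pkt):
            self.conns.add(pkt)  # first packet permitted: build the connection
            return True
        return False


def demo():
    """Drive the model with the thread's scenario and return the verdicts."""
    fw = StatefulFirewall(parse_acls(ACL_CONFIG), ACCESS_GROUPS)
    client, server, internet = "192.0.2.10", "198.51.100.25", "203.0.113.5"
    smtp = Packet("tcp", client, 40001, server, 25)
    http = Packet("tcp", client, 40002, server, 80)
    web = Packet("tcp", client, 40003, internet, 443)
    rdp = Packet("tcp", server, 50001, client, 3389)  # server-initiated, any port
    return {
        "client->server smtp": fw.inbound("vlan1_inside", smtp),
        "client->server http": fw.inbound("vlan1_inside", http),
        "client->internet https": fw.inbound("vlan1_inside", web),
        "server->client any port": fw.inbound("vlan2_inside", rdp),
        # The client's reply enters vlan1_inside; acl_vlan1_in alone would deny
        # it (second line), but the connection table lets it through.
        "client reply, stateful": fw.inbound("vlan1_inside", rdp.reverse()),
        "client reply, acl only": acl_permits(fw.acls["acl_vlan1_in"], rdp.reverse()),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {'permit' if verdict else 'deny'}")
```

The last two entries of the result are the point of the model: the same reply packet is denied by a stateless reading of acl_vlan1_in and permitted once the connection table is consulted, so the vlan1 ACL needs no "established" entry for connections that vlan2 opens.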
