I'm having trouble allowing specific access (i.e. SMTP, HTTP) from clients in VLAN 1 to servers in VLAN 2.
* Both VLANs access the internet with dynamic NAT.
* Both VLANs currently use the same security level.
* nat-control is enabled, with "same-security-traffic permit inter-interface".
I can get both VLANs happily talking to each other if I use static identity NAT or NAT exemption, but I want to be more specific and use static identity policy NAT to only include specific ports (minimum access).
i.e. clients in VLAN1 only able to talk to mail servers in VLAN2.
Vlan1 = 192.168.1.0/24 (clients)
Vlan2 = 192.168.2.0/24 (SMTP servers)
access-list BLAH extended permit tcp host 192.168.1.1 host 192.168.2.1 eq 25
static (vlan1_inside,vlan2_inside) 192.168.1.1 access-list BLAH
access-list BLAH2 extended permit tcp host 192.168.2.1 host 192.168.1.1
static (vlan2_inside,vlan1_inside) 192.168.2.1 access-list BLAH2
Perhaps I'm going completely down the wrong track here, and should just be using any-any identity NAT between the VLANs, but instead with a DMZ and appropriate access-lists?
Any advice would be greatly appreciated.
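A worked version of the alternative floated in the last paragraph, added here as an example and not the poster's own config: keep NAT out of the policy decision (NAT exemption between the two VLANs, which wins over the dynamic NAT under nat-control) and enforce least privilege with interface ACLs instead. It uses the pre-8.3 syntax the post already uses and the interface names from the post; the ACL names, the single SMTP server at 192.168.2.1 and the 192.168.1.10 test client in the verification command are assumptions.

```cisco
! Added example, not the poster's config. NAT exemption (nat 0 with an access-list)
! keeps real addresses between VLAN1 and VLAN2 and takes precedence over the
! existing dynamic NAT; it is bidirectional, so one line per interface is enough.
! ACL names are assumed; interface names come from the post.
access-list NONAT_VLAN1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (vlan1_inside) 0 access-list NONAT_VLAN1
access-list NONAT_VLAN2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (vlan2_inside) 0 access-list NONAT_VLAN2
!
! Least privilege lives in the interface ACL. Clients may reach the (assumed)
! SMTP server on tcp/25 only; anything else toward VLAN2 is denied and logged
! before the catch-all permit that keeps Internet access working. Once an
! access-group is applied there is an implicit deny at the end, even between
! same-security interfaces, so the final permit is required.
access-list VLAN1_IN extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.1 eq smtp
access-list VLAN1_IN extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 log
access-list VLAN1_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group VLAN1_IN in interface vlan1_inside
!
! Servers never initiate toward the client VLAN. Return packets for the SMTP
! sessions are matched by the existing connection, so no permit is needed here.
access-list VLAN2_IN extended deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 log
access-list VLAN2_IN extended permit ip 192.168.2.0 255.255.255.0 any
access-group VLAN2_IN in interface vlan2_inside
!
! Verification (run from enable mode): the first should end with "Action: allow",
! the second with "Action: drop" at the ACCESS-LIST phase.
! packet-tracer input vlan1_inside tcp 192.168.1.10 1025 192.168.2.1 25
! packet-tracer input vlan1_inside tcp 192.168.1.10 1025 192.168.2.1 80
```

The order of the VLAN1_IN entries matters: the deny for the rest of 192.168.2.0/24 has to sit above the `permit ip ... any` catch-all, or the catch-all will let everything through. `show access-list VLAN1_IN` shows hit counts per entry, which is a quick way to confirm the deny is actually the line catching the blocked traffic. To open HTTP to a web server later, add another `permit tcp` line for that host above the deny rather than widening the NAT.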