ASA 5505 VLAN Restriction

Unanswered Question
Mar 29th, 2009

Hi


I have Problem with an ASA 5505 (Base License).

I have 3 VLANs (vlan1, vlan2, vlan3). I restricted the communication between vlan 1 and vlan 3 because of the licence.


interface Vlan1

no forward interface vlan 3


Communication to and from vlan2 works from both VLANs, but if I want to initiate a connection from vlan3 into vlan 1 it doesn't work (access list is OK).

I get the message that the connection was denied.


Is it possible to initiate a connection from vlan3 to vlan1?

I think the only restriction because of the licence is on initiating a connection from vlan1 into vlan3, not from vlan3 into vlan1.


Is there something special to do?

Thanks.


Best regards

Michael


mrichter0474 Mon, 03/30/2009 - 04:13

Hi


Sorry, I forgot to post the error message.


I get the following message:


Mar 30 2009 12:15:46: %ASA-2-106001: Inbound TCP connection denied from 10.123.123.43/1028 to 192.168.4.234/80 flags SYN on interface inside2
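The %ASA-2-106001 line above is the only diagnostic in the thread, so here is an added example (not code from the original poster or from Cisco) that parses that syslog format and sorts each denial by the security-level relationship between the ingress interface and the interface that owns the destination subnet. The subnet-to-interface mapping and the extra log lines are constructed for the example; the interface names and security levels are the ones stated in the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Documented layout of the Cisco ASA message:
#   %ASA-2-106001: Inbound TCP connection denied from IP/port to IP/port
#                  flags FLAGS on interface NAME
ASA_106001 = re.compile(
    r"%ASA-\d-106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)

# Assumption: which subnet sits behind which nameif. The thread shows only the
# two addresses in the log line, so these prefixes are constructed.
SUBNETS = {
    "inside": ip_network("192.168.4.0/24"),
    "inside2": ip_network("10.123.123.0/24"),
}

# Security levels as posted later in the thread.
SECURITY_LEVELS = {"outside": 0, "inside": 100, "inside2": 100}


def parse_106001(line):
    """Return a dict of the message fields, or None if the line is not 106001."""
    m = ASA_106001.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def interface_for(addr):
    """Map a destination address to the interface owning its subnet (assumed table)."""
    a = ip_address(addr)
    for name, net in SUBNETS.items():
        if a in net:
            return name
    return None


def classify(rec):
    """Explain why the ASA could have denied this flow based on security levels.

    Default ASA behaviour: higher-to-lower is allowed, lower-to-higher needs an
    ACL, and equal levels are dropped unless
    'same-security-traffic permit inter-interface' is configured.
    """
    src_if = rec["iface"]                   # 106001 reports the ingress interface
    dst_if = interface_for(rec["dst"])
    if dst_if is None or src_if not in SECURITY_LEVELS:
        return "unknown-interface"
    s, d = SECURITY_LEVELS[src_if], SECURITY_LEVELS[dst_if]
    if s == d:
        return "same-security"
    if s < d:
        return "lower-to-higher"
    return "higher-to-lower"


def summarize(lines):
    """Parse a batch of syslog lines and return (src_iface, dst_iface, reason) per denial."""
    out = []
    for line in lines:
        rec = parse_106001(line)
        if rec:
            out.append((rec["iface"], interface_for(rec["dst"]), classify(rec)))
    return out


# Constructed sample: the thread's own line plus one from the outside interface.
SAMPLE_LOG = [
    "Mar 30 2009 12:15:46: %ASA-2-106001: Inbound TCP connection denied from "
    "10.123.123.43/1028 to 192.168.4.234/80 flags SYN on interface inside2",
    "Mar 30 2009 12:16:02: %ASA-2-106001: Inbound TCP connection denied from "
    "203.0.113.5/40000 to 192.168.4.234/80 flags SYN on interface outside",
    "Mar 30 2009 12:16:05: %ASA-6-302013: Built inbound TCP connection 42",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A "same-security" result for a flow between two level-100 interfaces is the case vikram_anumukonda asks about further down: the ACL never gets a chance to permit the packet if inter-interface same-security traffic is not enabled.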




vikram_anumukonda Mon, 03/30/2009 - 04:46

What are the security levels on the three interfaces? The log message doesn't say much.


"Explanation This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by the security policy that is defined for the specified traffic type"

mrichter0474 Mon, 03/30/2009 - 07:54

Hi


The security levels are:


outside = 0

inside = 100

inside2 = 100




vikram_anumukonda Mon, 03/30/2009 - 07:57

Do you have "same-security-traffic permit inter-interface" configured? If not, configure it and check the connectivity.
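To put the original poster's licence restriction and this suggested fix side by side, here is an added configuration example (not the poster's running config and not a Cisco document). Interface names, the "no forward interface" placement and the security levels come from the thread; the IP addressing is assumed and the physical switchport assignments are omitted.

```text
! Added example. Addresses are assumed; names and security levels are from the thread.
interface Vlan1
 ! Base license on the 5505: a third VLAN is allowed only if it cannot initiate
 ! traffic toward one other VLAN. Here Vlan1 may not initiate toward Vlan3.
 ! Enter this before nameif on the interface.
 no forward interface Vlan3
 nameif inside
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Vlan3
 nameif inside2
 security-level 100
 ip address 10.123.123.1 255.255.255.0
!
! inside and inside2 share security-level 100. Without the line below the ASA
! drops traffic between two same-security interfaces before any ACL is
! evaluated, which is one way to get a %ASA-2-106001 denial on inside2.
same-security-traffic permit inter-interface
```

Note that "no forward interface" only blocks the interface it is configured on from initiating connections toward the named VLAN; it does not by itself block the reverse direction, so a denial in the reverse direction points at security-level handling or the ACL rather than at the licence restriction.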



kwillacey Wed, 06/24/2009 - 15:21

If the ASA has a site to site VPN will vlan 3 be able to initiate a connection across the VPN?
