04-25-2009 03:36 AM - edited 03-11-2019 08:23 AM
Hi,
I have an ASA5510 whose INSIDE interface is connected to a Cisco Catalyst 2960G switch (L2). I have 3 VLANs configured on the Cisco 2960G, and a trunk port is connected to the ASA5510 inside interface. That inside interface is configured as a trunk, which is automatic (802.1q enabled). In this case, is it possible to have inter-VLAN communication between these 3 VLANs? If so, how do I do it, or is there a requirement for an L3 switch or router to have this inter-VLAN communication?
Please clarify my doubts.
Regards,
Newzion123.
04-25-2009 06:57 AM
Newzion123
Yes, the ASA will allow the inter-VLAN communication, so you don't need an additional L3 switch/router.
First for configuring subinterfaces -
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006
then you can either
1) give each subinterface a different security level and set up NAT and access-lists as you would with normal physical interfaces
or
2) give the subinterfaces the same security level and then add this to your config -
ASA(config)# same-security-traffic permit inter-interface
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intparam.html#wp1039276
Jon
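A worked configuration for the two options Jon describes, as an added example that is not part of the original thread (the interface names, VLAN IDs, addresses, ACL names and the switch port are assumed for illustration; the syntax is the ASA 7.2-era CLI that the linked guides cover). Option 2 is shown between the two VLANs that share security-level 100, option 1 between a lower-security VLAN and the rest, and the switch side of the trunk is included so the whole path is visible:

```cisco
! --- ASA5510, ASA 7.2-era syntax (assumed interface/VLAN/address values) ---
! Physical inside interface: carries the 802.1q trunk. Leave it unnamed so
! untagged (native VLAN) frames from the switch are not terminated on the ASA.
interface Ethernet0/1
 description 802.1q trunk to Cat2960G Gi0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/1.10
 vlan 10
 nameif servers
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif users
 security-level 100
 ip address 10.0.20.1 255.255.255.0
!
interface Ethernet0/1.30
 vlan 30
 nameif guests
 security-level 50
 ip address 10.0.30.1 255.255.255.0
!
! Option 2: servers and users share security-level 100. Without this line
! the ASA drops traffic between interfaces of equal security level.
same-security-traffic permit inter-interface
!
! Option 1: guests (50) -> servers (100) is low-to-high, so it is denied
! unless an inbound ACL on guests permits it. Allow only DNS and web, log the rest.
access-list guests_in extended permit udp 10.0.30.0 255.255.255.0 10.0.10.0 255.255.255.0 eq domain
access-list guests_in extended permit tcp 10.0.30.0 255.255.255.0 10.0.10.0 255.255.255.0 eq www
access-list guests_in extended permit tcp 10.0.30.0 255.255.255.0 10.0.10.0 255.255.255.0 eq https
access-list guests_in extended deny ip any any log
access-group guests_in in interface guests
!
! Same-security does not mean unrestricted: an inbound ACL on users still
! applies. Order matters; the specific deny must precede the general permit.
access-list users_in extended permit tcp 10.0.20.0 255.255.255.0 10.0.10.0 255.255.255.0 eq 445
access-list users_in extended permit tcp 10.0.20.0 255.255.255.0 10.0.10.0 255.255.255.0 eq https
access-list users_in extended deny ip 10.0.20.0 255.255.255.0 10.0.10.0 255.255.255.0 log
access-list users_in extended permit ip 10.0.20.0 255.255.255.0 any
access-group users_in in interface users
!
! A fresh 7.x install defaults to "no nat-control", so no NAT statements are
! needed for inter-VLAN traffic. If nat-control is enabled, add identity NAT
! (e.g. "nat (users) 0 access-list <acl>") before traffic will pass.
!
! --- Cat2960G, port facing the ASA (IOS, assumed port) ---
interface GigabitEthernet0/1
 description trunk to ASA5510 Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! Verification on the ASA:
!   show interface ip brief
!   show running-config | include same-security
!   packet-tracer input users icmp 10.0.20.50 8 0 10.0.10.10
! Test host-to-host (a PC in VLAN 20 to a PC in VLAN 10). A ping from VLAN 20
! to the ASA's other subinterface address (10.0.10.1) fails by design: the ASA
! only answers for the address of the interface the packet arrives on.
```

Option 2 on its own makes every same-security VLAN fully reachable from every other; if the VLANs exist to contain something, keep an inbound ACL on each subinterface as above rather than relying on security levels alone. The ASA does not negotiate trunking, so `switchport nonegotiate` on the switch side simply disables DTP on a port where it can never succeed.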
04-26-2009 04:44 AM
Hi Jon,
Thanks a lot for extending your support. I will try doing the same and let you know.
Regards,
newzion.
04-25-2009 11:45 PM
On the ASA5510 inside interface, you need to create subinterfaces (VLANs) and name them (nameif) appropriately. You may assign the same security-level to all the subinterfaces; if you do, you will need to configure the command "same-security-traffic permit inter-interface" in global configuration. I hope this helps.
04-26-2009 04:48 AM
Hi,
Thanks, I will try this.
Regards,
Newzion123
04-26-2009 11:13 PM
Inter-VLAN routing in PIX/ASA is not working as it is intended to... I believe PIX/ASA has an L3 engine which takes care of this routing stuff (as otherwise, it would not have support for RIP and OSPF in v7.2)... but for some reason, I am not able to get the box to do it... any help from the experts would be greatly appreciated...
I have the following topology:

FW1(PIX)-----FW2(PIX)
    |            |
    |            |
CoreSw1------CoreSw2
     \          /
      \        /
      AccessSwitch
        /      \
       /        \
     PC1        PC2
The relevant configuration from my PIX is below... PIX1 and PIX2 are in failover cluster mode... no question of NAT, as I have disabled it using the global configuration command "no nat-control".
interface e1
 nameif TRUNK
 security-level 100
 no ip address
interface e1.10
 vlan 10
 nameif RMS-SD
 security-level 100
 ip address 10.116.205.130 255.255.255.128
interface e1.80
 vlan 80
 nameif RMS-DS
 security-level 100
 ip address 10.116.217.1 255.255.255.0
access-list inbound_in extended permit ip any any
access-list outbound_out extended permit ip any any
access-group inbound_in in interface RMS-SD
access-group inbound_in in interface RMS-DS
access-group outbound_out out interface RMS-SD
access-group outbound_out out interface RMS-DS
access-group inbound_in in interface TRUNK
access-group outbound_out out interface TRUNK
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
PC1 Gateway (PIX) : 10.116.205.130
PC1 interface IP : 10.116.205.132
PC2 Gateway (PIX) : 10.116.217.1
PC2 interface IP : 10.116.217.3
I am able to ping the gateway (PIX) of PC1 from PC1 and the gateway (PIX) of PC2 from PC2, but I am not able to reach/ping PC2 from PC1 or vice versa.
04-27-2009 12:48 AM
I was wrong... it was indeed working. I was attempting to ping the gateway IP of PC1 from PC2 and vice versa, which is NOT working, though...
But my attempt to ping PC1 from PC2 and vice versa was successful...
Thanks to all the experts for their suggestions!