ASA 5505 - how to allow traffic between VLANs

ph0enix
Level 1

I have an ASA 5505 with two internal VLANs - let's say 192.168.0.0/24 & 192.168.1.0/24 - and an outside interface which is the internet gateway for both of the internal subnets. I can get on the net from each internal net, but I can't figure out how to make them talk to each other. They're both configured with security level 100 and I want to enable all IP traffic between them. Any idea how to make this work?

Thank you!

J.

1 Accepted Solution

Accepted Solutions

Hi J,

Because you have the 'nat-control' command enabled and you have dynamic PAT on your inside and inside1 interfaces, there also needs to be a NAT rule for the traffic between the inside and inside1 interfaces. Assuming you don't want to NAT the traffic between these two interfaces, I would recommend trying something like this:

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside1_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside1) 0 access-list inside1_nat0_outbound

This will set up NAT 0 (NAT exemption) and allow traffic to flow in both directions. If you want to do dynamic PAT instead, just adjust your config accordingly; the point is you need to have NAT rules that match the traffic between these interfaces because of the 'nat-control' command and your existing dynamic PAT configuration.

From the documentation:

"Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface with NAT control enabled, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule."

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/no_72.html#wp1653062

Hope that helps.

-Mike

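As an added illustration (not code from this thread or from Cisco): a small Python model of the NAT-control rule quoted in the accepted answer, run over constructed config fragments, showing why the inside-to-inside1 flow is dropped before the NAT 0 exemption is added and passes afterwards. It assumes 'same-security-traffic permit inter-interface', the access-lists and the routes from the earlier reply are already in place, and models only the classic (pre-8.3) nat/global/nat 0 semantics.

```python
import ipaddress
# Constructed ASA 8.2-style fragments (the poster's config is not on the page): BEFORE has
# nat-control and dynamic PAT on both inside VLAN interfaces, AFTER adds the NAT 0 exemptions.
BEFORE = """\
nat-control
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside1) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
"""
AFTER = BEFORE + """\
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside1_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside1) 0 access-list inside1_nat0_outbound
"""

def _net(tok):  # consume "any" or "addr mask" from a token list; return (network, remaining tokens)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse(cfg):
    # Collect nat-control, nat/global statements and the ACLs that nat 0 refers to.
    c = {"nat_control": False, "nat": [], "global": set(), "acl": {}}
    for t in filter(None, map(str.split, cfg.splitlines())):
        if t[0] == "nat-control":
            c["nat_control"] = True
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _net(t[5:])
            c["acl"].setdefault(t[1], []).append((src, _net(rest)[0]))
        elif t[0] == "nat" and t[3] == "access-list":       # nat (if) 0 access-list NAME
            c["nat"].append((t[1].strip("()"), 0, t[4]))
        elif t[0] == "nat":                                 # nat (if) ID addr mask
            c["nat"].append((t[1].strip("()"), int(t[2]), ipaddress.ip_network(f"{t[3]}/{t[4]}")))
        elif t[0] == "global":                              # global (if) ID ...
            c["global"].add((t[1].strip("()"), int(t[2])))
    return c

def check_flow(cfg, ingress, egress, src, dst):
    # (allowed, reason) for src->dst from ingress to egress under the quoted NAT-control rule.
    c, src, dst = parse(cfg), ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = sorted((r for r in c["nat"] if r[0] == ingress), key=lambda r: r[1] != 0)  # nat 0 first
    if not (c["nat_control"] and any(n > 0 for _, n, _ in rules)):
        return True, "no dynamic NAT on ingress or nat-control off: no NAT match required"
    for i, n, arg in rules:
        if n == 0 and any(src in s and dst in d for s, d in c["acl"].get(arg, [])):
            return True, f"exempt by nat ({i}) 0 access-list {arg}"
        if n > 0 and src in arg and (egress, n) in c["global"]:
            return True, f"dynamic NAT/PAT id {n} via global ({egress})"
    return False, "nat-control: no NAT rule matches, flow would be dropped"
```

Traffic to the outside keeps matching the dynamic PAT rule in both configs, so the exemption does not disturb internet access.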

4 Replies

J,

There are typically 3 things you need to consider when configuring the firewall to allow traffic between 2 interfaces:

1. Permission (i.e. access-list and access-group)

2. Translation (i.e. static or nat/global)

3. Routing (i.e. route)

In addition, when your interfaces have the same security level (100 in your case), you need to include the 'same security-traffic permit inter-interface' command to allow the traffic to pass.

If you post your sanitized config, we can probably point you to the command(s) that you are missing to get this to work.

Hope that helps.

-Mike

Hi Mike,

Thanks for the prompt response. I'm attaching my config.

Thank you!

J.


Worked like a charm! Thanks Mike!

J.
