ASA 5505 Intervlan Communication

Unanswered Question
Jul 14th, 2009

Hi,

I have ASA5505.& I want interVLAN communication between 5 vlans. I have Security base IOS which is supported up to 20 VLANs.I created 5 different Vlans & assign different security levels, 1st is 100 2nd 90 up to 80 and 0 for outside interface. now I want lower security level LAN can communicate to higher security level. kindly advise me

thanks

vaibhav

9960339527

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
branfarm1 Tue, 07/14/2009 - 03:55

Before the ASA will allow traffic to pass from lower security to higher security interfaces, you will need to configure ACL's on the interfaces specifying what traffic is to be permitted. Depending on your configuration, you will most likely also need to configure NAT rules between the subnets.

Hope that helps!

v.nandurdikar Tue, 07/14/2009 - 04:43

Hi

I send you the configuration which I did on ASA,but still I am not getting intervlan communication properly.kindly check out & suggest me correct one

thanks

Vaibhav

Attachment: 
robertson.michael Tue, 07/14/2009 - 05:58

Hi Vaibhav,

As Nyle alluded to, there are typically 3 things you need to consider when configuring the firewall to allow traffic between 2 interfaces:

1. Permission (i.e. access-list and access-group)

2. Translation (i.e. static or nat/global)

3. Routing (i.e. route)

Based on the configuration you posted, you need to add appropriate translations for your interfaces.

For example, assuming you do not want to NAT addresses between Engineering and Developer:

access-list Engineering_nat0 permit ip 192.168.50.0 255.255.255.0 192.168.42.1 255.255.255.0

access-list Developer_nat0 permit ip 192.168.42.1 255.255.255.0 192.168.50.0 255.255.255.0

nat (Engineering) 0 access-list Engineering_nat0

nat (Developer) 0 access-list Developer_nat0

The above config would allow communication between the Engineering and Developer interfaces. You would have to update the above access-lists to include addresses for your other interfaces as well.

Here is the configuration guide for address translation:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html

Hope that helps.

-Mike

v.nandurdikar Mon, 07/20/2009 - 01:03

Hi Mike,

Its working fine.now the problem with my VPN. I can establish the tunnel through 192.168.2.0 network but can not establish tunnel through 192.168.50.0 network.I check access rules,VPN configuration.I felt everything is OK with configuration.please find the 'sh run' & sh Debug output for reference

Actions

This Discussion