ASA 5505 Intervlan Communication

Unanswered Question
Jul 14th, 2009

Hi,

I have an ASA5505 and I want inter-VLAN communication between 5 VLANs. I have the Security base IOS, which supports up to 20 VLANs. I created 5 different VLANs and assigned different security levels: the 1st is 100, the 2nd 90, down to 80, and 0 for the outside interface. Now I want a lower security level LAN to be able to communicate with a higher security level one. Kindly advise me.


thanks

vaibhav

9960339527

branfarm1 Tue, 07/14/2009 - 03:55

Before the ASA will allow traffic to pass from lower security to higher security interfaces, you will need to configure ACL's on the interfaces specifying what traffic is to be permitted. Depending on your configuration, you will most likely also need to configure NAT rules between the subnets.


Hope that helps!

v.nandurdikar Tue, 07/14/2009 - 04:43

Hi

I am sending you the configuration I did on the ASA, but I am still not getting inter-VLAN communication properly. Kindly check it out and suggest the correct one.


thanks

Vaibhav



robertson.michael Tue, 07/14/2009 - 05:58

Hi Vaibhav,


As Nyle alluded to, there are typically 3 things you need to consider when configuring the firewall to allow traffic between 2 interfaces:


1. Permission (i.e. access-list and access-group)

2. Translation (i.e. static or nat/global)

3. Routing (i.e. route)


Based on the configuration you posted, you need to add appropriate translations for your interfaces.


For example, assuming you do not want to NAT addresses between Engineering and Developer:


access-list Engineering_nat0 permit ip 192.168.50.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list Developer_nat0 permit ip 192.168.42.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (Engineering) 0 access-list Engineering_nat0
nat (Developer) 0 access-list Developer_nat0


The above config would allow communication between the Engineering and Developer interfaces. You would have to update the above access-lists to include addresses for your other interfaces as well.


Here is the configuration guide for address translation:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html


Hope that helps.


-Mike
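The following is an added example, not configuration posted by anyone in this thread, that puts Mike's three elements (permission, translation, routing) together for the case the original question asks about: letting a lower-security interface reach a higher-security one. It assumes an ASA 5505 running pre-8.3 software (the nat 0 / access-list exemption syntax used above), assumes Developer is the lower-security interface (level 80) and Engineering the higher one (level 90), and assumes the VLAN numbers, interface addresses and the server 192.168.50.10; the two subnets are the ones from Mike's reply. The ACL permits only the specific services needed rather than all IP traffic, which is the least-privilege form a firewall administrator would normally want.

```cisco
! Added example (assumed ASA 5505, pre-8.3 NAT syntax); interface names, VLAN ids,
! addresses and the server host below are assumptions, not values from the thread.
interface Vlan50
 nameif Engineering
 security-level 90
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan42
 nameif Developer
 security-level 80
 ip address 192.168.42.1 255.255.255.0
!
! 1. Permission: Developer (80) -> Engineering (90) is denied by default.
!    Permit only SSH and HTTPS to one server, plus ICMP echo for troubleshooting.
access-list Developer_in extended permit tcp 192.168.42.0 255.255.255.0 host 192.168.50.10 eq 22
access-list Developer_in extended permit tcp 192.168.42.0 255.255.255.0 host 192.168.50.10 eq 443
access-list Developer_in extended permit icmp 192.168.42.0 255.255.255.0 192.168.50.0 255.255.255.0 echo
! Binding an ACL replaces the implicit "permit to lower security" rule, so block the
! rest of the Engineering subnet explicitly and then re-allow everything else (e.g. outside).
access-list Developer_in extended deny ip 192.168.42.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Developer_in extended permit ip 192.168.42.0 255.255.255.0 any
access-group Developer_in in interface Developer
!
! 2. Translation: exempt traffic between the two subnets from NAT so real addresses are used.
access-list Engineering_nat0 extended permit ip 192.168.50.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list Developer_nat0 extended permit ip 192.168.42.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (Engineering) 0 access-list Engineering_nat0
nat (Developer) 0 access-list Developer_nat0
!
! 3. Routing: both subnets are directly connected, so no static route is required.
!    Verify the path end to end (assumed client 192.168.42.20):
!    show route
!    packet-tracer input Developer tcp 192.168.42.20 1025 192.168.50.10 22
```

The `packet-tracer` check is the quickest way to see which of the three elements is missing: its output names the phase (ACCESS-LIST, NAT, ROUTE-LOOKUP) at which a simulated packet is dropped. If ICMP replies from Engineering do not come back, add `inspect icmp` to the global policy-map so echo replies are matched to their requests rather than needing a second ACL on the Engineering interface.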

v.nandurdikar Mon, 07/20/2009 - 01:03

Hi Mike,


It's working fine. Now the problem is with my VPN. I can establish the tunnel through the 192.168.2.0 network but cannot establish a tunnel through the 192.168.50.0 network. I checked the access rules and VPN configuration. I feel everything is OK with the configuration. Please find the 'sh run' and 'sh debug' output for reference.


