Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ASA 5505 Intervlan Communication

Unanswered Question
Jul 14th, 2009
User Badges:


I have ASA5505.& I want interVLAN communication between 5 vlans. I have Security base IOS which is supported up to 20 VLANs.I created 5 different Vlans & assign different security levels, 1st is 100 2nd 90 up to 80 and 0 for outside interface. now I want lower security level LAN can communicate to higher security level. kindly advise me




  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
branfarm1 Tue, 07/14/2009 - 03:55
User Badges:
  • Bronze, 100 points or more

Before the ASA will allow traffic to pass from lower security to higher security interfaces, you will need to configure ACL's on the interfaces specifying what traffic is to be permitted. Depending on your configuration, you will most likely also need to configure NAT rules between the subnets.

Hope that helps!

v.nandurdikar Tue, 07/14/2009 - 04:43
User Badges:


I send you the configuration which I did on ASA,but still I am not getting intervlan communication properly.kindly check out & suggest me correct one



robertson.michael Tue, 07/14/2009 - 05:58
User Badges:
  • Silver, 250 points or more

Hi Vaibhav,

As Nyle alluded to, there are typically 3 things you need to consider when configuring the firewall to allow traffic between 2 interfaces:

1. Permission (i.e. access-list and access-group)

2. Translation (i.e. static or nat/global)

3. Routing (i.e. route)

Based on the configuration you posted, you need to add appropriate translations for your interfaces.

For example, assuming you do not want to NAT addresses between Engineering and Developer:

access-list Engineering_nat0 permit ip

access-list Developer_nat0 permit ip

nat (Engineering) 0 access-list Engineering_nat0

nat (Developer) 0 access-list Developer_nat0

The above config would allow communication between the Engineering and Developer interfaces. You would have to update the above access-lists to include addresses for your other interfaces as well.

Here is the configuration guide for address translation:


Hope that helps.


v.nandurdikar Mon, 07/20/2009 - 01:03
User Badges:

Hi Mike,

Its working fine.now the problem with my VPN. I can establish the tunnel through network but can not establish tunnel through network.I check access rules,VPN configuration.I felt everything is OK with configuration.please find the 'sh run' & sh Debug output for reference


This Discussion