Vlan to Vlan communication

john.irizarry
Level 1

Hello all,

I have created 3 VLANs on my ASA 5505:

5, 10, 15, and 20

They are on interface 0/4 and trunked to a switch port which is also configured as a trunk. All works great... EXCEPT

I have a printer on VLAN 20 (192.168.20.15) that folks on VLAN 5 and 15 need to print to. I have the VLANs on the same security level and configured same-security-traffic permit.

I am missing something very elementary, I'm sure. Can someone please provide the key to this puzzle?

Thanks!

John

40 Replies

apdatasoft
Level 1

Hi,

Try adding routes to all other interfaces similar to route inside. Check the gateway of the printer if it is still not responding.

Thanks

AP

andrew.prince
Level 10

Your issue appears to be NAT.

Either create a nat 0 for the VLANs or configure a static network NAT.

HTH>

Thanks! I created the following and now my users cannot get to the Internet:

nat (Chappell) 0 access-list Chappell_access_in

nat (Burton) 0 access-list Burton_access_in

I already have the static entries set up as follows for allowing access to the printer:

static (User-Vlan,Burton) 192.168.20.15 192.168.20.15 netmask 255.255.255.255

static (User-Vlan,Chappell) 192.168.20.15 192.168.20.15 netmask 255.255.255.255

My route is:

route inside 192.168.0.0 255.255.0.0 192.168.1.1 1

I'm stuck!

John

That is because you are using the wrong ACL: at the end of the ACLs you are saying ip any any, which means "do not NAT anything" when you use these ACLs with the no-NAT config.

Remove:-

nat (Chappell) 0 access-list Chappell_access_in

nat (Burton) 0 access-list Burton_access_in

Config the below:-

access-list no-vlan-nat permit ip 192.168.5.0 255.255.255.0 host 192.168.20.15

access-list no-vlan-nat permit ip 192.168.15.0 255.255.255.0 host 192.168.20.15

nat (Chappell) 0 access-list no-vlan-nat

nat (Burton) 0 access-list no-vlan-nat

HTH>
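To make the point above concrete, here is a small added Python model (not from the thread, not Cisco code) of how a pre-8.3 ASA evaluates a `nat (iface) 0 access-list` ACL: entries are checked top-down, the first match wins, and an unmatched flow falls to the implicit deny, meaning it is NATed as usual. The ACL lines are constructed from the ones quoted in the thread; the `Chappell_access_in` ACL is assumed to end in `permit ip any any` as the reply describes, and the outside host 203.0.113.10 is a constructed example address.

```python
"""Model of ASA (pre-8.3 syntax) 'nat 0 access-list' matching.

Added illustration, not from the thread or Cisco: first match wins,
implicit deny at the end means the flow is NATed normally.
"""
import ipaddress
from typing import List, Tuple

# Constructed ACLs based on the thread's configuration.
# Assumption: the interface ACL ends with 'permit ip any any'.
INTERFACE_ACL = [
    "access-list Chappell_access_in extended permit ip any any",
]
NO_VLAN_NAT = [
    "access-list no-vlan-nat permit ip 192.168.5.0 255.255.255.0 host 192.168.20.15",
    "access-list no-vlan-nat permit ip 192.168.15.0 255.255.255.0 host 192.168.20.15",
]

PRINTER = "192.168.20.15"
OUTSIDE_HOST = "203.0.113.10"   # constructed Internet destination


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ASA address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address mask" form, e.g. 192.168.5.0 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """Turn ASA 'access-list' lines into (action, src_net, dst_net) entries."""
    aces = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        rest = t[2:]                       # drop 'access-list NAME'
        if rest[0] == "extended":
            rest = rest[1:]
        action = rest[0]                   # rest[1] is the protocol; thread only uses 'ip'
        src, j = _parse_addr(rest, 2)
        dst, _ = _parse_addr(rest, j)
        aces.append((action, src, dst))
    return aces


def nat_exempt(acl, src_ip: str, dst_ip: str) -> bool:
    """True when the flow hits a permit ACE, i.e. it bypasses NAT (nat 0)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return action == "permit"
    return False   # implicit deny: the flow is NATed as usual


def compare_acls(src_ip: str = "192.168.5.10") -> dict:
    """Show which flows each ACL would exempt from NAT for one VLAN 5 host."""
    wrong = parse_acl(INTERFACE_ACL)
    right = parse_acl(NO_VLAN_NAT)
    return {
        "interface_acl_exempts_printer": nat_exempt(wrong, src_ip, PRINTER),
        "interface_acl_exempts_internet": nat_exempt(wrong, src_ip, OUTSIDE_HOST),  # the bug
        "no_vlan_nat_exempts_printer": nat_exempt(right, src_ip, PRINTER),
        "no_vlan_nat_exempts_internet": nat_exempt(right, src_ip, OUTSIDE_HOST),
    }


if __name__ == "__main__":
    for k, v in compare_acls().items():
        print(f"{k}: {v}")
```

With the interface ACL, the Internet-bound flow also matches `permit ip any any`, so it is exempted from NAT and leaves the ASA with a private source address, which is why the users lost Internet access. The dedicated `no-vlan-nat` ACL only exempts traffic to the printer host and lets everything else fall through to the normal NAT rules.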

Thanks! Would that be the same for VPN use? The VPN is 192.168.30.0.

access-list no-vlan-nat permit ip 192.168.30.0 255.255.255.0 host 192.168.20.15

Thank you! I'll try this now.

No. For VPN use you have to do a couple of things... but why would you want remote VPN clients to print to a printer they are remote from?

I asked the same thing. Apparently the broker has an office at home and wants to print contracts on this printer for his staff when he is out of the office. I could use access to the vlan for RDP though.

Then all you need to do is add the remote VPN IP subnet to the interface no-NAT access-list and it will be OK.

Thank you! I'll give it a shot. NAT always messes me up. Need to study it more.

So it would look like this, right?

access-list no-vlan-nat extended permit ip 192.168.30.0 255.255.255.0 host 192.168.20.0

VPN IP is 192.168.30.x

Thanks again for all your assistance.

Yes, and you need to make sure the 192.168.20.0 subnet is in the encryption domain list for the remote VPN user.

That did not work. I cannot access the 20 network. Do I need a nat 0 for VPN as well? That does not sound right. I should be able to access all the VLANs when I VPN in.

OK, let's debug the config. Attach the config with all sensitive info removed.

OK, thanks! Here it is. The config works perfectly with the exception of the VPN. I can VPN in, I can surf the web, so split tunnel is configured correctly, but I cannot access any of the VLANs.
