Allowing traffic between VLANs on an ASA 5505

Answered Question
Sep 16th, 2009

I have an ASA 5505 with the Security Plus license. I have three subnets: 10.1.10.0 (inside LAN), 10.2.10.0 (server LAN), and 10.3.10.0 (DMZ). I need to be able to allow traffic between the server LAN and the inside LAN. I cannot even ping between the VLANs (one for each subnet). How can I accomplish this with the ASA?

Collin Clark Wed, 09/16/2009 - 09:49

It depends on your security levels. If you post your config, we can walk you through what you need to do.

communitytech.net Wed, 12/02/2009 - 11:53

interface Vlan1
 description lan
 nameif inside
 security-level 100
 ip address 10.1.10.2 255.255.255.0
!
interface Vlan2
 description internet
 nameif outside
 security-level 0
 ip address ******** 255.255.255.240
!
interface Vlan3
 description demilitarized zone
 nameif dmz
 security-level 50
 ip address 10.3.10.2 255.255.255.0
!
interface Vlan4
 description servers
 nameif mz
 security-level 75
 ip address 10.2.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 216.201.128.10
 name-server 66.196.212.10
 name-server 66.196.216.10
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq ssh
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq www
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq https
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq pop3
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 123
access-list inside_outbound extended permit udp 10.1.10.0 255.255.255.0 any eq ntp
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq imap4
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 993
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 1443
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq pptp
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq aol
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 5150
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 1863
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 3306
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 3307
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 3308
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 3309
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 3389
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 8001
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 8002
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 8003
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 8010
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 8011
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 13306
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq ftp
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq smtp
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 3000
access-list inside_outbound extended permit udp 10.1.10.0 255.255.255.0 any eq 22081
access-list inside_outbound extended permit udp 10.1.10.0 255.255.255.0 any eq netbios-ns
access-list inside_outbound extended permit udp 10.1.10.0 255.255.255.0 any eq netbios-dgm
access-list inside_outbound extended permit udp 10.1.10.0 255.255.255.0 any eq 139
access-list inside_outbound extended permit tcp 10.1.10.0 255.255.255.0 any eq 3609
access-list inside_outbound extended permit icmp any any
access-list inside_outbound extended permit udp any any eq domain
access-list inside_outbound extended permit tcp any any eq domain
access-list mz__inbound extended permit icmp any any
access-list mz__inbound extended permit tcp any any eq ssh
access-list mz__inbound extended permit tcp any any eq www
access-list mz__inbound extended permit tcp any any eq https
access-list mz__inbound extended permit tcp any any eq 3306
access-list mz__inbound extended permit tcp any any eq 3307
access-list mz__inbound extended permit tcp any any eq 3308
access-list mz__inbound extended permit tcp any any eq 3309
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq ssh
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq ldap
access-list mz__outbound extended permit udp 10.2.10.0 255.255.255.0 any eq netbios-ns
access-list mz__outbound extended permit udp 10.2.10.0 255.255.255.0 any eq netbios-dgm
access-list mz__outbound extended permit udp 10.2.10.0 255.255.255.0 any eq 139
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq 137
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq netbios-ssn
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq 445
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq ftp
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq smtp
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq www
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq https
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq 3306
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq 3307
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq 3308
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq 3309
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq 123
access-list mz__outbound extended permit udp 10.2.10.0 255.255.255.0 any eq ntp
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq 1423
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq 1433
access-list mz__outbound extended permit tcp 10.2.10.0 255.255.255.0 any eq 13306
access-list mz__outbound extended permit udp any any eq domain
access-list mz__outbound extended permit tcp any any eq domain
access-list dmz_outbound extended permit tcp 10.3.10.0 255.255.255.0 any eq ssh
access-list dmz_outbound extended permit tcp 10.3.10.0 255.255.255.0 any eq smtp
access-list dmz_outbound extended permit tcp 10.3.10.0 255.255.255.0 any eq www
access-list dmz_outbound extended permit tcp 10.3.10.0 255.255.255.0 any eq https
access-list dmz_outbound extended permit udp any any eq domain
access-list dmz_outbound extended permit tcp any any eq domain
access-list dmz_inbound extended permit tcp any any eq ssh
access-list dmz_inbound extended permit tcp any any eq https
access-list dmz_inbound extended permit tcp any any eq www
access-list dmz_inbound extended permit tcp any any eq 3306
access-list dmz_inbound extended permit tcp any any eq 3307
access-list dmz_inbound extended permit tcp any any eq 3308
access-list dmz_inbound extended permit tcp any any eq 3309
access-list dmz_inbound extended permit tcp any any eq 3609
access-list inside_inbound extended permit tcp any any eq domain
access-list inside_inbound extended permit udp any any eq domain
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu mz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_outbound out interface inside
access-group mz__inbound in interface mz
access-group mz__outbound out interface mz
route outside 0.0.0.0 0.0.0.0 ************* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.1.10.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

Correct Answer
acomiskey Wed, 12/02/2009 - 12:12

This will get you going.

static (inside,mz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
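The following is an added example (not part of acomiskey's reply or of the poster's configuration) that spells out why the one-line identity static is the fix for the posted config and how to confirm it took effect. It reuses the interface names and subnets from the config above; the host addresses 10.1.10.50 and 10.2.10.50 and the object name INSIDE_LAN are made up for the test.

```cisco
! Added example, not from the original thread.
!
! Why inside and mz cannot talk: "nat (inside) 1 0.0.0.0 0.0.0.0" places every
! inside host in NAT group 1, but the posted config only defines
! "global (outside) 1" and "global (dmz) 1". There is no global for mz, so a
! packet from inside to mz matches group 1 and finds no translation; the ASA
! drops it and logs %ASA-3-305005 "No translation group found". Security
! levels (100 vs 75) and the ACLs are not the blocker here.
!
! Fix in the pre-8.3 syntax used in the thread: an identity static so that
! 10.1.10.0/24 appears unchanged on the mz side. Because it is a static, it
! also lets mz hosts initiate to inside, still subject to the mz__inbound ACL
! (which already permits icmp any any) and the inside_outbound ACL.
static (inside,mz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0

! Verify the translation exists between the two interfaces.
show nat
show xlate | include 10.1.10.

! Trace an ICMP echo (type 8, code 0) from a made-up inside host to a made-up
! server-LAN host; the NAT phase should now list the identity static and the
! final "Action:" line should read allow instead of drop.
packet-tracer input inside icmp 10.1.10.50 8 0 10.2.10.50

! Reverse direction (low to high): this one needs the permit in mz__inbound
! as well as the translation.
packet-tracer input mz icmp 10.2.10.50 8 0 10.1.10.50

! If the unit is later upgraded to ASA 8.3 or newer, "static" no longer
! exists; the same identity translation is written with a network object
! (INSIDE_LAN is an assumed name):
!   object network INSIDE_LAN
!    subnet 10.1.10.0 255.255.255.0
!   nat (inside,mz) source static INSIDE_LAN INSIDE_LAN
```

The alternative of adding `global (mz) 1 interface` would also stop the drops, but it would PAT inside hosts to the mz interface address, which hides the real client IPs from the servers' logs; the identity static keeps the inside addresses visible, which is usually what you want on an internal server LAN.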
