Configuring Sub interfaces on ASA but Unmanageable Switch Present

Unanswered Question
Sep 22nd, 2010

Hi All,

I am in a kind of dilemma about designing my network for inter-VLAN routing. Here is the scenario:

I have 1 ASA-5510 with 1 outside interface and 2 inside interfaces. Both inside interfaces were working perfectly for internet. Now we have a requirement to configure those 1 interfaces in such a manner that both inside interfaces can communicate with each other.

Also, we need to define 3 more IP networks for our network.

What I did: I disturbed 1 inside interface and created subinterfaces with static IP on it. Now I am not able to get internet connectivity if I change the host IP to a specific range.

We don't have a manageable switch.

Please help.

I am looking for 2 things:

1. Will I be able to get all the subinterfaces communicating with each other, with Internet connectivity?

2. If not, can I create communication between the 2 inside interfaces without creating subinterfaces?

Jennifer Halim Thu, 09/23/2010 - 04:20

The answer to both your questions is YES.

Looking at your current configuration, you are missing the following command for connectivity between all the internal networks:

same-security-traffic permit inter-interface

For connectivity to the internet from all the internal networks, you are missing the following commands:

nat (inside-VL15) 1

nat (inside-VL17) 1

nat (inside-VL18) 1

nat (inside-VL19) 1

Hope that helps.

pushpendrayadav Thu, 09/23/2010 - 11:58


I tried the config but I am not able to get the connection up.

For now we changed the scenario and are using 1 outside interface and 3 inside interfaces.

All these 3 interfaces are communicating with the outside interface.

Please let me know how I should configure these 3 interfaces to communicate with each other.

Diego Armando C... Thu, 09/23/2010 - 13:55

Could you post your current show version?

For the interfaces to communicate with each other, all the interfaces will need the SAME security level, let's say 100, and the command same-security-traffic permit inter-interface.

Jitendriya Athavale Thu, 09/23/2010 - 20:58

Apart from the same-security commands, you need to do U-turning on the router.

Firstly, I assume your requirement is such that you do not want to NAT the hosts when they need to talk internally.

So we need to exempt NAT for the traffic from one side interface to the other, so just add these networks to the NAT exemption access-list you already have.

You can add this traffic to this ACL: access-list inside_nat0_outbound

for example for between vl17 to vl

access-list inside_nat0_outbound extended permit ip

Do the same for the rest of the traffic.

Once you do that you will be able to ping and pass UDP traffic, but you might have problems with TCP; if so, then do TCP state bypass by following the link below.
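
An added example, not written by any poster in this thread: a small Python audit of a pre-8.3 ASA running-config for the two gaps named in the answers above, namely same-security-level interfaces without `same-security-traffic permit inter-interface`, and inside interfaces without a `nat` rule tied to a `global` pool. The sample config, its VLAN ids and its addresses are constructed, and `audit` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample (pre-8.3 syntax). VLAN ids and addresses are assumptions;
# the two omissions mirror the symptoms described in the thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1.15
 vlan 15
 nameif inside-VL15
 security-level 100
interface Ethernet0/1.17
 vlan 17
 nameif inside-VL17
 security-level 100
global (outside) 1 interface
nat (inside-VL15) 1 10.0.15.0 255.255.255.0
"""

def audit(config):
    """Return a list of findings; an empty list means both checks pass."""
    levels, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            name = None                      # new interface block starts
        elif words[:1] == ["nameif"] and len(words) > 1:
            name = words[1]
        elif words[:1] == ["security-level"] and name and len(words) > 1:
            levels[name] = int(words[1])
    global_ids = set(re.findall(r"^global \(\S+\) (\d+)", config, re.M))
    nat_rules = re.findall(r"^nat \((\S+)\) (\d+)", config, re.M)
    permit = re.search(r"^same-security-traffic permit inter-interface\s*$",
                       config, re.M)
    findings, peers = [], defaultdict(list)
    for ifname, level in levels.items():
        peers[level].append(ifname)
    # Check 1: equal security levels need the explicit permit command.
    for level, names in sorted(peers.items()):
        if len(names) > 1 and not permit:
            findings.append(f"level {level}: {', '.join(sorted(names))} cannot reach each other")
    # Check 2: every non-outside interface needs a nat id that has a global pool.
    for ifname in sorted(n for n, lvl in levels.items() if lvl > 0):
        if not any(i == ifname and pid in global_ids for i, pid in nat_rules):
            findings.append(f"{ifname}: no nat rule matching a global pool")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

The script only reads the text of a saved configuration; it does not model ACLs, NAT exemption or the TCP state bypass mentioned in the last reply.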

