04-09-2010 02:48 PM - edited 03-11-2019 10:31 AM
Hey guys,
Excuse me if these are silly questions. I want my ASA 5510 to do inter-VLAN routing (without NAT) on interfaces with different security levels. I think it's not possible but I still want to confirm it here...
If I assign the VLAN subinterfaces the same security level and configure "same-security-traffic permit inter-interface", the traffic will pass freely between VLANs. The ACL won't even be able to block the traffic and no inspection will be done at all on this traffic. Am I right??
So if I want to control the traffic between VLANs (like inspecting for viruses, spam or intrusions), I have to assign them different security levels and configure NAT/PAT... Am I right???
Welcome any suggestions! Thanks!
Difan
04-09-2010 03:05 PM
You definitely can do inter-VLAN routing on the ASA without NAT between interfaces of different security levels.
Example:
Inside - security level 100 - 192.168.1.0/24
DMZ - security level 50 - 192.168.5.0/24
To communicate between Inside and DMZ and vice versa without NAT, you need to configure the following to start with (the static NAT is bidirectional, so you only need to configure the 1 line below):
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Then traffic initiated from inside towards DMZ can pass without an ACL (if you don't already have an ACL applied), because inside has the higher security level.
Traffic initiated from DMZ towards inside needs an ACL that permits the traffic from DMZ towards inside, because DMZ has a lower security level than inside, and you apply that access-list inbound on the DMZ interface.
Hope that helps.
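The setup from the reply above written out as one complete pre-8.3 ASA configuration fragment (an added example, not from the original post). The subinterface numbers, VLAN IDs, the inside host 192.168.1.10 and the SMTP port in the DMZ-to-inside rule are constructed for illustration.

```cisco
! VLAN subinterfaces on the ASA 5510 (constructed interface/VLAN numbers)
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.50
 vlan 50
 nameif DMZ
 security-level 50
 ip address 192.168.5.1 255.255.255.0
!
! Identity (real-to-real) static NAT: inside hosts keep 192.168.1.x when
! talking to the DMZ, so the ASA routes without translating. Bidirectional,
! so one line covers both directions.
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! DMZ -> inside is lower -> higher security, so nothing passes unless an
! inbound ACL on DMZ permits it. Allow only the DMZ network to reach the
! (constructed) inside mail host on SMTP; log everything else that is denied.
access-list DMZ_IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.1.10 eq smtp
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface DMZ
!
! inside -> DMZ is higher -> lower security and passes without an ACL unless
! one is applied inbound on inside; "show access-list DMZ_IN" and
! "show xlate" confirm the hit counts and the identity translation.
```

Because the ACL is evaluated on every DMZ-initiated connection, the "deny ... log" entry is what gives you visibility into blocked east-west attempts between the two VLANs.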
04-12-2010 10:51 AM
... That's smart... It's kind of fooling the ASA into doing the "routing"... So technically the NAT still exists, but it just NATs the real IP to the real IP... I like it! Thanks a lot!
Difan