Use ASA do Inter-vlan routing

Difan Zhao
Level 5

Hey guys,

Excuse me if this is a silly question. I want my ASA 5510 to do inter-VLAN routing (without NAT) on interfaces with different security levels. I think it's not possible, but I still want to confirm it here...

If I assign the VLAN subinterfaces the same security level and configure "same-security-traffic permit inter-interface", the traffic will pass freely between VLANs. The ACL won't even be able to block the traffic and no inspection will be done at all on this traffic. Am I right??

So if I want to control the traffic between VLANs (like inspecting for viruses, spam or intrusions), I have to assign them different security levels and configure NAT/PAT... Am I right???

Welcome any suggestions! Thanks!

Difan

Accepted Solution

Jennifer Halim
Cisco Employee

You definitely can do inter-VLAN routing on the ASA without NAT between interfaces of different security levels.

Example:

Inside - security level 100 - 192.168.1.0/24

DMZ - security level 50 - 192.168.5.0/24

To communicate between Inside and DMZ (and vice versa) without NAT, you need to configure the following to start with (the static NAT is bidirectional, so you only need to configure the 1 line below):

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Then, for traffic initiated from inside towards dmz: because inside has a higher security level, it can pass without an ACL if you don't already have an ACL applied.

For traffic initiated from dmz towards inside: because dmz has a lower security level than inside, you would need to configure an ACL to permit traffic from dmz towards inside, and apply it as the inbound access-list on the dmz interface.

Hope that helps.

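As an added configuration example (not from the original thread or from Cisco documentation), here is a complete ASA configuration that implements what the accepted answer describes, in the pre-8.3 `static` syntax the answer uses. Only the two subnets and the two security levels come from the thread; the physical interface, VLAN IDs, gateway addresses, the inside web server 192.168.1.10 and the ACL name DMZ_IN are assumptions. The point it adds is the shape of the DMZ inbound ACL: permit only the specific flows the DMZ actually needs toward inside and let the implicit deny (made explicit and logged here) drop everything else initiated from the lower-security side.

```text
! Added example, not from the thread. Interface, VLAN IDs, gateway
! addresses, the host 192.168.1.10 and the ACL name DMZ_IN are
! assumptions; the subnets and security levels are from the answer.
!
! Inside VLAN (security level 100)
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! DMZ VLAN (security level 50)
interface Ethernet0/1.50
 vlan 50
 nameif DMZ
 security-level 50
 ip address 192.168.5.1 255.255.255.0
!
! Identity NAT: the inside subnet is "translated" to itself on the
! DMZ side, so the ASA forwards between the two VLANs with real IPs
! in both directions. The static is bidirectional, so one line is
! enough (pre-8.3 syntax, as in the answer).
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! inside -> DMZ (high to low) is allowed by the security-level rule
! because no access-group is applied inbound on the inside interface.
!
! DMZ -> inside (low to high) is denied unless an ACL permits it.
! Permit only HTTP from the DMZ subnet to the one (assumed) inside
! web server; the explicit deny logs everything else the DMZ tries.
access-list DMZ_IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.1.10 eq 80
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface DMZ
```

To check the result without generating traffic, `packet-tracer input DMZ tcp 192.168.5.20 12345 192.168.1.10 80` should show the flow permitted through the ACL and identity-translated, while the same command with a destination port other than 80 should end with a drop at the ACL phase. On ASA 8.3 and later the `static` line is replaced by a network object plus `nat (inside,DMZ) source static INSIDE-NET INSIDE-NET`; the ACL and access-group are unchanged.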

... That's smart... It kind of fools the ASA into doing the "routing"... So technically the NAT still exists, but it just NATs the real IP to the real IP... I like it! Thanks a lot!

Difan
