New Member

ASA firewalling VLANS on a switch

I have a slightly odd request due to audits. I am being asked to put an ASA firewall between 2 VLANs and the other VLANs on my 4510R+E. I thought I could just disable routing on the 2 VLANs on the switch and forward the traffic to the ASA, allowing it to act as the default router for the 2 VLANs that need to be segregated. My problem is I cannot get traffic to pass through correctly and think NAT is having an issue.

Setup

VLANs         ASA                       Switch

10.1.2.X  <>  10.1.2.1    (port 2)
10.1.0.X  <>  10.1.0.1    (port 1)
              10.1.100.30 (port 3)  <>  10.1.100.20

The ASA can ping the switch and the devices on the 2 VLANs on port 1 and port 2, but traffic will not pass correctly.

ACCEPTED SOLUTION
VIP Purple

That should work as expected. First make sure that you disable NAT for that traffic as it's probably not needed. If your two interfaces have the same security-level, then you need the command "same-security-traffic permit inter-interface".


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
3 REPLIES
New Member

Setting the "permit traffic for same security level" did it. The one thing I overlooked. Thanks!

Hall of Fame Super Silver

If you can share the firewall configuration, we can help better.

At a minimum, please run packet-tracer and let us know the outcome.

That ASA CLI tool (also available in the ASDM GUI) lets you trace a hypothetical flow through the ASA and identify the outcome. For example:

packet-tracer input [nameif assigned to port 2] tcp 10.1.2.20 1025 10.1.200.20 80

In the example I used a hypothetical host at 10.1.2.20 using source port 1025 trying to talk to the switch on port 80. The addresses and ports can be adjusted to suit your environment - just make sure not to use the ASA itself as the source address as that will give invalid results.
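The following is an added example, not configuration posted in this thread, that puts the accepted solution (same-security-traffic plus NAT exemption) and the packet-tracer check from the last reply together in ASA 8.3+ syntax. The addresses are the ones from the setup above; the interface numbers, nameifs, object names and the switch-side static routes in the comments are assumptions.

```cisco
! Added example (ASA 8.3+ syntax). Interface numbers and nameifs are assumed.
interface GigabitEthernet0/0
 nameif vlan0
 security-level 50
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif vlan2
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif core
 security-level 50
 ip address 10.1.100.30 255.255.255.0
!
! All three interfaces sit at the same security level, so traffic between
! them is dropped until this is enabled (the setting the OP had overlooked).
same-security-traffic permit inter-interface
!
! Identity NAT: the two segregated VLANs keep their real addresses toward
! each other and toward the rest of 10.1.0.0/16 behind the switch. This is
! the "disable NAT for that traffic" part; any dynamic NAT rule that catches
! these flows would otherwise translate them and break the switch's routing.
object network VLAN0-NET
 subnet 10.1.0.0 255.255.255.0
object network VLAN2-NET
 subnet 10.1.2.0 255.255.255.0
object network CAMPUS-NET
 subnet 10.1.0.0 255.255.0.0
nat (vlan0,core) source static VLAN0-NET VLAN0-NET destination static CAMPUS-NET CAMPUS-NET no-proxy-arp route-lookup
nat (vlan2,core) source static VLAN2-NET VLAN2-NET destination static CAMPUS-NET CAMPUS-NET no-proxy-arp route-lookup
nat (vlan0,vlan2) source static VLAN0-NET VLAN0-NET destination static VLAN2-NET VLAN2-NET no-proxy-arp route-lookup
!
! Everything not on the two segregated VLANs is reached via the switch.
! The switch in turn needs routes for 10.1.0.0/24 and 10.1.2.0/24 pointing
! at 10.1.100.30 (assumed; the OP said routing for those VLANs is disabled there).
route core 0.0.0.0 0.0.0.0 10.1.100.20 1
!
! Verification, per the last reply: trace a host on VLAN 2 reaching the
! switch on TCP/80. Never use an ASA-owned address as the source here.
packet-tracer input vlan2 tcp 10.1.2.20 1025 10.1.100.20 80
```

If the trace ends with "Action: drop", the phase it stops in (NAT, ACCESS-LIST or the same-security check) shows which of the three settings above is still missing.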
