Cisco Support Community

New Member

Use ASA do Inter-vlan routing

Hey guys,

Excuse me if this is a silly question. I want my ASA 5510 to do inter-VLAN routing (without NAT) on interfaces with different security levels. I think it's not possible, but I still want to confirm it here...

If I assign the VLAN subinterfaces the same security level and configure "same-security-traffic permit inter-interface", the traffic will pass freely between VLANs. The ACL won't even be able to block the traffic, and no inspection will be done at all on this traffic. Am I right?

So if I want to control the traffic between VLANs (like inspecting for viruses, spam or intrusions), I have to assign them different security levels and configure NAT/PAT... Am I right?

Welcome any suggestions! Thanks!

Difan

ACCEPTED SOLUTION
Cisco Employee

Re: Use ASA do Inter-vlan routing

You definitely can do inter vlan routing on ASA without NAT between interfaces of different security levels.

Example:

Inside - security level 100 - 192.168.1.0/24

DMZ - security level 50 - 192.168.5.0/24

For Inside and DMZ to communicate with each other without NAT, you need to configure the following to start with (the static NAT is bidirectional, so you only need to configure the 1 line below):

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Then traffic initiated from inside towards DMZ, because inside has the higher security level, can pass without an ACL if you don't already have an ACL applied.

Traffic initiated from DMZ towards inside, because DMZ has a lower security level than inside, needs an ACL configured to permit traffic from DMZ towards inside, applied inbound on the DMZ interface.

Hope that helps.

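A complete configuration for the setup the accepted answer describes, added here as an example and not part of the original thread. It uses the pre-8.3 NAT syntax from the answer. The trunk interface, VLAN IDs, gateway addresses, the DMZ-to-inside services that are permitted and the host addresses are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread: ASA 5510 inter-VLAN routing
! between two security levels using identity static NAT (pre-8.3 syntax).
! Ethernet0/1, VLANs 10/50, the .1 gateways, hosts .10/.20 and the
! permitted services are assumptions for illustration.

! 802.1Q trunk on the physical port, one subinterface per VLAN
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.50
 vlan 50
 nameif DMZ
 security-level 50
 ip address 192.168.5.1 255.255.255.0
!
! Identity (real-to-real) static, as in the accepted answer. A static is
! bidirectional, so this single line covers inside->DMZ and DMZ->inside
! without translating any address.
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! DMZ (50) -> inside (100) is denied by default. Permit only what is needed:
! the DMZ web tier to one database host on TCP/1433 and to the inside DNS
! server on UDP/53 (assumed hosts and services), and log everything else.
access-list DMZ_IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.1.20 eq 1433
access-list DMZ_IN extended permit udp 192.168.5.0 255.255.255.0 host 192.168.1.10 eq domain
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface DMZ
!
! inside (100) -> DMZ (50) passes without an ACL because of the higher
! security level; the default inspection policy still applies to it.
```

To verify, `show access-list DMZ_IN` shows per-line hit counts, `show xlate` confirms that the translation is real-to-real, and `packet-tracer input DMZ tcp 192.168.5.10 12345 192.168.1.20 1433` walks a simulated packet through the route lookup, the ACL and the static and reports the phase that drops it if something is wrong. On ASA 8.3 and later the `static` line is written as object NAT instead (`object network INSIDE_NET`, `subnet 192.168.1.0 255.255.255.0`, `nat (inside,DMZ) static INSIDE_NET`), and NAT is no longer required merely to pass traffic between interfaces. One caveat on the question's premise: an access-list applied to an interface, and the inspection policy, still apply to traffic between same-security interfaces allowed by `same-security-traffic permit inter-interface`; that command only changes the default permit/deny, so different security levels are not the only way to get ACL control between VLANs.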
New Member

Re: Use ASA do Inter-vlan routing

... That's smart... It's kind of fooling the ASA into doing the "routing"... So technically the NAT still exists, but it just NATs a real IP to a real IP... I like it! Thanks a lot!

Difan
