
New Member

Allow traffic between interfaces

I have spent the last few hours reading different documents but I am still coming up empty handed.

I've got an ASA 5525; it has an inside interface that sits at 10.33.1.1.

I defined a logical interface with VLAN tag 3364 that sits at 10.33.64.1 (this will be for our wifi clients).

Both have security set to 100.

I set:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

However, a client at 10.33.1.5 cannot ping 10.33.64.1 and vice versa.

I've tried access rules, NAT rules & messing with PAT settings but not sure what I'm missing.

I attached a sanitized config and removed stuff around our VPN tunnel and other authentication. Any help would be much appreciated.

8 REPLIES
VIP Super Bronze

Allow traffic between interfaces

Don't add IP to the main interface. Try both vlans using sub-interfaces

try this:

interface GigabitEthernet0/2
description Inside interface
nameif inside
no sh
!
interface GigabitEthernet0/2.100
vlan 100
nameif vlan100
security-level 100
ip address 10.33.64.1 255.255.255.0
!
interface GigabitEthernet0/2.200
vlan 200
nameif vlan200
security-level 100
ip address 10.33.1.1 255.255.255.0

and try pinging from one to the other.

HTH

New Member

Allow traffic between interfaces

I did the following to make sure I don't accidentally lock myself out...

interface GigabitEthernet0/2
description Inside interface
nameif inside
security-level 100
ip address 10.33.1.1 255.255.255.0
!
interface GigabitEthernet0/2.100
vlan 100
nameif vlan100
security-level 100
ip address 10.33.64.1 255.255.255.0
!
interface GigabitEthernet0/2.200
vlan 200
nameif vlan200
security-level 100
ip address 10.33.2.1 255.255.255.0

packet-tracer input vlan100 icmp 10.33.64.1 8 5 5 10.33.2.1 xml

....
drop
(no-route) No route to host

We never had any vlans defined beforehand on this firewall -- if I'm adding them now does it require that I now specify a vlan on every interface?

New Member

Allow traffic between interfaces

It would just be helpful to still be able to use the native vlan because the switches underneath this ASA don't have switchport access vlan configured on any of their ports.

Allow traffic between interfaces

interface GigabitEthernet0/2
description Inside interface
nameif inside   (not recommended for sub-interfaces)
security-level 100   (not recommended for sub-interfaces)
ip address 10.33.1.1 255.255.255.0   (not recommended for sub-interfaces)
!
interface GigabitEthernet0/2.100
vlan 100
nameif vlan100
security-level 100
ip address 10.33.64.1 255.255.255.0
!
interface GigabitEthernet0/2.200
vlan 200
nameif vlan200
security-level 100
ip address 10.33.2.1 255.255.255.0

Also check

FW GigabitEthernet0/2 connected to switch must be in trunk allowed vlan 200, 100

Jawad

New Member

Allow traffic between interfaces

Is there any way to make one of the sub-interfaces use the native VLAN? I tried setting the VLAN to 1 but it didn't work.

Purple

Allow traffic between interfaces

Hi,

On the ASA the native VLAN is taken care of on the main physical interface.

Regards

Alain

Don't forget to rate helpful posts.

New Member

Allow traffic between interfaces

Put the following command in the router under the sub-interface you want to use the native VLAN on.

#encapsulation dot1Q 1 native

On the switch, if you have a native VLAN other than VLAN 1, configure the same VLAN on the router to be the native VLAN, by using the above command.
New Member

Allow traffic between interfaces

I was able to get this working the way I needed it to

interface GigabitEthernet0/2
description Inside interface
nameif inside
security-level 100
ip address 10.33.1.1 255.255.255.0
!
interface GigabitEthernet0/2.64
vlan 64
nameif WiFi
security-level 100
ip address 10.33.64.1 255.255.255.0
!
nat (inside,any) source static obj-10.33.1.0 obj-10.33.1.0 destination static obj-10.33.64.0 obj-10.33.64.0 no-proxy-arp

Thanks for the help
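As an added example that is not part of this thread and not Cisco's tooling, the Python script below parses an ASA-style interface configuration and classifies a host-to-host flow the way the troubleshooting above needs: no connected route, a hairpin that needs the intra-interface permit, same-security traffic that needs the inter-interface permit, or lower-to-higher security traffic that needs an access-list. The sample configuration is constructed from the addresses in the thread plus a hypothetical outside interface on 203.0.113.0/24 (a documentation prefix), so it goes a little beyond the two-interface case discussed here. It also flags the test used in the original post, pinging the far-side interface address, because by default the ASA only answers pings to an interface address that arrive on that same interface.

```python
"""ASA interface / same-security flow checker (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the thread's addresses plus a hypothetical outside interface.
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.33.1.1 255.255.255.0
!
interface GigabitEthernet0/2.64
 vlan 64
 nameif WiFi
 security-level 100
 ip address 10.33.64.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
"""

@dataclass
class Iface:
    name: str                                   # e.g. GigabitEthernet0/2.64
    nameif: str = ""
    security_level: Optional[int] = None
    vlan: Optional[int] = None                  # 802.1Q tag (sub-interfaces only)
    address: Optional[ipaddress.IPv4Address] = None
    network: Optional[ipaddress.IPv4Network] = None

def parse_config(text):
    """Return (interfaces, policy); policy holds the two same-security permits."""
    ifaces, policy, cur = [], {"inter": False, "intra": False}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface":
            cur = Iface(name=words[1])
            ifaces.append(cur)
        elif words[0] == "!":
            cur = None
        elif words[:2] == ["same-security-traffic", "permit"]:
            policy[words[2].split("-")[0]] = True      # "inter" or "intra"
        elif cur is None:
            continue
        elif words[0] == "nameif":
            cur.nameif = words[1]
        elif words[0] == "security-level":
            cur.security_level = int(words[1])
        elif words[0] == "vlan":
            cur.vlan = int(words[1])
        elif words[:2] == ["ip", "address"]:
            cur.address = ipaddress.IPv4Address(words[2])
            cur.network = ipaddress.IPv4Network(f"{words[2]}/{words[3]}", strict=False)
    return ifaces, policy

def connected_iface(ifaces, host):
    """Longest-prefix match of a host against the connected networks."""
    host = ipaddress.IPv4Address(host)
    hits = [i for i in ifaces if i.network and host in i.network]
    return max(hits, key=lambda i: i.network.prefixlen, default=None)

def evaluate_flow(ifaces, policy, src, dst):
    """Classify src -> dst as ('allow' | 'drop' | 'acl', reason)."""
    ing, egr = connected_iface(ifaces, src), connected_iface(ifaces, dst)
    if ing is None or egr is None:
        return ("drop", "no-route: no connected interface for source or destination")
    if not (ing.nameif and egr.nameif) or None in (ing.security_level, egr.security_level):
        return ("drop", "interface is missing nameif or security-level and will not forward")
    # ASA default: a ping to an interface address is only answered when it arrives
    # on that interface, so pinging the far-side gateway (as the original post
    # does) does not exercise through-the-box forwarding at all.
    if ing is not egr and egr.address == ipaddress.IPv4Address(dst):
        return ("drop", f"{dst} is the {egr.nameif} interface address; ping a host behind it")
    if ing is egr:
        return ("allow", "intra-interface") if policy["intra"] else \
               ("drop", "same-security-traffic permit intra-interface required")
    if ing.security_level == egr.security_level:
        return ("allow", f"{ing.nameif} -> {egr.nameif} same security") if policy["inter"] else \
               ("drop", "same-security-traffic permit inter-interface required")
    if ing.security_level > egr.security_level:
        return ("allow", f"{ing.nameif} -> {egr.nameif} higher to lower security")
    return ("acl", f"{ing.nameif} -> {egr.nameif} lower to higher security needs an access-list")

if __name__ == "__main__":
    ifaces, policy = parse_config(SAMPLE_CONFIG)
    for dst in ("10.33.64.1", "10.33.64.20", "10.33.2.1"):
        print("10.33.1.5 ->", dst, evaluate_flow(ifaces, policy, "10.33.1.5", dst))
```

Two things the script does not model but the thread points out: the switch port facing GigabitEthernet0/2 must be a trunk that allows the tagged VLAN (64 in the final config), with untagged frames landing on the physical interface; and a packet-tracer run should be sourced from a host address on the VLAN, not from the ASA's own interface IP, for the same reason the far-side ping check above exists.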
