New Member

ASA 5512x inter vlan routing

We have a 5512x that we've set up with an Ether-channel and multiple subinterfaces (vlans).  Our goal is to be able to allow one vlan to communicate to all other vlans through the 5512 but block the inter-vlan communication for the other vlans.  We have been attempting to accomplish this by having all vlans on the same security level - while utilizing access-lists and tcpbypass.  So far this isn't working and I'm not sure what the issue(s) could be (perhaps numerous).

We do not have a layer 3 switch.

Please advise.

Hall of Fame Super Silver

ASA 5512x inter vlan routing

I am sure that there are multiple issues and will start with the suggestion that the tool that you are using to solve this problem is not the optimum tool for this kind of problem. If you want inter vlan routing then the optimum tool is a layer 3 switch or a router.

But if the ASA/firewall is the only tool that you have then my suggestion would be to make the one vlan that should communicate with other vlans a different/higher security level. That will allow the vlan to initiate traffic to all other vlans and permit response traffic. If other vlans need to initiate traffic to the one vlan then you need to configure access policies. As long as you do not enable same-security-traffic permit inter-interface then the other vlans will not be able to communicate with each other.
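
A configuration sketch of the approach described in the reply above, added here as an example and not posted by anyone in the thread. The Port-channel number, VLAN IDs, interface names, addresses and ACL name are constructed assumptions.

```cisco
! Constructed example: interface names, VLAN IDs and addresses are assumptions.
! The one VLAN that must reach all others gets the higher security level.
interface Port-channel1.10
 vlan 10
 nameif admin
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
! The remaining VLANs share a lower level.
interface Port-channel1.20
 vlan 20
 nameif users
 security-level 50
 ip address 10.0.20.1 255.255.255.0
!
interface Port-channel1.30
 vlan 30
 nameif lab
 security-level 50
 ip address 10.0.30.1 255.255.255.0
!
! Keep this disabled (the default) so users and lab, both at level 50,
! cannot pass traffic to each other.
no same-security-traffic permit inter-interface
!
! Optional: a lower-level VLAN initiating to the higher-level VLAN needs an
! explicit permit. Once an ACL is bound to an interface, everything it does
! not permit inbound on that interface is dropped by the implicit deny.
access-list USERS_IN extended permit tcp 10.0.20.0 255.255.255.0 host 10.0.10.5 eq 443
access-group USERS_IN in interface users
!
! ICMP is not inspected by default, so echo replies returning from a
! lower-level VLAN are dropped unless inspection is enabled.
policy-map global_policy
 class inspection_default
  inspect icmp
```

To check a flow without generating traffic, `packet-tracer input admin tcp 10.0.10.5 12345 10.0.20.10 443` (addresses constructed) shows which phase allows or drops it.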



New Member

ASA 5512x inter vlan routing

I attempted to do this but couldn't get traffic to flow between the two vlans.  I may have to revisit, but setting them all to the same security and applying the same-security traffic allows the conversation, and then adding access-lists denying traffic seems to be one solution, although keeping the config as simple as possible is the goal.

Yep - layer 3 would be optimal.  Unfortunately that's not in the cards currently.

I'll test this again with the higher security level to see if I can get this to work.