ASA vLAN implementation

paulrmono
Level 1

I'm evaluating the ASA 5520 specifically for vLAN implementation. I create several vLAN logical interfaces and associated IPs on a single physical interface representing different internal client groups. Now if I set the Security Level to 0 for each vLAN then traffic can cross from one vLAN to another, which I don't want. Now, if I set the Security Level different for each vLAN interface then vLANs with higher levels can access lower ones but not vice versa; again, I don't want one vLAN to be able to access another.

To prevent this inter-vLAN communication must I create a security policy for each vLAN to stop it accessing every other vLAN? For 100 vLANs that's a lot of security policies to create! Or can I simply just turn off Security Levels on these logical vLAN interfaces?

Any help/direction appreciated.

3 Replies

todh
Level 1

If the individual VLANs cannot access each other, is there something you do want them to access? I don't believe you can turn off security levels. You could make all the VLAN interfaces have the same security level and not enable the "same-security-traffic permit inter-interface" command.

I would like by default to prevent all traffic between vLANs but then control what access one vLAN has to another, i.e., one vLAN hosts servers so client vLANs require access to certain ports in the server vLAN.

If I set all vLANs to the same Security Level and do not enable 'same-security-traffic permit inter-interface', then I am prevented from creating security policies under ASDM (to allow traffic from one vLAN to another) with a warning informing me that "No communication is allowed between two interfaces which have the same security level".

If I enable 'same-security-traffic permit inter-interface', then vLANs with a higher Security Level than another vLAN have full unconstrained access, unless I create Security Policies to prevent this, a lot of security policies if you're using 100 vLANs.

Hi Paul,

I believe you need the (no nat-control) command which then does not require you to have the nat & global commands to pass the traffic, and it will pass the traffic based on the access-list configured, and it will nat them to the egress interface I believe...

I hope this helps, please rate if it does!
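An added configuration example (not from the thread, and not Cisco's own documentation) putting together todh's same-security-level suggestion and the `no nat-control` point from the last reply: all subinterfaces share one security level, inter-interface traffic is permitted so policies can be written, and an inbound ACL on each client VLAN allows only the needed server ports and drops the rest of the internal range. Interface names, VLAN IDs, the 10.0.0.0/16 addressing and the server ports are assumptions; the ACL syntax is the pre-8.3 netmask style the ASA 5520 era used.

```text
! Physical trunk port carries the VLANs; it gets no nameif or address itself
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Client VLAN and server VLAN at the SAME security level (assumed VLAN IDs/addresses)
interface GigabitEthernet0/1.10
 vlan 10
 nameif clients-a
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif servers
 security-level 50
 ip address 10.0.100.1 255.255.255.0
!
! Needed so ASDM/CLI accept policies between same-level interfaces.
! On its own this permits ALL inter-VLAN traffic; the ACL below restricts it.
same-security-traffic permit inter-interface
!
! Pre-8.3: without nat/global statements traffic is dropped unless nat-control is off
no nat-control
!
! One object covers every internal VLAN, so one deny line replaces 99 per-VLAN denies
object-group network INTERNAL_VLANS
 network-object 10.0.0.0 255.255.0.0
!
! Inbound ACL for the client VLAN: permit only the required server ports,
! deny everything else internal, then allow outbound (e.g. Internet).
! Once an ACL is applied, its implicit deny overrides the security-level default.
access-list CLIENTS_A_IN extended permit tcp 10.0.10.0 255.255.255.0 10.0.100.0 255.255.255.0 eq 443
access-list CLIENTS_A_IN extended permit tcp 10.0.10.0 255.255.255.0 10.0.100.0 255.255.255.0 eq 445
access-list CLIENTS_A_IN extended deny ip any object-group INTERNAL_VLANS
access-list CLIENTS_A_IN extended permit ip 10.0.10.0 255.255.255.0 any
access-group CLIENTS_A_IN in interface clients-a
```

Repeat the ACL and access-group for each client VLAN. Apply an inbound ACL on the servers interface as well, otherwise the server VLAN can initiate connections into every client VLAN under the same-security permit.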
