vlan problem in asa 5510

halooos111
Level 1

Hello Community,

I am new in the ASA world, so I need your help very much!!

I have to configure a new VLAN (its name is vlan220, IP: x.x.220.0/24). vlan220 must have internet and should communicate with another VLAN (its name is vlan200, IP: x.x.200/24).

In ASDM, Device Setup > Interfaces, I configured vlan220, so I now have the following:

Ethernet0/1.200 security level 50 and

Ethernet0/1.220 security level 50

But I don't know how to go on so that the 2 VLANs can communicate and vlan220 gets internet!!!

Can somebody help me?

Is there maybe a step-by-step guide?

Thank you very much

Best regards, Tony

18 Replies

Maykol Rojas
Cisco Employee

Hi Tony,

Well, the first thing is that you will need to check a box in the Access Rules section that says "Allow traffic to flow between same security interfaces" or something like that. Then two static rules and two dynamic rules. I can easily drop the commands here, but it seems like you want to have it via ASDM.

What version are you using on the ASA firewall? (ASA code). Depending on that, the syntax on the commands changes, and it looks different on ASDM too.

Mike

Hi Tony,

It's very difficult to tell you how to do it from the ASDM, but if you ask me for the equivalent CLI commands, those would be:

nat (vlan220) 5 0.0.0.0 0.0.0.0

global (outside) 5 interface

outside should be the name of your internet-facing interface.

For inter-VLAN access:

same-security-traffic permit inter-interface

static (vlan220,vlan200) xx.xx.xx.220 xx.xx.xx.220

static (vlan200,vlan220) xx.xx.xx.200 xx.xx.xx.200

If you still wanna go for the ASDM, you can refer to this guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/nat_82.html

Moreover, you can google and find some YouTube videos as well, which would certainly help.

Thanks,
Varun Rao

I have ASA version 8.2(1), ASDM Version 3.2(1)

It must be ASDM 6.2.1; here's the guide for it:

http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/nat.html

Thanks,
Varun Rao

Hi Tony,

Basically, what you can do (and this is something that I do in particular) is to paste configuration on the command line and then take a look at it on the ASDM; then you can guide yourself doing the rest. For example: to communicate between the two DMZs you need to check the box in the Firewall Rules section.

Then you will need to configure the NAT. So, let's say for example that one of your DMZs (DMZ1, sec level 50) is 10.10.10.0/24 and the other (DMZ2, sec level 50) is 20.20.20.0/24.

You don't really need to translate these networks to any other IP, so basically you can configure a NAT statement that will translate those IPs to the same ones. You can drop these lines on the CLI built in to the ASDM (make sure you select Multiple lines).

These will be the lines that you need:

static (DMZ1,DMZ2) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Click on Send, then go to the NAT Rules section and see the line there; click on Edit and check how it was configured by the ASDM. Now the only thing you need to do is to create another one, but from DMZ2 going to DMZ1 and with the network 20.20.20.0.

For the Internet access it will be the following on the CLI of the ASDM (again Multiple lines, and assuming you have an interface connected to the outside with 1 public IP to access the internet, the name is outside and it has a security level of 50 or less):

nat (DMZ1) 1 0 0

global (outside) 1 interface

That will translate the internal DMZ1 subnet to the outside IP address of the firewall doing a PAT. Now you can go back to the NAT rules and check how that was created.

Let me know if you have any doubts.

Mike

I can also try with CLI commands!!

Nice Tony,

Give it a try and if you have issues let me know.

Mike

Hey Mike, thank you for helping. I did what you told me; I have in the NAT rules:

On the DMZ1 side:

type: static  source: DMZ1  interface: DMZ2  Address: DMZ1

On the DMZ2 side:

type: static  source: DMZ2  interface: DMZ1  Address: DMZ2

type: Dynamic  source: any  interface: outside  Address: outside

But I don't have internet on DMZ2, and the 2 DMZs do not communicate.

What shall I also do?

Tony

Hi Tony,

What tests did you do and which failed?

Post the following outputs:

-sh route

-sh run nat

-sh run global

-sh run static

-sh run | i same-security

Regards.

Alain

Don't forget to rate helpful posts.

-sh route:

C    x.x.x.0 255.255.255.0 is directly connected, DMZ2

C    y.y.y.0 255.255.255.0 is directly connected, DMZ1

S    192.168.253.1 255.255.255.255 [1/0] via 217.5.98.6, outside

S*   0.0.0.0 0.0.0.0 [1/0] via 217.5.98.6, outside


-sh run nat

nat (DMZ1) 0 access-list DMZ1_nat0_outbound

nat (DMZ1) 1 y.y.y.0 255.255.255.0

nat (DMZ2) 1 x.x.x.0 255.255.255.0

-sh run global

global (outside) 1 interface

-sh run static

static (DMZ1,outside) tcp interface www access-list DMZ1_nat_static

static (DMZ1, DMZ2) y.y.y.0 y.y.y.0 netmask 255.255.255.0

static (DMZ2, DMZ1) x.x.x.0 x.x.x.0 netmask 255.255.255.0

-sh run | i same-security

same-security-traffic permit intra-interface

And when I run packet tracer from DMZ2 to DMZ1 port 80 on interface DMZ2,

I get "the packet is dropped" (see attachment).

Tony

Hi Tony,

You have the wrong command added, you need to add this:

same-security-traffic permit inter-interface

Hope that helps.

Thanks,
Varun Rao

cooooool,

I can access DMZ1 from DMZ2,

but on DMZ2 I still have no internet.

Tony

Hi,

What do you mean by no internet on DMZ2? Are you trying to get to the internet from DMZ2? Isn't it the contrary you want, that is, port forwarding some services on DMZ2 for hosts on the internet?

Anyway, the NAT config for DMZ2 to the internet is OK, as well as the routing, so you must investigate ACLs:

Can you post: sh access-list and sh run access-group

Alain.

Don't forget to rate helpful posts.

I also want the clients in DMZ2 to have internet.
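The configuration below is an added example, not a post from any participant in this thread, that pulls Mike's two steps (identity static NAT between the DMZs, dynamic PAT to outside) and Alain's ACL question together into one ASA 8.2 config with a verification step. It reuses the DMZ1 10.10.10.0/24 and DMZ2 20.20.20.0/24 subnets from Mike's post and the Ethernet0/1.200 / Ethernet0/1.220 subinterfaces from Tony's. The interface addresses, the host 20.20.20.10 and 10.10.10.10, the ACL name DMZ2_in and the internet host 198.51.100.10 (documentation range) are constructed; an outside interface named "outside" at a lower security level is assumed.

```text
! Added example (not from the thread): ASA 8.2 config for two same-security DMZ
! subinterfaces that reach each other and the internet via PAT.
! Subnets 10.10.10.0/24 (DMZ1) and 20.20.20.0/24 (DMZ2) are the ones Mike used;
! interface/host addresses, the ACL name DMZ2_in and 198.51.100.10 are constructed.
!
! 1. Subinterfaces, named DMZ1/DMZ2 as in the thread
interface Ethernet0/1.200
 vlan 200
 nameif DMZ1
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.220
 vlan 220
 nameif DMZ2
 security-level 50
 ip address 20.20.20.1 255.255.255.0
!
! 2. Both interfaces sit at security level 50; without this line the ASA drops
!    traffic between equal-security interfaces regardless of NAT or ACLs.
!    It is "inter-interface", not "intra-interface" (the latter only allows
!    hairpinning on a single interface, which is the line the thread had).
same-security-traffic permit inter-interface
!
! 3. Identity static NAT between the DMZs: each subnet is translated to itself.
!    Required only when nat-control is enabled (off by default in 8.2), but it
!    also keeps DMZ-to-DMZ flows from being caught by the dynamic PAT rule below.
static (DMZ1,DMZ2) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (DMZ2,DMZ1) 20.20.20.0 20.20.20.0 netmask 255.255.255.0
!
! 4. Dynamic PAT to the outside interface address for internet access.
!    nat id 1 on each DMZ pairs with global id 1 on outside.
nat (DMZ1) 1 10.10.10.0 255.255.255.0
nat (DMZ2) 1 20.20.20.0 255.255.255.0
global (outside) 1 interface
!
! 5. Least-privilege inbound ACL on DMZ2. Once an access-group is bound here,
!    the implicit deny at its end also covers DMZ2 -> DMZ1, so the inter-DMZ
!    permit must be explicit; the same-security command does not bypass the ACL.
access-list DMZ2_in extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DMZ2_in extended permit udp 20.20.20.0 255.255.255.0 any eq domain
access-list DMZ2_in extended permit tcp 20.20.20.0 255.255.255.0 any eq www
access-list DMZ2_in extended permit tcp 20.20.20.0 255.255.255.0 any eq https
access-group DMZ2_in in interface DMZ2
!
! 6. Verification from the CLI. The last line of each packet-tracer run should
!    read ALLOW; if it reads DROP, the phase printed just above it names the
!    rule (ACL, NAT, route, or same-security check) that dropped the packet.
!    packet-tracer input DMZ2 tcp 20.20.20.10 12345 10.10.10.10 80
!    packet-tracer input DMZ2 tcp 20.20.20.10 12345 198.51.100.10 80
!    show run access-group
!    show xlate
```

The order matters when reading the thread's outputs: a nat 0 access-list exemption is evaluated before the static rules, and statics before the dynamic nat/global pair, so a DMZ-to-internet flow that never shows up in show xlate is usually caught by an earlier rule or by an inbound ACL on the DMZ interface rather than by the PAT itself.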
