topic If they are same security in Network Security

ASA 5525 Inter Vlan

mmarouan — Tue, 12 Mar 2019 08:48:15 GMT

Hello everyone, I am new to SA I want to set up an ASA 5525 on a local network in there are VLANs (Vlan print vlan server vlan client vlan wifi Vlan DMZ )
I want how I can configure it and communicate the print and server vlan and client to each other
And for the DMZ it must be consulted in public and internally by vlan server and client

thank you in advance

We would need to know more

Marius Gunnerud — Sat, 21 Jan 2017 14:43:27 GMT

We would need to know more about your network setup to provide a suggestion for configuration. For example, if each VLAN is connecting to its own ASA interface or will there just be one interface or a portchannel configured with subinterfaces?

If you are setting this up using a single interface or bundled etherchannel interface then you would need to configure subinterfaces on the ASA, assign the vlan to each interface using the vlan "vlan number" command and then configure the switch interface connecting to the ASA as a trunk.

Marvin has already explained how to do it if each will be connected to their own interface.

Please remember to select a correct answer and rate helpful posts

If they are same security

Marvin Rhoads — Fri, 27 Jan 2017 16:51:33 GMT

If they are same security level then you only need to add "same-security traffic inter-interface" command.

If they are different security levels then by default higher security can talk to lower security unless you have an ACL on the input of the higher security interface - then you would need to explicitly allow the traffic in the ACL.

Similarly, lower security needing to talk to higher security needs an explicit ACL applied on the lower security interface (input direction).

See this thread for some earlier discussion on this topic:

https://supportforums.cisco.com/discussion/13008881/asa-same-security-traffic-permit-inter-interface-vs-access-list-permitdeny

Hellon,

mmarouan — Fri, 27 Jan 2017 16:51:34 GMT

Hellon,

My architecture its :

for the internal vlan (they have the same physical interface " subinterfaces"):
Vlan 2server (172.16.1.0/24)
Vlan 3 desktop (172.16.2.0/24)
Vlan 4 printer (172.16.3.0/24)

and
Vlan 5 DMZ (172.16.4.0/24)
For the vlan DMZ it has a unique physical interface. I have an application web server in the zone DMZ which must communicate with a server in the vlan 2 for the replication MSSQL

If they are different

Farhan Mohamed — Fri, 27 Jan 2017 17:35:26 GMT

Similarly, lower security needing to talk to higher security needs an explicit ACL applied on the lower security interface (input direction).

See this thread for some earlier discussion on this topic:

https://supportforums.cisco.com/discussion/13008881/asa-same-security-tr...

vlan 2 , 3, 4 are same

MANI .P — Sun, 29 Jan 2017 02:50:35 GMT

vlan 2 , 3, 4 are same security level?

hello yes

mmarouan — Tue, 04 Apr 2017 08:45:36 GMT

hello

yes