https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125260#M395605 <P>I have a very basic ASA that is using the default VLAN1 for internal private subnet and VLAN2 for public subnet.&nbsp; I want to add a third subnet VLAN3 that will be private, security level 100 and NATed out the ASA.&nbsp; I also want to be able to communicate freely between VLAN1 and VLAN3.&nbsp; So question is:</P><P></P><P>Should I use a third physical port configured as access port for VLAN3?</P><P></P><P>Or, should I make the existing VLAN1 port a trunk port and add VLAN3 to it?</P><P></P><P>In either case, if I add, "same-security-traffic permit inter-interface" or "same-security-traffic permit intra-interface" would this be enought to allow both private nets to talk?</P><P></P><P>Thanks,</P><P>Diego</P> Tue, 12 Mar 2019 00:23:03 GMT tato386 2019-03-12T00:23:03Z https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125260#M395605 <P>I have a very basic ASA that is using the default VLAN1 for internal private subnet and VLAN2 for public subnet.&nbsp; I want to add a third subnet VLAN3 that will be private, security level 100 and NATed out the ASA.&nbsp; I also want to be able to communicate freely between VLAN1 and VLAN3.&nbsp; So question is:</P><P></P><P>Should I use a third physical port configured as access port for VLAN3?</P><P></P><P>Or, should I make the existing VLAN1 port a trunk port and add VLAN3 to it?</P><P></P><P>In either case, if I add, "same-security-traffic permit inter-interface" or "same-security-traffic permit intra-interface" would this be enought to allow both private nets to talk?</P><P></P><P>Thanks,</P><P>Diego</P> Tue, 12 Mar 2019 00:23:03 GMT https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125260#M395605 tato386 2019-03-12T00:23:03Z https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125261#M395606 <HTML><HEAD></HEAD><BODY><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Should I use a third physical port configured as access port for VLAN3?</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Or, should I make the existing VLAN1 port a trunk port and add VLAN3 to it?</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; That depends on what you want for your network design,&nbsp; </P><P></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">In either case, if I add, "same-security-traffic permit inter-interface" or "same-security-traffic permit intra-interface" would this be enought to allow both private nets to talk?</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">&nbsp;&nbsp;&nbsp;&nbsp; Yes, but if you have nat-control on then you will need create some NAT rules to allow traffic back and forward.</P><P></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Regards</P></BODY></HTML> Tue, 13 Nov 2012 21:08:38 GMT https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125261#M395606 Julio Carvajal 2012-11-13T21:08:38Z https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125262#M395608 <HTML><HEAD></HEAD><BODY><P>I simply want the two private nets to talk to each other thru the ASA without NAT or rules and for both of the private nets to be NATed to the public.&nbsp; Don't know of any easier way to state that.&nbsp; I guess I want the ASA to be a router?&nbsp; </P><P></P><P> The ASA is running 6.3 and I believe the nat-control doesn't come into play until 7.x, no?</P><P></P><P>Rgds,</P></BODY></HTML> Tue, 13 Nov 2012 21:17:27 GMT https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125262#M395608 tato386 2012-11-13T21:17:27Z https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125263#M395610 <HTML><HEAD></HEAD><BODY><P>Hello Diego,</P><P></P><P>What is the ASA version, You just told us 6.3 but that is for ASDM.</P><P></P><P>Okey if that is the case you could use Identity NAT and just the same-security and that will do it</P><P></P><P><SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN></P></BODY></HTML> Tue, 13 Nov 2012 21:42:16 GMT https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125263#M395610 Julio Carvajal 2012-11-13T21:42:16Z https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125264#M395612 <HTML><HEAD></HEAD><BODY><P> Sorry, ASA version is 8.2.&nbsp; What is identify NAT.&nbsp; I have heard the term but not familar with it.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 13 Nov 2012 22:36:17 GMT https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125264#M395612 tato386 2012-11-13T22:36:17Z https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125265#M395614 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Is just nat X to X.</P><P></P><P>So its like translate something to itself</P></BODY></HTML> Tue, 13 Nov 2012 22:52:09 GMT https://community.cisco.com/t5/network-security/adding-a-vlan-to-asa/m-p/2125265#M395614 Julio Carvajal 2012-11-13T22:52:09Z