https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969707#M439268 <P>Hey there!</P><P></P><P>I have a working environment but wondering if there is just a better way to accomplish what I am trying to do (without a layer 3 or 4 switch). Basically I have a few sub interfaces on my Cisco ASA5510.</P><P></P><P>Now what I do need is some of the VLANs to communicate with specific devices on the different VLANs. So for example I need computer 1 from VLAN 5 to communicate with 192.168.10.5 from VLAN 10 on ports 80 and 443. Is there a good way to accomplish this?</P><P></P><P>What I am currently doing is settings the security level to 100 on each interface (including the DMZ). </P><P></P><P>Here is what I have:</P><P></P><P><STRONG>interface Ethernet0/1.5</STRONG></P><P style="padding-left: 30px;"><STRONG>vlan 5</STRONG></P><P style="padding-left: 30px;"><STRONG>nameif Sub5</STRONG></P><P style="padding-left: 30px;"><STRONG>security-level 100</STRONG></P><P style="padding-left: 30px;"><STRONG>ip address 192.168.4.254 255.255.255.0</STRONG></P><P></P><P><STRONG>interface Ethernet0/1.95</STRONG></P><P style="padding-left: 30px;"><STRONG>vlan 95</STRONG></P><P style="padding-left: 30px;"><STRONG>nameif Sub95</STRONG></P><P style="padding-left: 30px;"><STRONG>security-level 100</STRONG></P><P style="padding-left: 30px;"><STRONG>ip address 192.168.1.203 255.255.255.0</STRONG></P><P></P><P><STRONG>same-security-traffic permit inter-interface</STRONG></P><P></P><P><STRONG>static (Sub95,Sub5) 192.168.1.0 access-list Sub95_nat_static_1</STRONG></P><P><STRONG>static (Sub5,Sub95) 192.168.4.0 192.168.4.0 netmask 255.255.255.0</STRONG></P><P></P><P><STRONG>access-list Sub95_nat_static_1 extended permit ip 192.168.1.0 255.255.255.0 host 192.168.4.15</STRONG></P><P></P><P></P><P>Now I am doing this all with ASDM 6.4. My ASA image is 805-K8.</P><P></P><P>Is there an easier way to accomplish this than what I am doing? It just seems like a ton of NATs and whatknot? I am really using ASDM the most and not shell. I am also wondering how to allow more of a one way communication? Like sub interface 95 be able to communicate on certain ports and ip addresses to sub interface 5, but sub interface 5 not be able to communicate with 95</P> Mon, 11 Mar 2019 23:41:11 GMT jacobdixon 2019-03-11T23:41:11Z https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969707#M439268 <P>Hey there!</P><P></P><P>I have a working environment but wondering if there is just a better way to accomplish what I am trying to do (without a layer 3 or 4 switch). Basically I have a few sub interfaces on my Cisco ASA5510.</P><P></P><P>Now what I do need is some of the VLANs to communicate with specific devices on the different VLANs. So for example I need computer 1 from VLAN 5 to communicate with 192.168.10.5 from VLAN 10 on ports 80 and 443. Is there a good way to accomplish this?</P><P></P><P>What I am currently doing is settings the security level to 100 on each interface (including the DMZ). </P><P></P><P>Here is what I have:</P><P></P><P><STRONG>interface Ethernet0/1.5</STRONG></P><P style="padding-left: 30px;"><STRONG>vlan 5</STRONG></P><P style="padding-left: 30px;"><STRONG>nameif Sub5</STRONG></P><P style="padding-left: 30px;"><STRONG>security-level 100</STRONG></P><P style="padding-left: 30px;"><STRONG>ip address 192.168.4.254 255.255.255.0</STRONG></P><P></P><P><STRONG>interface Ethernet0/1.95</STRONG></P><P style="padding-left: 30px;"><STRONG>vlan 95</STRONG></P><P style="padding-left: 30px;"><STRONG>nameif Sub95</STRONG></P><P style="padding-left: 30px;"><STRONG>security-level 100</STRONG></P><P style="padding-left: 30px;"><STRONG>ip address 192.168.1.203 255.255.255.0</STRONG></P><P></P><P><STRONG>same-security-traffic permit inter-interface</STRONG></P><P></P><P><STRONG>static (Sub95,Sub5) 192.168.1.0 access-list Sub95_nat_static_1</STRONG></P><P><STRONG>static (Sub5,Sub95) 192.168.4.0 192.168.4.0 netmask 255.255.255.0</STRONG></P><P></P><P><STRONG>access-list Sub95_nat_static_1 extended permit ip 192.168.1.0 255.255.255.0 host 192.168.4.15</STRONG></P><P></P><P></P><P>Now I am doing this all with ASDM 6.4. My ASA image is 805-K8.</P><P></P><P>Is there an easier way to accomplish this than what I am doing? It just seems like a ton of NATs and whatknot? I am really using ASDM the most and not shell. I am also wondering how to allow more of a one way communication? Like sub interface 95 be able to communicate on certain ports and ip addresses to sub interface 5, but sub interface 5 not be able to communicate with 95</P> Mon, 11 Mar 2019 23:41:11 GMT https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969707#M439268 jacobdixon 2019-03-11T23:41:11Z https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969708#M439271 <HTML><HEAD></HEAD><BODY><P>Instead of using static translations you can use NAT-exemption where you tell your ASA that traffic, that you specified in an nat0-ACL (for example Net5 to Net95) should not be translated. Then you apply an ACL to every interface and only allow the traffic you want.</P><P></P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sat, 11 Aug 2012 23:06:32 GMT https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969708#M439271 Karsten Iwen 2012-08-11T23:06:32Z https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969709#M439277 <HTML><HEAD></HEAD><BODY><P>Sorry for the novice questions but I'm just not very familiar with Cisco.</P><P></P><P>So do you mean something like:</P><P>access-list Sub5_nat0_outbound line 1 extended permit ip any 192.168.1.0 255.255.255.0 </P><P>nat (Sub5) 0 access-list Sub5_nat0_outbound&nbsp; tcp 0 0 udp 0 </P><P></P><P>access-list Sub95_nat0_outbound line 18 extended permit ip any 192.168.4.0 255.255.255.0 </P><P></P><P>What else would I need to do?</P></BODY></HTML> Sat, 11 Aug 2012 23:29:41 GMT https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969709#M439277 jacobdixon 2012-08-11T23:29:41Z https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969710#M439281 <HTML><HEAD></HEAD><BODY><P>I am getting that NAT exempt to work and I can pass traffic but I am having issues limiting what traffic is allowed or not allowed with the ACL</P></BODY></HTML> Sat, 11 Aug 2012 23:47:54 GMT https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969710#M439281 jacobdixon 2012-08-11T23:47:54Z https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969711#M439282 <HTML><HEAD></HEAD><BODY><P>Sorry for the post. I think I have it figured out.</P><P></P><P>So after doing the NAT Exempt and if the security levels are the same they can communicate 100% on every port and every host.</P><P></P><P>So I put in access list so Sub95 can talk to Sub5.</P><P></P><P>Basically I had to put ACL on Sub95 interface so it could talk to Sub5 (192.168.4.15) on port 25, then put a deny rule in after that going to that subnet, then put a permit rule in for any any so it can get out to the internet.</P><P></P><P>access-list Sub95_access_in extended permit tcp any host 192.168.4.15 eq smtp</P><P>access-list Sub95_access_in extended deny ip any object-group Inside_Networks</P><P>access-list Sub95_access_in extended permit ip any any</P></BODY></HTML> Sun, 12 Aug 2012 00:36:37 GMT https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969711#M439282 jacobdixon 2012-08-12T00:36:37Z https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969712#M439283 <HTML><HEAD></HEAD><BODY><P>Yes, one ACL for NAT where you only specify the IP-traffic from Network to network. And every interface gets his own access-ACL with the specific allowed communication.</P><P></P><P>I typically write that ACL different:</P><P></P><P>access-list DMZ1-ACCESS-IN permit ... first line with permit to inside</P><P>access-list DMZ1-ACCESS-IN permit ... second line with permit to inside</P><P>access-list DMZ1-ACCESS-IN deny ip any object-group RFC1918</P><P>access-list DMZ1-ACCESS-IN permit ... here comes the permitted access to the internet</P><P></P><P>As all my actual and future inside networks are all in the RFC1918-range, I don't have to touch that deny-line when I add an additional IP-subnet to one of the inside-interfaces.</P><P></P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sun, 12 Aug 2012 05:29:21 GMT https://community.cisco.com/t5/network-security/vlan-communication-on-asa5510/m-p/1969712#M439283 Karsten Iwen 2012-08-12T05:29:21Z