Vlans on same interface, using sub interface no comm

ibl.contracts — Mon, 11 Mar 2019 11:32:18 GMT

Good Day Everyone,

This is my first post here, and praying for a solution.

My scenario is as follows.

The setup involves

1 Catalyst 2950

1 Catalyst 3750G

1 ASA 5520

My objective is to configure to additional subnets using ASA subinterfaces as the Vlan gateways.

For this question we will use on the ASA 5520

one interface for server interaction

one interface for all user interaction.

Core Switch Catalyst 3750G

Current VLan configuration

VLAN 1 Server interface 0/0

VLAN 10 clients interface 0/1

These VLans are spread on both switches and communicate well.

So now, I created two additional vlans on the core switch,

VLAN 20 clients2

VLAN 30 clients3

Using the Catalyst 2950, I assigned two computers to vlan 20 and 30 respectively.

I configured the trunk on the 2950 interface as follows

interface FastEthernet0/20

switchport trunk native vlan 10

switchport trunk allowed vlan 20,30

switchport mode trunk

end

and its connecting interface on the 3750G configured as

interface GigabitEthernet1/0/30

switchport trunk encapsulation dot1q

switchport trunk native vlan 10

switchport trunk allowed vlan 20,30

switchport mode trunk

end

The switch interface to ASA is configured as follows

interface GigabitEthernet1/0/40

switchport trunk encapsulation dot1q

switchport trunk native vlan 10

switchport trunk allowed vlan 10,20,30

switchport mode trunk

end

So after configuring this I configured the ASA interfaces as follows:

interface GigabitEthernet0/1

nameif clients

security-level 80

ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2

interface GigabitEthernet0/1.20

vlan 20

nameif clients2

security-level 80

ip address 172.16.20.1 255.255.255.0 standby 172.16.20.2

interface GigabitEthernet0/1.30

vlan 30

nameif clients3

security-level 80

ip address 172.16.30.1 255.255.255.0 standby 172.16.30.2

Then I typed the command

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

The clients setup 172.168.10.3, 20.3, 30.3 were all able to ping their respective gateways.

So now to ping the server interface, The following was added using static NAT rule with ASDM 5.2 (I'm still learning CLI for ASA, so please excuse me)

I'll do the print out on ASA. (sh nat servers/clients/...2/...3)

Servers

match ip servers 172.16.1.0 255.255.255.0 clients any static translation to 172.16.1.0

match ip servers 172.16.1.0 255.255.255.0 clients2 any static translation to 172.16.1.0

match ip servers 172.16.1.0 255.255.255.0 clients3 any static translation to 172.16.1.0

Clients

match ip clients 172.16.10.0 255.255.255.0 servers any static translation to 172.16.10.0 (this is my entry)

match ip clients 172.16.10.0 255.255.255.0 clients any dynamic translation to pool 10 (No matching global)(this is not mine but would like to know how)

match ip clients 172.16.10.0 255.255.255.0 clients2 any dynamic translation to pool 10 (No matching global)(this is not mine but would like to know how)

match ip clients 172.16.10.0 255.255.255.0 clients3 any dynamic translation to pool 10 (No matching global)(this is not mine but would like to know how)

Plus there are other rules there taht should only be there for the clients but the same is there for all the other nameif regqrding pats

Clients2

match ip clients2 172.16.20.0 255.255.255.0 servers any static translation to 172.16.20.0

clients3

match ip clients3 172.16.30.0 255.255.255.0 servers any static translation to 172.16.30.0

So after adding this in ASDM they can ping the server network.

The problem now exists that they cannot ping each other on the same interface can anyone shed some light now.

Question as well with the command

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface, would I have to configure rules for them to talk to each other provided the first issue is resolved?

Re: Vlans on same interface, using sub interface no comm

ibl.contracts — Mon, 19 Nov 2007 12:12:59 GMT

Can anyone please help?

Re: Vlans on same interface, using sub interface no comm

rigoberto.cintron — Mon, 19 Nov 2007 14:54:02 GMT

You still need to create acl's allowing the traffic between the interfaces.

Re: Vlans on same interface, using sub interface no comm

ibl.contracts — Mon, 19 Nov 2007 20:50:45 GMT

Doesn't

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

do this?

by the way though i've configured all subnets on the subinterface to allow ip and still no resolution.

Re: Vlans on same interface, using sub interface no comm

sbaddipudi — Tue, 20 Nov 2007 01:08:49 GMT

I know for sure you need the ACLs on the FWSM. I am not 100% sure for ASA or PIX.

Satya

topic Re: Vlans on same interface, using sub interface no comm in Network Security

Vlans on same interface, using sub interface no comm

Re: Vlans on same interface, using sub interface no comm

Re: Vlans on same interface, using sub interface no comm

Re: Vlans on same interface, using sub interface no comm

Re: Vlans on same interface, using sub interface no comm