ASA 5525 Inter Vlan

mmarouan
Level 1

Hello everyone, I am new to ASA. I want to set up an ASA 5525 on a local network in which there are VLANs (a print VLAN, a server VLAN, a client VLAN, a wifi VLAN and a DMZ VLAN).
I want to know how I can configure it so that the print, server and client VLANs communicate with each other.
And the DMZ must be reachable publicly and internally from the server and client VLANs.


Thank you in advance.

6 Replies

We would need to know more about your network setup to provide a suggestion for configuration. For example, is each VLAN connecting to its own ASA interface, or will there just be one interface or a port-channel configured with subinterfaces?

If you are setting this up using a single interface or a bundled EtherChannel interface, then you would need to configure subinterfaces on the ASA, assign the VLAN to each subinterface using the vlan "vlan number" command, and then configure the switch interface connecting to the ASA as a trunk.

Marvin has already explained how to do it if each will be connected to their own interface.

--

Please remember to select a correct answer and rate helpful posts

Marvin Rhoads
Hall of Fame

If they are the same security level then you only need to add the "same-security-traffic permit inter-interface" command.

If they are different security levels then by default higher security can talk to lower security unless you have an ACL on the input of the higher security interface - then you would need to explicitly allow the traffic in the ACL.

Similarly, lower security needing to talk to higher security needs an explicit ACL applied on the lower security interface (input direction).

See this thread for some earlier discussion on this topic:

https://supportforums.cisco.com/discussion/13008881/asa-same-security-traffic-permit-inter-interface-vs-access-list-permitdeny

Hello,

My architecture is:

For the internal VLANs (they share the same physical interface, using subinterfaces):
Vlan 2 server (172.16.1.0/24)
Vlan 3 desktop (172.16.2.0/24)
Vlan 4 printer (172.16.3.0/24)

and
Vlan 5 DMZ (172.16.4.0/24)
The DMZ VLAN has its own physical interface. I have a web application server in the DMZ which must communicate with a server in VLAN 2 for MSSQL replication.

Are VLANs 2, 3 and 4 the same security level?

Hello,

yes.

Farhan Mohamed
Cisco Employee

If they are different security levels then by default higher security can talk to lower security unless you have an ACL on the input of the higher security interface - then you would need to explicitly allow the traffic in the ACL.

Similarly, lower security needing to talk to higher security needs an explicit ACL applied on the lower security interface (input direction).

See this thread for some earlier discussion on this topic:

https://supportforums.cisco.com/discussion/13008881/asa-same-security-tr...
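Putting the thread's advice together for the architecture the original poster described (subinterfaces on one physical interface for VLANs 2, 3 and 4, a separate physical interface for the DMZ, and a DMZ web server that replicates MSSQL to a server in VLAN 2), here is an ASA 9.x configuration as an added example. It is not taken from the original posts or from Cisco documentation; the interface names, the ASA gateway addresses, the two host addresses, the public NAT address, the existence of an interface named "outside" and the use of TCP 1433 for the MSSQL replication traffic are all assumptions.

```cisco
! Added example, not from the original thread. Interface names, gateway
! addresses, host addresses and the public NAT address are assumptions.
!
! Inside VLANs: one physical interface carrying a trunk from the switch,
! one subinterface per VLAN. The parent interface gets no nameif/IP.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.2
 vlan 2
 nameif server
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 vlan 3
 nameif desktop
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet0/1.4
 vlan 4
 nameif printer
 security-level 100
 ip address 172.16.3.1 255.255.255.0
!
! DMZ on its own physical interface, at a lower security level than inside.
interface GigabitEthernet0/2
 vlan 5
 nameif dmz
 security-level 50
 ip address 172.16.4.1 255.255.255.0
 no shutdown
!
! server, desktop and printer are all level 100: without this command the
! ASA drops traffic between interfaces of equal security level.
same-security-traffic permit inter-interface
!
! Hosts referenced by the ACLs and NAT (addresses assumed).
object network DMZ-WEB
 host 172.16.4.10
object network SQL-SERVER
 host 172.16.1.10
!
! DMZ (50) -> server (100) is blocked by default, so the replication
! session initiated from the DMZ needs an explicit permit, applied inbound
! on the lower-security interface. Applying an ACL here replaces the
! implicit behaviour for *all* traffic entering the dmz interface, so the
! final deny is written out with "log" to make dropped flows visible.
access-list DMZ-IN extended permit tcp object DMZ-WEB object SQL-SERVER eq 1433
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
!
! Publish the web server: static NAT to an assumed public address and an
! inbound ACL on outside that allows only HTTP/HTTPS. Since ASA 8.3 the
! ACL matches the real (pre-NAT) address, hence "object DMZ-WEB".
object network DMZ-WEB
 nat (dmz,outside) static 203.0.113.10
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 80
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 443
access-group OUTSIDE-IN in interface outside
```

Two points worth checking before relying on this. First, server and desktop (security level 100) can already reach the DMZ web server (level 50) because no ACL is applied inbound on those interfaces; the moment you add one, it must permit that traffic explicitly, as Marvin notes above. Second, DMZ-IN also governs the DMZ's traffic towards outside, so if the web server needs to initiate connections to the internet (updates, DNS) those flows need their own permit lines ahead of the deny. The switch port facing GigabitEthernet0/1 must be an 802.1Q trunk carrying VLANs 2, 3 and 4, and the port facing GigabitEthernet0/2 an access port in VLAN 5 (or the subinterface approach can be used there too).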
