Beginner

ASA 5525 Inter-VLAN

Hello everyone, I am new to the ASA. I want to set up an ASA 5525 on a local network in which there are VLANs (VLAN print, VLAN server, VLAN client, VLAN wifi, VLAN DMZ).
I want to know how I can configure it so that the print, server and client VLANs can communicate with each other.
And the DMZ must be reachable publicly and internally from the server and client VLANs.


thank you in advance

6 REPLIES
VIP Advocate

We would need to know more about your network setup to provide a suggestion for configuration.  For example, if each VLAN is connecting to its own ASA interface or will there just be one interface or a portchannel configured with subinterfaces?

If you are setting this up using a single interface or bundled etherchannel interface then you would need to configure subinterfaces on the ASA, assign the vlan to each interface using the vlan "vlan number" command and then configure the switch interface connecting to the ASA as a trunk.

Marvin has already explained how to do it if each will be connected to their own interface.

--

Please remember to select a correct answer and rate helpful posts

Hall of Fame Master

If they are the same security level then you only need to add the "same-security-traffic permit inter-interface" command.

If they are different security levels then by default higher security can talk to lower security unless you have an ACL on the input of the higher security interface - then you would need to explicitly allow the traffic in the ACL.

Similarly, lower security needing to talk to higher security needs an explicit ACL applied on the lower security interface (input direction).

See this thread for some earlier discussion on this topic:

https://supportforums.cisco.com/discussion/13008881/asa-same-security-traffic-permit-inter-interface-vs-access-list-permitdeny

Beginner

Hello,

My architecture is:

for the internal VLANs (they share the same physical interface, as subinterfaces):
VLAN 2 server (172.16.1.0/24)
VLAN 3 desktop (172.16.2.0/24)
VLAN 4 printer (172.16.3.0/24)

and
VLAN 5 DMZ (172.16.4.0/24)
The DMZ VLAN has its own physical interface. I have a web application server in the DMZ which must communicate with a server in VLAN 2 for MSSQL replication.

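A worked configuration for the architecture described in this post, combining the two pieces of advice given above (subinterfaces on a trunk, and security levels plus ACLs). This is an added example and not something posted in the thread. It assumes ASA 9.x syntax, that GigabitEthernet0/1 is the trunk from the switch carrying VLANs 2 to 4, that GigabitEthernet0/2 is the dedicated DMZ link, that the ASA holds .1 in each subnet, that the three internal VLANs share security level 100, and that the MSSQL host (172.16.1.10), the DMZ web server (172.16.4.10), the public addresses (203.0.113.x) and the replication port (TCP 1433, initiated from the DMZ side) are placeholders to adjust.

```text
! Added example, not from the thread. Assumed addresses and ports are placeholders.
!
! Internet-facing interface (public address assumed)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Physical trunk port: no IP of its own, the switch side must be an 802.1Q trunk
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! One subinterface per internal VLAN, all at the same security level
interface GigabitEthernet0/1.2
 vlan 2
 nameif server
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 vlan 3
 nameif desktop
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet0/1.4
 vlan 4
 nameif printer
 security-level 100
 ip address 172.16.3.1 255.255.255.0
!
! Dedicated physical interface for the DMZ: below the internal VLANs, above outside
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.4.1 255.255.255.0
!
! server, desktop and printer are all level 100, so inter-interface traffic
! between them is dropped until this is enabled
same-security-traffic permit inter-interface
!
! Objects used by the DMZ rules (hosts assumed)
object network MSSQL-SERVER
 host 172.16.1.10
object network DMZ-WEB
 host 172.16.4.10
 nat (dmz,outside) static 203.0.113.10
object network DMZ-NET
 subnet 172.16.4.0 255.255.255.0
object network INSIDE-NETS
 subnet 172.16.0.0 255.255.0.0
!
! No ACL is applied inbound on server/desktop/printer, so they keep the default
! behaviour: level 100 can reach dmz (50) and outside (0) without an explicit rule.
!
! dmz (50) -> server (100) is lower-to-higher, so it needs an explicit ACL.
! Once an ACL is bound inbound on dmz, only listed traffic passes, so the
! Internet-bound flow from the DMZ must be permitted here as well.
access-list DMZ_IN extended permit tcp object DMZ-WEB object MSSQL-SERVER eq 1433
access-list DMZ_IN extended deny ip object DMZ-NET 172.16.0.0 255.255.0.0 log
access-list DMZ_IN extended permit ip object DMZ-NET any
access-group DMZ_IN in interface dmz
!
! Publish the DMZ web server: the static NAT above plus an inbound rule on outside.
! ACLs on 8.3+ reference the real (private) address, not the mapped one.
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq 443
access-group OUTSIDE_IN in interface outside
!
! Internal networks go out with PAT on the outside address; traffic towards the
! DMZ leaves via dmz and therefore keeps its real source address.
object network INSIDE-NETS
 nat (any,outside) dynamic interface
```

To confirm the policy does what the thread describes, check the interface table with `show nameif` and then trace both directions of the replication flow: `packet-tracer input dmz tcp 172.16.4.10 12345 172.16.1.10 1433` should end in ALLOW because of DMZ_IN, and `packet-tracer input server tcp 172.16.1.10 12345 172.16.4.10 1433` should also ALLOW because server is the higher level and carries no inbound ACL. A trace from desktop to printer only succeeds once `same-security-traffic permit inter-interface` is present; without it the result is a DROP at the ACL phase even though no ACL is bound.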
Beginner

Are VLANs 2, 3 and 4 the same security level?

Beginner

Hello, yes.

Cisco Employee

If they are different security levels then by default higher security can talk to lower security unless you have an ACL on the input of the higher security interface - then you would need to explicitly allow the traffic in the ACL.

Similarly, lower security needing to talk to higher security needs an explicit ACL applied on the lower security interface (input direction).

See this thread for some earlier discussion on this topic:

https://supportforums.cisco.com/discussion/13008881/asa-same-security-tr...