vlan problem in asa 5510

halooos111
Level 1

Hello Community,

I am new in the ASA world so I need your help very much!!

I have to configure a new VLAN (its name is vlan220, IP: x.x.220.0/24); vlan220 must have internet access and should communicate with another VLAN (its name is vlan200, IP: x.x.200/24).

In ASDM Device Setup > Interfaces I configured vlan220, so I now have the following:

Ethernet0/1.200 security level 50 and

Ethernet0/1.220 security level 50

But I don't know how to go on so that the 2 VLANs can communicate and vlan220 gets internet access!!!

Can somebody help me?

Is there maybe a step-by-step guide?

Thank you very much

Best regards, Tony

18 Replies

Hi,

Can you post: sh access-list and sh run access-group

And the packet tracer output for this communication; is the ASA directly connected to the internet or is there a router?

Alain.

Don't forget to rate helpful posts.

The ASA is directly connected to the internet.

sh access-list

access-list DMZ2_nat0_outbound; 1 elements; name hash: 0xe670bc2b

access-list DMZ2_nat0_outbound line 1 extended permit ip x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0 (hitcnt=0) 0xe5ee4ebd

access-list DMZ2_access_in; 3 elements; name hash: 0x6faec76d

access-list DMZ2_access_in line 1 extended permit icmp x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0 (hitcnt=1501) 0x0cbd4f33

access-list DMZ2_access_in line 2 extended permit tcp x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0 eq www (hitcnt=79) 0xc68228fc

access-list DMZ2_access_in line 3 remark Implicit rule

access-list DMZ2_access_in line 4 extended permit tcp x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0 eq domain (hitcnt=2) 0x76a21af6

sh run access-group

access-group inside_access_in in interface inside

access-group DMZ1_access_in in interface DMZ1

access-group outside_access_in in interface outside

access-group DMZ2_access_in in interface DMZ2

How can I also permit traffic between 2 VLANs with different security levels? Because my boss told me yesterday afternoon that DMZ2 may have security level 90, and the traffic between the 2 DMZs shall be controlled through the access lists! In the NAT rules I changed the static one to NAT Exemption; is this right, what I changed?

Tony

Hi,

By default NAT-control is disabled, so it's not mandatory to do NAT for traffic flowing from a high security level to a low security level. So you can delete all NAT entries for traffic between the 2 DMZs and just leave the NAT for each DMZ to outside.

You can then apply ACLs inbound or outbound to permit/deny traffic between the 2 DMZs.

Now concerning DMZ2 not going to the internet:

The DMZ2_access_in ACL applied inbound is the same as the NAT 0 ACL that is permitting traffic between the 2 subnets, but then with the explicit deny at the end it denies traffic from DMZ2 to the internet.

As DMZ2 has a higher security level than the internet, all you have to do for traffic from DMZ2 to the internet is just inspect icmp and nothing else, unless you wanted some type of traffic to be denied.

So modify this ACL to permit specific traffic to the internet, and for icmp just inspect icmp in the service-policy.

As this DMZ will have level 90 and the other level 50, you won't need any ACL for traffic from DMZ2 to DMZ1 and its return traffic, but you will need one for traffic from DMZ1 to DMZ2.

Alain.

Don't forget to rate helpful posts.
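A worked ASA configuration (8.2-style NAT syntax, matching the "NAT 0" / NAT Exemption wording in this thread) for the setup Alain describes, added here as an example and not taken from any post in the thread. The interface names DMZ1/DMZ2, the .1 gateway addresses, the PAT to the outside interface address and the specific permitted services are assumptions; replace them with your own values.

```text
! Sub-interfaces (already created in ASDM); DMZ2 raised to level 90 as requested
interface Ethernet0/1.200
 vlan 200
 nameif DMZ1
 security-level 50
 ip address x.x.200.1 255.255.255.0          ! assumed gateway address
!
interface Ethernet0/1.220
 vlan 220
 nameif DMZ2
 security-level 90
 ip address x.x.220.1 255.255.255.0          ! assumed gateway address
!
! Only NAT towards the internet: PAT both DMZ subnets to the outside interface (assumed).
! No nat 0 / static between the two DMZs; with nat-control disabled none is needed.
global (outside) 1 interface
nat (DMZ1) 1 x.x.200.0 255.255.255.0
nat (DMZ2) 1 x.x.220.0 255.255.255.0
!
! DMZ2 (level 90) inbound ACL: once an ACL is applied, the implicit deny at the end
! drops everything not listed, so the internet services must be permitted explicitly.
access-list DMZ2_access_in extended permit ip x.x.220.0 255.255.255.0 x.x.200.0 255.255.255.0
access-list DMZ2_access_in extended permit tcp x.x.220.0 255.255.255.0 any eq www
access-list DMZ2_access_in extended permit tcp x.x.220.0 255.255.255.0 any eq https
access-list DMZ2_access_in extended permit udp x.x.220.0 255.255.255.0 any eq domain
access-group DMZ2_access_in in interface DMZ2
!
! DMZ1 (level 50) -> DMZ2 (level 90) is low-to-high, so it needs an explicit permit;
! keep it to the services DMZ1 really has to reach in DMZ2 (assumed: web only).
access-list DMZ1_access_in extended permit tcp x.x.200.0 255.255.255.0 x.x.220.0 255.255.255.0 eq www
access-group DMZ1_access_in in interface DMZ1
!
! Stateful ICMP: lets echo replies from the internet return to DMZ2 without an
! inbound permit on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify with the packet tracer before and after the change, e.g. `packet-tracer input DMZ2 tcp x.x.220.10 1025 8.8.8.8 80` should now end in ALLOW, and `show access-list DMZ2_access_in` shows the hit counts moving.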

Hello People,

Thank you very much for your help, you solved my problem.

Tony
