02-24-2009 08:30 AM - edited 03-11-2019 07:56 AM
I placed a network 10.71.180.128/25 (VLAN71) behind the inside interface of my ASA5505. I have a server on this network that I have to access from both the internet and from inside my network. I understand I can create a NAT rule to access the inside server from the internet, but have not been able to figure out how I can have a computer (10.100.10.1) in another internal subnet, 10.100.10.0/28, access server 10.71.180.140. I only have the basic package on the ASA5505.
Help please.
Mike
02-24-2009 08:56 AM
Mike,
How are you "routing" to the VLAN? Thru a layer 3 device?
02-24-2009 08:59 AM
Yes, I have a flat network and all routing is done by my core 6513.
Mike
02-24-2009 09:03 AM
So I take it that you have 2 SVI interfaces one in 10.100.10.0/28 and the other in 10.71.180.128/25 ?
02-24-2009 09:14 AM
02-24-2009 09:19 AM
Mike,
If you have a 6513 that is performing IP routing, why are you not just routing between the 2 SVI interfaces in the 6513??
Do you have a specific requirement to put vlan 71 and vlan 100 behind a firewall to protect them from each other?
02-24-2009 01:10 PM
The way we structure our PCI compliance networks is to place them behind an ASA. VLAN71 is the network that needs to be isolated, but I have a server in VLAN that exchanges information with one of the servers in VLAN71. The vendor needs to come in from outside to manage the server in VLAN71.
02-25-2009 05:14 AM
OK - firstly, from the config you posted, the interface in VLAN100 (E0/4) is shut down; you need to open it.
Secondly, I would change the VLAN100 security level from 100 to a lower number, as interfaces with the same level do not have to go through an access-list. Currently this breaks your PCI compliance.
Thirdly, just to make sure, I would configure a NAT exemption between the 2 VLAN interfaces.
HTH>
02-25-2009 02:57 PM
E 0/5 is now active, lowered security level to 0 on VLAN 100.
But I don't really understand the NAT exemption rule. I want 10.100.10.1 to be able to access the 10.71.180.136 (inside network) server.
Mike
02-26-2009 01:42 AM
OK - personally I would set the security level to 50 - then I know:
My inside is 100 = totally trusted
My outside is 0 = totally un-trusted
My VLAN100 is 50 = can access the internet, but I need to write an acl for traffic originating in the VLAN100 to the inside.
You must look at your NAT - by default all traffic passing from a lower interface to a higher and vice versa is NAT'ed.
So I would have something like:-
global (outside) 1 interface
nat (inside) 1 w.w.w.w x.x.x.x
nat (VLAN100) 1 y.y.y.y z.z.z.z
The above will NAT all traffic to the internet using the outside IP address, then the nat exemption
access-list no-nat permit ip w.w.w.w x.x.x.x y.y.y.y z.z.z.z
access-list no-nat permit ip y.y.y.y z.z.z.z w.w.w.w x.x.x.x
nat (inside) 0 access-list no-nat
nat (VLAN100) 0 access-list no-nat
The above tells the firewall not to NAT when the source and destination match = everything else should be NAT'ed.
w.w.w.w x.x.x.x = VLAN 71 IP subnet & mask
y.y.y.y z.z.z.z = VLAN100 IP subnet & mask
Then you need to allow access from server to server:
access-list allow-server permit ip host 10.100.10.1 host 10.71.180.136
access-group allow-server in interface VLAN100
HTH>
02-27-2009 07:16 AM
It would not allow me to enter:
nat(VLAN100) 1 10.100.10.0 255.255.255.128
Currently there is no nameif for the interface. So I attempted to add one. Here is the error I got:
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
Do I need to upgrade the license first?
Mike
02-27-2009 07:34 AM
This error has occurred due to a license limitation on the ASA. You need to obtain the Security Plus license in order to configure more VLANs in routed mode. Only three active VLANs can be configured with the Base license, and up to 20 active VLANs with the Security Plus license. You can create a third VLAN with the Base license, but this VLAN only has communication either to the outside or to the inside, but not in both directions. If you need to have the communication in both directions, then you need to upgrade the license. Also, if you use the Base license, allow this interface to be the third VLAN and limit it from initiating contact to one other VLAN with the hostname(config-if)# no forward interface vlan number command. Thus the third VLAN can be configured.
go to:-
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/ef.html#wp1931294
for the "forward interface" command & explanation.
HTH>
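To tie the two replies above together (the NAT exemption plus ACL from the earlier post, and the "no forward interface" workaround for the Base license from this one), here is a complete ASA 5505 configuration fragment in the ASA 8.0 NAT syntax of the linked reference. It is an added example written for this thread, not configuration posted by Mike or taken from Cisco; the ASA's own addresses on each VLAN (.129 and .14), the switchport assignments, the DHCP outside address and the object names are assumptions. The subnets, the server 10.71.180.136 and the client 10.100.10.1 are the ones discussed in the thread.

```cisco
! Added example, not from the thread or from Cisco. ASA 5505, Base license,
! ASA 8.0-era NAT syntax. VLAN 71 is "inside", VLAN 100 is the third VLAN
! and is blocked from initiating traffic to the outside (VLAN 2).
! Interface addresses, port assignments and names are assumptions.
interface Vlan2
 nameif outside
 security-level 0
 ! assumption: ISP-assigned outside address
 ip address dhcp setroute
!
interface Vlan71
 nameif inside
 security-level 100
 ! assumption: the ASA is 10.71.180.129
 ip address 10.71.180.129 255.255.255.128
!
! Third VLAN under the Base license: "no forward interface" must be entered
! BEFORE nameif, otherwise the license error quoted in the thread is returned.
interface Vlan100
 no forward interface Vlan2
 nameif VLAN100
 security-level 50
 ! assumption: the ASA is 10.100.10.14
 ip address 10.100.10.14 255.255.255.240
!
! assumption: E0/0 to the ISP, E0/1 to the 6513 for VLAN 71, E0/5 for VLAN 100
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
interface Ethernet0/1
 switchport access vlan 71
 no shutdown
interface Ethernet0/5
 switchport access vlan 100
 no shutdown
!
! Dynamic PAT to the outside address for internet-bound traffic from inside.
! VLAN100 has no path to the outside (no forward), so it needs no NAT rule.
global (outside) 1 interface
nat (inside) 1 10.71.180.128 255.255.255.128
!
! NAT exemption: traffic between the two internal subnets is not translated.
! Each ACL is written from the perspective of the interface it is applied to.
access-list no-nat-inside extended permit ip 10.71.180.128 255.255.255.128 10.100.10.0 255.255.255.240
access-list no-nat-vlan100 extended permit ip 10.100.10.0 255.255.255.240 10.71.180.128 255.255.255.128
nat (inside) 0 access-list no-nat-inside
nat (VLAN100) 0 access-list no-nat-vlan100
!
! VLAN100 (50) is lower than inside (100), so traffic originating in VLAN100
! needs an inbound ACL; only the one client/server pair is permitted.
access-list allow-server extended permit ip host 10.100.10.1 host 10.71.180.136
access-group allow-server in interface VLAN100
!
! Without ICMP inspection the ASA has no state for echo replies, so ping
! tests fail even when the ACL permits the traffic.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Two things worth checking after entering this: `show nat` should list the `nat 0` exemptions ahead of the dynamic rule, and `show access-list allow-server` shows a hit count on the permit entry when 10.100.10.1 connects to the server. If the hit count stays at zero while the connection fails, the packet is being dropped before the ACL (for example on a still-shut switchport or a missing route on the 6513 back to 10.100.10.0/28 via the ASA), not by the ACL.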
02-27-2009 07:36 AM
I think that you could just move the "outside" off VLAN 2 and into a specific interface - then you can have 2 vlans without having to upgrade!
02-27-2009 07:58 AM
Actually, just thinking about it, another possible solution would be:-
Move the inside interface into its own interface. Then create a sub-interface and tag it with a VLAN id.
On your switch, either make the physical port connecting to the ASA a trunk port or... have it as a normal switch port in the inside VLAN, then if your switch supports it, use the AUX VLAN for your DMZ.
HTH>
02-27-2009 09:54 AM
No, VLAN 100 does not have to access the outside interface, just talk to the server on the inside VLAN.
I have configured everything for NAT exemption and added the no forward command to the outside interface (VLAN 2). I went ahead and configured two test laptops, one in VLAN 71 (inside), 10.71.180.135, and one in VLAN 100, 10.100.10.114. To check connectivity I pinged from the inside IP to VLAN 100 on the ASA CLI and I am good, but I can't ping from the 10.100.10.114 IP to the computer on the inside interface, or ping the inside interface.
Thanks for your help.
Mike