Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
799
Views
0
Helpful
5
Replies

adding a VLAN to ASA

tato386
Level 6
Level 6

‎11-13-2012 12:49 PM - edited ‎03-11-2019 05:23 PM

I have a very basic ASA that is using the default VLAN1 for internal private subnet and VLAN2 for public subnet.  I want to add a third subnet VLAN3 that will be private, security level 100 and NATed out the ASA.  I also want to be able to communicate freely between VLAN1 and VLAN3.  So question is:

Should I use a third physical port configured as access port for VLAN3?

Or, should I make the existing VLAN1 port a trunk port and add VLAN3 to it?

In either case, if I add, "same-security-traffic permit inter-interface" or "same-security-traffic permit intra-interface" would this be enought to allow both private nets to talk?

Thanks,

Diego

Labels:
0 Helpful
5 Replies 5

Julio Carvajal
VIP Alumni
VIP Alumni

‎11-13-2012 01:08 PM

Should I use a third physical port configured as access port for VLAN3?

Or, should I make the existing VLAN1 port a trunk port and add VLAN3 to it?

     That depends on what you want for your network design, 

In either case, if I add, "same-security-traffic permit inter-interface" or "same-security-traffic permit intra-interface" would this be enought to allow both private nets to talk?

     Yes, but if you have nat-control on then you will need create some NAT rules to allow traffic back and forward.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

tato386
Level 6
Level 6
In response to Julio Carvajal

‎11-13-2012 01:17 PM

I simply want the two private nets to talk to each other thru the ASA without NAT or rules and for both of the private nets to be NATed to the public.  Don't know of any easier way to state that.  I guess I want the ASA to be a router? 

The ASA is running 6.3 and I believe the nat-control doesn't come into play until 7.x, no?

Rgds,

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to tato386

‎11-13-2012 01:42 PM

Hello Diego,

What is the ASA version, You just told us 6.3 but that is for ASDM.

Okey if that is the case you could use Identity NAT and just the same-security and that will do it

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

tato386
Level 6
Level 6
In response to Julio Carvajal

‎11-13-2012 02:36 PM

Sorry, ASA version is 8.2.  What is identify NAT.  I have heard the term but not familar with it.

Thanks

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to tato386

‎11-13-2012 02:52 PM

Hello,

Is just nat X to X.

So its like translate something to itself

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card