I have a very basic ASA that is using the default VLAN1 for internal private subnet and VLAN2 for public subnet. I want to add a third subnet VLAN3 that will be private, security level 100 and NATed out the ASA. I also want to be able to communicate freely between VLAN1 and VLAN3. So question is:
Should I use a third physical port configured as access port for VLAN3?
Or, should I make the existing VLAN1 port a trunk port and add VLAN3 to it?
In either case, if I add "same-security-traffic permit inter-interface" or "same-security-traffic permit intra-interface", would this be enough to allow both private nets to talk?
Thanks,
Diego
Should I use a third physical port configured as access port for VLAN3?
Or, should I make the existing VLAN1 port a trunk port and add VLAN3 to it?
That depends on what you want for your network design.
In either case, if I add "same-security-traffic permit inter-interface" or "same-security-traffic permit intra-interface", would this be enough to allow both private nets to talk?
Yes, but if you have nat-control on then you will need to create some NAT rules to allow traffic back and forth.
Regards
I simply want the two private nets to talk to each other through the ASA without NAT or rules, and for both of the private nets to be NATed to the public. Don't know of any easier way to state that. I guess I want the ASA to be a router?
The ASA is running 6.3 and I believe the nat-control doesn't come into play until 7.x, no?
Rgds,
Hello Diego,
What is the ASA version? You just told us 6.3, but that is for ASDM.
Okay, if that is the case you could use Identity NAT and just the same-security, and that will do it.
Sorry, ASA version is 8.2. What is identity NAT? I have heard the term but am not familiar with it.
Thanks
Hello,
It's just NAT X to X.
So it's like translating something to itself.
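What the replies describe, put together as an added configuration example (not posted by anyone in the thread): ASA 5505-style VLAN interfaces, software 8.2 (pre-8.3 NAT syntax), the third physical port used as an access port for VLAN3, "same-security-traffic permit inter-interface" so the two level-100 interfaces can talk, static identity NAT ("X to X") between the two private nets in case nat-control is enabled, and PAT of both private nets to the outside address. The interface name "inside2", the port Ethernet0/2 and the subnets 192.168.1.0/24 and 192.168.3.0/24 are assumptions.

```cisco
! Added example, not from the thread. Assumed: nameif "inside2" for VLAN3,
! Ethernet0/2 as the third port, 192.168.1.0/24 on inside, 192.168.3.0/24 on inside2.
!
! Third physical port as an access port for VLAN3 (first option in the question)
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! VLAN3: private, same security level as the existing inside (Vlan1)
interface Vlan3
 nameif inside2
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
! Allow traffic between two interfaces that share security level 100
same-security-traffic permit inter-interface
!
! Static identity NAT ("translate X to X") in both directions between the
! private nets. Only required when nat-control is enabled; harmless otherwise.
static (inside,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside2,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
!
! PAT both private nets to the outside interface address when they leave
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside2) 1 192.168.3.0 255.255.255.0
```

On a 5505 with the Base license, the third VLAN interface is restricted and must be configured with "no forward interface" towards one of the other VLANs before it accepts a nameif, which would prevent VLAN3 from initiating traffic to that VLAN; the Security Plus license removes that restriction and also adds trunk port support for the second option in the question.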