adding a VLAN to ASA

tato386
Level 6

I have a very basic ASA that is using the default VLAN1 for internal private subnet and VLAN2 for public subnet.  I want to add a third subnet VLAN3 that will be private, security level 100 and NATed out the ASA.  I also want to be able to communicate freely between VLAN1 and VLAN3.  So question is:

Should I use a third physical port configured as access port for VLAN3?

Or, should I make the existing VLAN1 port a trunk port and add VLAN3 to it?

In either case, if I add "same-security-traffic permit inter-interface" or "same-security-traffic permit intra-interface", would this be enough to allow both private nets to talk?

Thanks,

Diego

5 Replies

Julio Carvajal
VIP Alumni

Should I use a third physical port configured as access port for VLAN3?

Or, should I make the existing VLAN1 port a trunk port and add VLAN3 to it?

     That depends on what you want for your network design.

In either case, if I add "same-security-traffic permit inter-interface" or "same-security-traffic permit intra-interface", would this be enough to allow both private nets to talk?

     Yes, but if you have nat-control on, then you will need to create some NAT rules to allow traffic back and forth.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I simply want the two private nets to talk to each other through the ASA without NAT or rules, and for both of the private nets to be NATed to the public. Don't know of any easier way to state that. I guess I want the ASA to be a router?

The ASA is running 6.3 and I believe the nat-control doesn't come into play until 7.x, no?

Rgds,

Hello Diego,

What is the ASA version? You just told us 6.3, but that is for ASDM.

Okay, if that is the case you could use identity NAT and just the same-security, and that will do it.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry, ASA version is 8.2. What is identity NAT? I have heard the term but am not familiar with it.

Thanks

Hello,

It is just NAT X to X.

So it's like translating something to itself.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
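As a worked example that is not part of the thread, here is the ASA 8.2 configuration a practitioner would add for the access-port option Diego asked about, pulling together the three pieces discussed above: the new VLAN interface at security level 100, same-security-traffic permit inter-interface, and the identity NAT ("NAT X to X") Julio describes. Everything specific is an assumption: an ASA 5505 (Vlan1 inside / Vlan2 outside are its factory defaults), nameif inside2 for the new VLAN, the networks 192.168.1.0/24 and 192.168.3.0/24, and Ethernet0/2 being a free switchport. The static rules are what keep inside-to-inside2 traffic untranslated; without them the nat (inside) 1 rule matches the source but there is no global on inside2, and the ASA drops the packet with "no translation group found" regardless of nat-control.

```cisco
! Access-port option: dedicate a free switchport to VLAN 3
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! New private interface, same security level as inside (Vlan1)
interface Vlan3
 nameif inside2
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
! Only on an ASA 5505 Base license (assumption: model not stated in the thread),
! the third VLAN must be restricted, which blocks one direction of initiation:
!   interface Vlan3
!    no forward interface Vlan1
! The Security Plus license removes this limit.
!
! Let traffic pass between two level-100 interfaces without an access-list
same-security-traffic permit inter-interface
!
! Identity NAT ("NAT X to X"): each private net maps to itself toward the other
static (inside,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside2,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
!
! Both private nets PAT to the outside interface address on the way out
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside2) 1 192.168.3.0 255.255.255.0
global (outside) 1 interface
!
! Trunk alternative (instead of Ethernet0/2 above): carry VLAN 1 and 3 on the
! existing inside port to a VLAN-capable switch
! interface Ethernet0/1
!  switchport mode trunk
!  switchport trunk native vlan 1
!  switchport trunk allowed vlan 1,3
```

Verify the result before trusting it: `packet-tracer input inside icmp 192.168.1.10 8 0 192.168.3.10` should end in an ALLOW with the static rule listed in the NAT phase, and a second run with an outside destination should show the PAT to the outside interface. `show nat` and `show xlate` confirm which rule each flow hit. The trunk variant moves VLAN tagging onto the downstream switch, so a misconfigured access port there can place a host into the other private VLAN; the access-port variant keeps the segmentation decision on the ASA.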