01-26-2014 07:36 PM - edited 03-11-2019 08:36 PM
Hi there,
I am running into a problem, but I don't know if this is a limitation of my device or a configuration problem. I appreciate any help or advice from any of you. Here's my scenario:
I have an ASA 5505; only 3 VLANs are allowed, apparently because of the license,
so VLAN 1 (inside), VLAN 2 (outside) and VLAN 3 (DMZ, but in my case I call it TEST).
I set VLAN 3 with security level 100 as I am using it for an internal network connection. I don't have a router and was in need of two networks: network 1 for inside (10.10.10.X) and network 2 running on VLAN 3 TEST (20.20.20.X).
What I want to do is be able to communicate between VLAN 3 and VLAN 2 and vice versa. Since they are both internal LANs, I added an ACL to allow all IP traffic coming from one interface to the other.
Someone mentioned that this is not possible because of the type of appliance I have, that the license was restricting me from passing traffic between both interfaces. I don't know if this is right or wrong; that is why I am requesting your help, guys.
I will really appreciate your help on this.
Gabriel.
01-26-2014 10:37 PM
VLANs:
Routed Mode:
Base License: 3 (2 regular zones and 1 restricted zone that can only communicate with 1 other zone)
So it can work, I would say.
You need the command
same-security-traffic permit inter-interface
01-27-2014 12:05 AM
Hi,
So it seems you have a Base License ASA5505 with a 3 Vlan limitation (2 normal, 1 restricted).
This essentially means that your 2 Vlans will NOT be restricted with regard to where they can form connections. But the third Vlan will have to be restricted towards either of the 2 other Vlans or the interface can not be enabled.
Typically this setup is done so that the 3rd Vlan is used as a DMZ, therefore making it logical to limit connectivity towards the LAN, as that is basically how DMZs should behave.
You can naturally approach the situation a bit differently. You could configure this restriction from your "outside" to your "dmz", since this is probably not used to host any services to the public network? Or at least that's what I understood? This would essentially configure the limitation from "outside" to "dmz" but would leave your "dmz" and "inside" without any restrictions in communication.
You might initially have this configuration
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x y.y.y.y
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
Now if you were to add the third Vlan you could try doing this (provided you don't have to have any access from "outside" to "dmz"):
ASA(config)# interface Vlan 3
ASA(config-if)# exit
ASA(config)# interface Vlan 2
ASA(config-if)# no forward interface Vlan3
ASA(config-if)# exit
ASA(config)# interface Vlan 3
ASA(config-if)# nameif test
ASA(config-if)# security-level 100
ASA(config-if)# ip address x.x.x.x y.y.y.y
The reason for the above order is the fact that you can not enable a third interface with the "nameif" command until you have a restriction in place. So you first create the new Vlan interface (without other configurations) and then move to the interface from which you want the restriction and apply it there. Then you are free to configure the third interface as you see fit.
If you decide to use the same "security-level" on the interfaces then you will naturally need the command that Peter provided above.
Hope this helps
- Jouni
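The two rules the replies above describe (a Base license needs a "no forward interface" restriction before a third Vlan can be named, and two interfaces at the same security level need "same-security-traffic permit inter-interface") can be checked against a running-config before it is pasted into the box. The following lint script is an added example and not part of the thread or of any Cisco tool; it parses only the handful of interface sub-commands involved, takes running-config text (not the config-mode session shown above) as input, and uses constructed sample configs in which the outside address (192.0.2.2) and the Vlan3 address (20.20.20.1) are placeholders.

```python
"""Lint an ASA 5505 Base-license VLAN configuration for the two
constraints discussed in the thread (added example, not vendor code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAME_SEC_CMD = "same-security-traffic permit inter-interface"


@dataclass
class VlanIface:
    name: str                                  # normalized, e.g. "Vlan3"
    nameif: Optional[str] = None               # set once the interface is enabled
    security_level: Optional[int] = None
    no_forward_to: Set[str] = field(default_factory=set)


def _norm_vlan(token: str) -> str:
    """'Vlan 3', 'vlan3' and 'Vlan3' all become 'Vlan3'."""
    return "Vlan" + re.sub(r"\D", "", token)


def parse_config(config: str) -> Tuple[Dict[str, VlanIface], Set[str]]:
    """Return (vlan interfaces, global commands seen) from running-config text."""
    ifaces: Dict[str, VlanIface] = {}
    globals_seen: Set[str] = set()
    current: Optional[VlanIface] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue                                   # blank or separator line
        m = re.match(r"^interface\s+(vlan\s*\d+)\s*$", line, re.IGNORECASE)
        if m:
            current = ifaces.setdefault(_norm_vlan(m.group(1)), VlanIface(_norm_vlan(m.group(1))))
            continue
        if line[0].isspace() and current is not None:  # indented sub-command
            parts = line.split()
            if parts[0] == "nameif" and len(parts) == 2:
                current.nameif = parts[1]
            elif parts[0] == "security-level" and len(parts) == 2:
                current.security_level = int(parts[1])
            elif parts[:3] == ["no", "forward", "interface"] and len(parts) >= 4:
                current.no_forward_to.add(_norm_vlan("".join(parts[3:])))
            continue
        current = None                                 # back at global level
        if line.strip() == SAME_SEC_CMD:
            globals_seen.add(SAME_SEC_CMD)
    return ifaces, globals_seen


def lint(config: str, max_vlans: int = 3) -> List[str]:
    """Return human-readable findings; an empty list means both rules are met."""
    ifaces, globals_seen = parse_config(config)
    findings: List[str] = []
    named = {k: v for k, v in ifaces.items() if v.nameif}
    if len(named) > max_vlans:
        findings.append(f"VLAN_LIMIT: {len(named)} named VLAN interfaces, "
                        f"Base license allows {max_vlans}")
    # The restricted zone is whichever named VLAN another interface refuses to forward to.
    restricted = {t for v in ifaces.values() for t in v.no_forward_to if t in named}
    if len(named) >= max_vlans and not restricted:
        findings.append("NO_RESTRICTED_VLAN: three named VLANs but no 'no forward "
                        "interface' restriction; the ASA rejects the third nameif")
    by_level: Dict[Optional[int], List[str]] = {}
    for v in named.values():
        by_level.setdefault(v.security_level, []).append(v.nameif)
    for level, names in by_level.items():
        if len(names) > 1 and SAME_SEC_CMD not in globals_seen:
            findings.append(f"SAME_SECURITY_BLOCKED: {', '.join(sorted(names))} share "
                            f"security-level {level} but '{SAME_SEC_CMD}' is absent")
    return findings


# Constructed sample: the end state the replies describe (addresses are placeholders).
GOOD_CONFIG = """
same-security-traffic permit inter-interface
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 no forward interface Vlan3
 ip address 192.0.2.2 255.255.255.0
!
interface Vlan3
 nameif test
 security-level 100
 ip address 20.20.20.1 255.255.255.0
"""

# Constructed sample: the same three interfaces without either command.
BAD_CONFIG = GOOD_CONFIG.replace("same-security-traffic permit inter-interface\n", "") \
                        .replace(" no forward interface Vlan3\n", "")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint(cfg) or "OK")
```

Running it prints "OK" for the first config and two findings for the second, one for the missing restriction and one for the two security-level 100 interfaces that cannot talk without the same-security command. The parser deliberately ignores every sub-command it does not know about, so it can be run over a full running-config without tripping on unrelated lines.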