ASA 5505 inter vlan access

allgama123 · ‎01-26-2014

Hi there,

I am running into a problem but I don't know if this is a limitation of my device or a configuration problem. I appreciate any help or advice from any of you. Here's my scenario:

I have an ASA 5505 only 3 VLAN allowed because of the license apparently

so VLAN 1 (inside), VLAN 2 (outside) and VLAN 3 (DMZ but in my case I call it TEST)

I set vlan 3 with security level 100 as I am using it for an internal network connection. I don't have a router and was in need of two networks network 1 for inside 10.10.10.X and network 2 running on VLAN 3 TEST 20.20.20.X

What I want to do is be able to communicate between VLAN 3 and VLAN2 and vice-versa. since they are both internal LANs I added an ACL to allow all ip traffic coming from one interface to the other.

Someone mentioned that this is not possible because of the type of appliance I have. That the license was restricting me to pass traffic between both interfaces. I don't know if this is right or wrong that is why I am requesting your helps guys.

I will really appreciate your help on this.

Gabriel.

Peter Koltl · ‎01-26-2014

VLANs:

Routed Mode:

Base License: 3 (2 regular zones and 1 restricted zone that can only communicate with 1 other

zone)

So it can work, I would say.

You need the command

same-security-traffic permit inter-interface

Jouni Forss · ‎01-27-2014

Hi,

So seems you have Base License ASA5505 with 3 Vlan limitation (2 normal 1 resricted)

This essentially means that your 2 Vlans will NOT be restricted with regards where they can form connections. But the third Vlan will have to be restricted towards either of the 2 other Vlans or the interface can not be enabled.

Typically this setup is done so that the 3rd Vlan is used as DMZ therefore making it logical to limit connectivity towards the LAN as that is basically how DMZs should behave.

You can naturally approach the situation a bit differently. You could configure this restriction from your "outside" to your "dmz" since this is probably not used to host any services to the public network? Or atleast that what I understood? This would essentially configure the limitation from "outside" to "dmz" but would leave your "dmz" and "inside" without any restrections in communication.

You might initially have this configuration

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x y.y.y.y

interface Vlan1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

Now if you were to add the third Vlan you could try doing this (provided you dont have to have any access from "outside" to "dmz")

ASA(config)# interface Vlan 3

ASA(config-if)# exit

ASA(config)# interface Vlan 2

ASA(config-if)# no forward interface Vlan3

ASA(config-if)# exit

ASA(config)# interface Vlan 3

ASA(config-if)# nameif test

ASA(config-if)# security-level 100

ASA(config-if)# ip address x.x.x.x y.y.y.y

The reason for the above order is the fact that you can not enable a third interface with the "nameif" command until you have a restriction in place. So you first create the new Vlan interface (without other configurations) and then move to the interface from which you want the restriction and apply it there. Then you are free to configure the third inteface as you see fit.

If you decide to use same "security-level" on the interface then you will naturally need the command enable that Peter above provided.

Hope this helps

- Jouni