ASA 5505 Managing Inter-VLAN comms

josh
Community Member

I'm starting to set up VLANs on my ASA and having a bit of trouble getting inter-VLAN to work.

Previously, i had VLAN1 (inside interface) and VLAN2 (outside interface).

I've added VLAN31 and assigned it to a port. I configured DHCP and Dynamic PAT for VLAN31 and it now has internet connection.

VLAN1 and VLAN31 are both security level 100.

The implicit ACL for "permit traffic to less secure" was automatically created.

I believe all I need to do to enable cross-VLAN communication at this point is change the implicit over to SAME level, instead of less.

Can't figure out how to do this in ASDM 6.4.

When I try to create an ACL to allow traffic from VLAN31 to VLAN1 it overwrites the "less secure" ACL. I'm not sure if this would disturb communication to VLAN2 (security level 0), so I haven't applied it (it's during business hours).

Any advice would be appreciated.

Thanks,

3 Replies

Marius Gunnerud
VIP Alumni

The security levels are only used so long as there is no ACL applied to the interface. I look at it as a fall-back in case the interface ACL is removed, so there is some kind of protection at least.  If you do add an ACL to an interface, be sure that you allow traffic to all networks that need to be reached.  Optionally, add deny statements for subnets that traffic should not be able to reach and then add a permit IP any any at the end.  Keep in mind that permit IP any any should never be applied to the outside interface.

What ASA model are you using? From the way you are describing the setup it sounds like it is an ASA5505.  If this is the case, make sure you have the Security Plus license installed.

--

Please remember to select a correct answer and rate helpful posts


josh
Community Member

It is a 5505. It is licensed for 20 VLANs.

I've checked the box on the interfaces tab of ASDM to allow same-level communication.

I've also run the command from the terminal to allow same-level communication. I've confirmed this took effect through a show running-config, and it shows this is set.
The ASA still has the implicit "any less secure network" rule for both of the VLANs / interfaces.

I tried to write ACLs to allow communication between the VLANs, but this "un-did" the implicit rules and took down internet access. I spent about 30 minutes trying to build up all of the ACLs I'd need, but wasn't having any luck, so I pulled out the ACLs to get the system running again.

Some pointers or a guide for writing ACLs on the ASA5505 would be very helpful.

Thanks

You have to understand that security levels are only in effect if there is no access-list assigned to the interface.  Once you assign an ACL to the interface, the implicit deny at the end of the list will take effect.

Writing ACLs is not that hard.  Place all your deny statements at the top of the list so if subnet x.x.x.0/25 should not be able to reach subnet y.y.y.0/24 then add a deny rule for this at the top of the list and then a permit IP any any for internet access.  Once you have your deny statements in place and the permit IP any any at the end then you can start to add permit statements (if needed) for specific addresses in the y.y.y.0/24 subnet.  Remember that the outside interface, or internet facing interface should never have a permit IP any any in it.

You can also run a packet-tracer to simulate a packet passing through the ASA to see if it will be dropped or not. Run it in both directions, as it only checks rules from the ingress interface to the egress interface and not for the return traffic, though return traffic should be taken care of by the connection's entry in the state table.

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Also, if you are using ping to test, be sure that the ASA is inspecting ICMP:

policy-map global_policy
 class inspection_default
  inspect icmp

What ASA version are you running?

--

Please remember to select a correct answer and rate helpful posts
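The following ASA configuration is an added illustration of the layout both replies describe (deny rules at the top, permit ip any any at the end on the inside-facing interfaces only, nothing bound to outside), followed by the packet-tracer checks in both directions. It is not taken from the thread or from Cisco documentation; the interface names (`inside`, `vlan31`, `outside`), subnets and host addresses are constructed assumptions chosen to match the poster's VLAN1 / VLAN31 / VLAN2 layout.

```cisco
! Added example, not from the thread. Names and addresses are constructed:
!   VLAN1  -> nameif inside   192.168.1.0/24    security-level 100
!   VLAN31 -> nameif vlan31   192.168.31.0/24   security-level 100
!   VLAN2  -> nameif outside  (internet)        security-level 0
!
! Two level-100 interfaces cannot talk until this is set (the poster has it):
same-security-traffic permit inter-interface
!
! ---- ACL applied inbound on the inside (VLAN1) interface ----
! Deny rules first: keep VLAN1 away from a constructed management host on VLAN31.
access-list INSIDE_IN extended deny ip 192.168.1.0 255.255.255.0 host 192.168.31.5
! Then permit everything else, which covers the rest of VLAN31 and the internet.
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! ---- ACL applied inbound on the vlan31 interface ----
! The ASA evaluates top-down, first match wins, so a targeted exception must sit
! above the broader deny it carves out of. Here one VLAN31 host may reach a file
! server on VLAN1 over SMB; every other VLAN31 -> VLAN1 flow is denied.
access-list VLAN31_IN extended permit tcp host 192.168.31.20 host 192.168.1.10 eq 445
access-list VLAN31_IN extended deny ip 192.168.31.0 255.255.255.0 192.168.1.0 255.255.255.0
! Permit everything else, i.e. internet via the existing dynamic PAT.
access-list VLAN31_IN extended permit ip any any
access-group VLAN31_IN in interface vlan31
!
! No access-group on outside: with nothing bound there, the security-level-0
! behaviour (implicit deny toward the level-100 interfaces) stays in place.
!
! ---- Verification from enable mode, run in both directions ----
! packet-tracer input vlan31 tcp 192.168.31.20 50000 192.168.1.10 445
! packet-tracer input inside tcp 192.168.1.10 445 192.168.31.20 50000
! packet-tracer input vlan31 tcp 192.168.31.30 50000 192.168.1.10 445
!   the third one hits the deny line and should report the drop in the
!   ACCESS-LIST phase, confirming the ordering is correct before go-live.
```

Because binding any ACL replaces the "permit to less secure" behaviour with the list's own implicit deny, the trailing permit ip any any on the inside-facing interfaces is what preserves the internet access that was lost when the poster first tried this. Build the list in full (denies, exceptions, final permit) before applying the access-group, and use the packet-tracer lines to check each intended allow and deny rather than testing against production traffic during business hours.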
