01-19-2017 03:18 AM - edited 03-12-2019 01:48 AM
Hello everyone, I am new to ASA. I want to set up an ASA 5525 on a local network in which there are VLANs (VLAN print, VLAN server, VLAN client, VLAN wifi, VLAN DMZ).
I want to know how I can configure it so that the print, server and client VLANs communicate with each other.
And the DMZ must be reachable publicly and internally by the server and client VLANs.
thank you in advance
01-21-2017 06:43 AM
We would need to know more about your network setup to provide a suggestion for configuration. For example, is each VLAN connecting to its own ASA interface, or will there just be one interface or a port-channel configured with subinterfaces?
If you are setting this up using a single interface or bundled etherchannel interface then you would need to configure subinterfaces on the ASA, assign the vlan to each interface using the vlan "vlan number" command and then configure the switch interface connecting to the ASA as a trunk.
Marvin has already explained how to do it if each will be connected to their own interface.
--
Please remember to select a correct answer and rate helpful posts
01-27-2017 08:51 AM
If they are same security level then you only need to add "same-security traffic inter-interface" command.
If they are different security levels then by default higher security can talk to lower security unless you have an ACL on the input of the higher security interface - then you would need to explicitly allow the traffic in the ACL.
Similarly, lower security needing to talk to higher security needs an explicit ACL applied on the lower security interface (input direction).
See this thread for some earlier discussion on this topic:
https://supportforums.cisco.com/discussion/13008881/asa-same-security-traffic-permit-inter-interface-vs-access-list-permitdeny
01-27-2017 08:51 AM
Hello,
My architecture is:
For the internal VLANs (they share the same physical interface via subinterfaces):
VLAN 2 server (172.16.1.0/24)
VLAN 3 desktop (172.16.2.0/24)
VLAN 4 printer (172.16.3.0/24)
and
VLAN 5 DMZ (172.16.4.0/24)
The DMZ VLAN has its own physical interface. I have a web application server in the DMZ which must communicate with a server in VLAN 2 for MSSQL replication.
01-28-2017 06:50 PM
Are VLANs 2, 3 and 4 the same security level?
04-04-2017 01:45 AM
hello
yes
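Putting the two replies above together with the VLANs and subnets the poster listed, the following is an added example ASA configuration (it is not from any post in this thread). The interface names, security levels, the host addresses of the DMZ web server and the VLAN 2 SQL server, and the ACL name are assumptions; the subnets are the ones the poster gave.

```cisco
! Added example, not from any post in this thread. Interface names, security
! levels, host addresses and the ACL name are assumptions.
interface GigabitEthernet0/1
 description Trunk to the inside switch (switch port configured as a trunk)
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.2
 vlan 2
 nameif servers
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 vlan 3
 nameif desktops
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet0/1.4
 vlan 4
 nameif printers
 security-level 100
 ip address 172.16.3.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Dedicated physical interface for the DMZ
 nameif dmz
 security-level 50
 ip address 172.16.4.1 255.255.255.0
!
! VLANs 2, 3 and 4 all sit at security-level 100, so traffic between
! them needs only this command; no ACL is required.
same-security-traffic permit inter-interface
!
! servers (100) may initiate to dmz (50) by default because no ACL is
! applied inbound on the servers interface. The DMZ web server initiating
! MSSQL replication toward the VLAN 2 SQL host goes from lower to higher
! security, so it needs an explicit permit applied inbound on dmz.
! Only that one flow is allowed into the internal ranges; everything
! else from the DMZ toward 172.16.0.0/16 is denied, Internet-bound
! traffic is still permitted. Host addresses are assumed values.
object network DMZ-WEB
 host 172.16.4.10
object network SQL-SERVER
 host 172.16.1.10
access-list DMZ_IN extended permit tcp object DMZ-WEB object SQL-SERVER eq 1433
access-list DMZ_IN extended deny ip any 172.16.0.0 255.255.0.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

Verify the result with `show access-list DMZ_IN` (hit counts) and `packet-tracer input dmz tcp 172.16.4.10 12345 172.16.1.10 1433`, which shows whether the flow is allowed and by which rule.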