08-13-2014 01:35 PM - edited 03-11-2019 09:37 PM
I have a slightly odd request due to audits. I am being asked to put an ASA firewall between 2 VLANs and the other VLANs on my 4510R+E. I thought I could just disable routing on the 2 VLANs on the switch and forward the traffic to the ASA, allowing it to act as the default router for the 2 VLANs that need to be segregated. My problem is I cannot get traffic to pass through correctly and think NAT is having an issue.
Setup

VLANs          ASA                      Switch
10.1.2.X  <->  10.1.2.1     (port 2)
10.1.0.X  <->  10.1.0.1     (port 1)
               10.1.100.30  (port 3) <-> 10.1.100.20
The ASA can ping the switch and the devices on the 2 VLANs on port 1 and port 2, but traffic will not pass correctly.
08-13-2014 02:12 PM
That should work as expected. First make sure that you disable NAT for that traffic as it's probably not needed. If your two interfaces have the same security-level, then you need the command "same-security-traffic permit inter-interface".
08-14-2014 06:31 AM
Setting the "permit traffic for same security level" did it. The one thing I overlooked. Thanks!
08-13-2014 02:24 PM
If you can share the firewall configuration, we can help better.
At a minimum, please run packet-tracer and let us know the outcome.
That ASA CLI tool (also available in the ASDM GUI) lets you trace a hypothetical flow through the ASA and identify the outcome. For example:
packet-tracer input [nameif assigned to port 2] tcp source 10.1.2.20 1025 10.1.200.20 80
In the example I used hypothetical host at 10.1.2.20 using source port 1025 trying to talk to the switch on port 80. The addresses and ports can be adjusted to suit your environment - just make sure not to use the ASA itself as the source address as that will give invalid results.
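The two answers above (the same-security-traffic / no-NAT fix, and the packet-tracer check) pulled together as one constructed ASA configuration. This is an added example, not the poster's configuration and not an official Cisco reference: the physical interface numbers, the nameif values (vlan0, vlan2, core), the security levels, the 10.1.0.0/16 summary for "the other VLANs", and the HTTPS-only permit on the core side are all assumptions chosen to match the addresses in the question.

```text
! --- ASA 9.x, constructed example: interface numbers and names are assumptions ---
interface GigabitEthernet0/0
 nameif vlan0
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif vlan2
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif core
 security-level 50            ! assumed: lower than the two segregated VLANs
 ip address 10.1.100.30 255.255.255.0
!
! Both VLAN interfaces sit at security-level 100, so the ASA drops vlan0<->vlan2
! traffic by default; this single line is what the accepted answer refers to.
same-security-traffic permit inter-interface
!
! The 4510 (10.1.100.20) is the next hop for everything else on the campus.
route core 0.0.0.0 0.0.0.0 10.1.100.20 1
!
! "Disable NAT for that traffic": if the ASA has no nat statements at all, nothing
! is translated and these rules are unnecessary. If it also does PAT for Internet
! access, identity (twice) NAT keeps the inter-VLAN flows untranslated.
object network VLAN0_NET
 subnet 10.1.0.0 255.255.255.0
object network VLAN2_NET
 subnet 10.1.2.0 255.255.255.0
object network CAMPUS_NET
 subnet 10.1.0.0 255.255.0.0   ! assumed summary of the other VLANs
nat (vlan0,vlan2) source static VLAN0_NET VLAN0_NET destination static VLAN2_NET VLAN2_NET no-proxy-arp route-lookup
nat (vlan0,core)  source static VLAN0_NET VLAN0_NET destination static CAMPUS_NET CAMPUS_NET no-proxy-arp route-lookup
nat (vlan2,core)  source static VLAN2_NET VLAN2_NET destination static CAMPUS_NET CAMPUS_NET no-proxy-arp route-lookup
!
! The audit requirement is segregation, so flows initiated from the lower-security
! core side need an explicit permit; everything else is denied and logged.
access-list CORE_IN extended permit tcp 10.1.0.0 255.255.0.0 10.1.2.0 255.255.255.0 eq 443
access-list CORE_IN extended deny ip any any log
access-group CORE_IN in interface core
!
! Let host-originated pings through the ASA statefully (otherwise echo replies
! from the other side are dropped even when the ASA itself can ping).
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- 4510R+E side (IOS), constructed: the SVIs for VLAN 0/2 are removed so the
! --- switch no longer routes them, and it learns the two subnets via the ASA.
! no interface Vlan2
! ip route 10.1.2.0 255.255.255.0 10.1.100.30
! ip route 10.1.0.0 255.255.255.0 10.1.100.30
!
! --- Verification, one trace per direction, as the second answer suggests ---
! packet-tracer input vlan2 tcp 10.1.2.20 1025 10.1.0.20 445
! packet-tracer input vlan0 tcp 10.1.0.20 1025 10.1.100.20 22
! packet-tracer input core  tcp 10.1.5.20 1025 10.1.2.20 443
```

Read the packet-tracer output phase by phase: a drop in the NAT phase means a translation rule still matches the flow, a drop in the ACCESS-LIST phase on the core trace means the CORE_IN entry does not cover it, and a drop with "implicit rule" between vlan0 and vlan2 means same-security-traffic permit inter-interface is missing. The source addresses in the traces are made-up hosts, never the ASA's own interface addresses.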