04-15-2010 12:29 PM - edited 03-11-2019 10:33 AM
Hello,
So I have an ASA5505 Security Plus with a couple VLANs:
interface Vlan1
 description LOCAL VLAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan50
 description TELEPHONE VLAN
 nameif telecom
 security-level 50
 ip address 192.168.50.1 255.255.255.0
And Vlan100 is the WAN (outside).
I have a machine on Vlan50 that needs to communicate with one machine on Vlan1.
How is this accomplished when the ASA is doing the Layer3?
Thanks for any help.
Solved!
04-15-2010 03:13 PM
With the ACL applied to the DMZ interface, you should be able to access 192.168.1.5 via any protocol (IP protocol).
Make sure that the server is allowed to receive connections from the source IP that you're coming from.
The ASA does not need an 'established' kind of rule like on routers to allow the traffic back.
Federico.
04-15-2010 01:43 PM
Hi,
If you need communication from VLAN 50 to VLAN 1, then you need a STATIC NAT and an ACL (because you come from a lower security interface to a higher security interface).
So, for example:
You want to communicate with machine 192.168.1.5
You need the following:
static (inside,telecom) 192.168.1.5 192.168.1.5
access-list telecom permit ip any host 192.168.1.5
access-group telecom in interface telecom
Just change the permit ip to the kind of traffic you wish to allow.
Federico.
04-15-2010 03:02 PM
Hi, thanks for the reply, very helpful!
One problem:
access-list telecomACL extended permit ip any host 192.168.1.5
access-list telecomACL extended permit icmp any any
I created the static as you said and applied the access-group.
From the Vlan50 I am now able to ping 192.168.1.5.
The only problem is, when I try to send mail via SMTP (192.168.1.5 is the email server), it times out. So I tried to RDP in, and that's refused, too.
So I'm thinking that since all ICMP is allowed, that's why pings are working, but while IP packets are being sent, Vlan1 isn't allowed to communicate back? Is this correct?
Is there an "allow established" entry I should be entering? I forget exactly what it is.
Thanks again
04-16-2010 07:59 AM
Damn,
So while I am now able to access 192.168.1.5 from Vlan50, Vlan50 is now *not* able to get out to the internet. I was able to before the ACL implementation.
I assume I need to allow traffic from the 'telecom' interface to the 'outside' interface.
What would this look like on an ASA?
access-list telecomOUT extended permit ip any any
access-group telecomOUT out interface outside
?
would that be it?
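To make the behaviour described across this thread concrete, here is a small Python model of the three ASA rules the posts touch on: without an ACL, traffic is implicitly allowed only from a higher security level to a lower one; once an ACL is bound inbound on an interface, that ACL (with its implicit deny at the end) decides everything entering that interface, which is why the telecom VLAN lost Internet access after telecomACL was applied; and reply packets are matched against the stateful connection table, so no "established" rule is needed. This is an added example, not code from the thread or from Cisco, and it is a simplification: it assumes an outside security level of 0, omits the static identity NAT, and uses constructed hosts 192.168.50.10, 203.0.113.80 and 192.168.1.9. The final two ACL lines that restore outbound access while still restricting access to the inside VLAN are an assumption of how one might continue the thread, not something a poster wrote.

```python
# Toy model of how an ASA applies interface security levels, interface ACLs
# and its stateful connection table. Added illustration, not Cisco code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    src: object              # ip_network
    dst: object              # ip_network
    dport: Optional[int] = None

    def matches(self, proto, src, dst, dport):
        if self.proto not in ("ip", proto):
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport

def _addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' from the token list."""
    t = tok.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tok.pop(0) + "/32")
    return ip_network(f"{t}/{tok.pop(0)}")   # dotted-netmask form

class Asa:
    def __init__(self, interfaces):
        self.ifaces = interfaces   # name -> {"level": int, "net": ip_network}
        self.acls = {}             # ACL name -> [Ace]; first match wins
        self.bindings = {}         # (interface, "in"|"out") -> ACL name
        self.conns = set()         # (proto, client, server, dport)

    def configure(self, line):
        tok = line.split()
        if tok[0] == "access-list":
            if tok[2] == "extended":
                del tok[2]
            name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
            src, dst = _addr(rest), _addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            self.acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif tok[0] == "access-group":   # access-group NAME in|out interface IF
            self.bindings[(tok[4], tok[2])] = tok[1]

    def _iface_for(self, addr):
        # Longest-prefix match; the 0.0.0.0/0 on outside catches everything else.
        hits = [n for n, i in self.ifaces.items() if addr in i["net"]]
        return max(hits, key=lambda n: self.ifaces[n]["net"].prefixlen)

    def _acl_verdict(self, iface, direction, proto, src, dst, dport):
        """None if no ACL is bound there; else first match, implicit deny at the end."""
        name = self.bindings.get((iface, direction))
        if name is None:
            return None
        for ace in self.acls.get(name, []):
            if ace.matches(proto, src, dst, dport):
                return ace.action == "permit"
        return False

    def new_connection(self, proto, src, dst, dport=None):
        src, dst = ip_address(src), ip_address(dst)
        ingress, egress = self._iface_for(src), self._iface_for(dst)
        ok = self._acl_verdict(ingress, "in", proto, src, dst, dport)
        if ok is None:   # no inbound ACL: only higher-to-lower security passes
            ok = self.ifaces[ingress]["level"] > self.ifaces[egress]["level"]
        if ok and self._acl_verdict(egress, "out", proto, src, dst, dport) is False:
            ok = False
        if ok:
            self.conns.add((proto, src, dst, dport))
        return ok

    def return_packet(self, proto, src, dst, dport=None):
        """Reply traffic is checked against the connection table, not the ACLs."""
        return (proto, ip_address(dst), ip_address(src), dport) in self.conns

INTERFACES = {   # levels from the thread; outside = 0 is an assumption
    "inside":  {"level": 100, "net": ip_network("192.168.1.0/24")},
    "telecom": {"level": 50,  "net": ip_network("192.168.50.0/24")},
    "outside": {"level": 0,   "net": ip_network("0.0.0.0/0")},
}

def walk_the_thread():
    """Replay the thread's configuration steps; returns a dict of verdicts."""
    asa = Asa(INTERFACES)
    phone, mail, web = "192.168.50.10", "192.168.1.5", "203.0.113.80"  # constructed
    out = {}
    out["before_smtp"] = asa.new_connection("tcp", phone, mail, 25)     # low -> high: blocked
    out["before_web"] = asa.new_connection("tcp", phone, web, 80)       # high -> low: allowed
    asa.configure("access-list telecomACL extended permit ip any host 192.168.1.5")
    asa.configure("access-list telecomACL extended permit icmp any any")
    asa.configure("access-group telecomACL in interface telecom")
    out["acl_ping"] = asa.new_connection("icmp", phone, mail)
    out["acl_smtp"] = asa.new_connection("tcp", phone, mail, 25)
    out["acl_rdp"] = asa.new_connection("tcp", phone, mail, 3389)
    out["smtp_reply"] = asa.return_packet("tcp", mail, phone, 25)       # no 'established' needed
    out["acl_web"] = asa.new_connection("tcp", phone, web, 80)          # implicit deny bites
    asa.configure("access-list telecomOUT extended permit ip any any")
    asa.configure("access-group telecomOUT out interface outside")
    out["outacl_web"] = asa.new_connection("tcp", phone, web, 80)       # already dropped on ingress
    # Assumed fix (not from the thread): keep inside restricted, permit the rest.
    asa.configure("access-list telecomACL extended deny ip any 192.168.1.0 255.255.255.0")
    asa.configure("access-list telecomACL extended permit ip any any")
    out["fixed_web"] = asa.new_connection("tcp", phone, web, 80)
    out["fixed_other_inside"] = asa.new_connection("tcp", phone, "192.168.1.9", 445)
    out["web_reply"] = asa.return_packet("tcp", web, phone, 80)
    return out

if __name__ == "__main__":
    for k, v in walk_the_thread().items():
        print(f"{k:20s} {'permit' if v else 'deny'}")
```

The model keeps ACL order significant, so the existing `permit ip any host 192.168.1.5` line still matches before the later `deny` for the inside network; on a real ASA the same ordering applies, and an outbound ACL on the outside interface cannot rescue a packet that the inbound ACL on telecom has already dropped.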