Can ASA 5510 do Inter VLAN routing ?

wasanthak
Level 1

Can ASA 5510 do VLAN routing between multiple VLANS?

I have a customer with a 2960 48-port switch and an ASA 5510. Ideally we want the ASA 5510 to act as an L3 device in addition to a firewall. I read the Cisco docs and found out 802.1q VLANs/sub-interfaces are supported, plus we know the ASA supports routing. So I assume it is possible.

Does anyone have practical experience deploying this type of setup?

8 Replies

Collin Clark
VIP Alumni

It supports routing, meaning it "talks" RIP/OSPF, but it is not a router. It can do what you want, but the performance may not be what you want. Set up the physical interface as a trunk and create sub-interfaces under that. See the examples below.

interface Ethernet2
 description Trunk Only! DO NOT CONFIGURE!!
 speed 100
 duplex full
 no nameif
 security-level 10
 no ip address
!
interface Ethernet2.55
 description WEB DMZ
 vlan 55
 nameif web
 security-level 95
 ip address 192.168.252.254 255.255.255.0 standby 192.168.252.253
!
interface Ethernet2.100
 description FTP DMZ
 vlan 100
 nameif ftp
 security-level 10
 ip address 192.168.247.254 255.255.255.0 standby 192.168.247.253
!

SWITCHPORT CONFIG

interface FastEthernet0/47
 description Connection to PIX
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 55,100
 switchport mode trunk
 duplex full
 speed 100
 spanning-tree portfast

Thank you for the reply.

Hmm, that means traffic from one VLAN to another must be inspected by the ASA. Is there any way to bypass the traffic inspection between VLANs? The same security level for the VLANs, perhaps?

Exactly, and check out the command 'same-security-traffic permit inter-interface'.

That does not work for clear-text traffic. As of now it is only for IPsec traffic. So the best solution in your case is the one given above, configuring the sub-interfaces.

OK, it did not go well. Here is what I did.

On the ASA 5510 running 7.0:

interface Ethernet0/0
 duplex full
 no nameif
 security-level 10
 no ip address
!
interface Ethernet0/0.1
 description Management VLAN
 vlan 1
 nameif MGMT
 security-level 95
 ip address 10.150.10.1 255.255.255.0
!
interface Ethernet0/0.2
 description Server VLAN
 vlan 2
 nameif ftp
 security-level 10
 ip address 10.150.20.1 255.255.255.0
!

2960 Switch Config

interface G0/44
 description Connection to ASA
 switchport trunk allowed vlan all
 switchport mode trunk
 duplex full
 speed 100

I checked that the trunking was 802.1q, since this IOS did not allow "switchport trunk encapsulation dot1q".

I can't ping between VLAN 1 and VLAN 2.

And I did use the "same-security permit inter-vlan".

Anything I am missing here?

Thanks

Hi. Assuming int g0/44 on your switch is connected to port Ethernet0/0 of the ASA, then the config seems OK. HOWEVER, you also need to configure NAT and access-lists in order to get traffic flowing between interfaces. Remember, traffic from higher priority will flow to the lower by default, but you also need to configure nat/global pairs. Traffic from lower to higher security will not flow by default. You need to specifically allow this and use static NATs for it. Confused? A quick example:

For traffic from VLAN 1 to VLAN 2 you need:

nat (MGMT) 1 0 0
global (ftp) 1 interface
access-list Inside_Out extended permit ip any any
access-group Inside_Out in interface MGMT

For traffic from VLAN 2 to VLAN 1 you would need:

static (MGMT,ftp) x.x.x.x y.y.y.y netmask 255.255.255.255
access-list Outside_In extended permit ip any host x.x.x.x
access-group Outside_In in interface ftp

where x.x.x.x is the IP address you need to reach from VLAN 2 and y.y.y.y is the real IP address of the device located on VLAN 1.

Make sure to enable application inspection by enabling the default global-policy (disabled by default); otherwise you might find that pings do not work between interfaces:

policy-map global-policy
 class global-class
  inspect sqlnet
  inspect h323 ras
  inspect xdmcp
  inspect tftp
  inspect icmp error
  inspect rtsp
  inspect sunrpc
  inspect mgcp
  inspect esmtp
  inspect netbios
  inspect sip
  inspect pptp
  inspect ctiqbe
  inspect snmp
  inspect http
  inspect icmp
  inspect rsh
  inspect ftp
  inspect ils
  inspect h323 h225
  inspect dns
  inspect skinny

I hope it helps. Please rate if it does!

Thank you. I will try the changes today and let you guys know.

I made all three interfaces the same security level, 100, and used "same-security permit inter-interface". I assume with this approach I don't have to create NAT/access-lists, but that did not make any difference.

To expand on Fernando's post, instead of creating NATs and globals, it might be easier to move the traffic using what I call subnet statics, such as:

static (inside,dmz) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
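A small checker for the situation discussed in this thread, added here as an example (it is not code from any of the posters or from Cisco): it parses the ASA sub-interfaces and the 2960 trunk line, and reports what the ASA's security-level rules do with a given VLAN pair before any NAT or access-list is considered. The sample config is constructed from the one posted above; the function names and the same_sec flag (whether 'same-security-traffic permit inter-interface' is configured) are my own.

```python
import re

# Constructed sample, adapted from the ASA 7.0 sub-interface config in this thread.
ASA_CONFIG = """
interface Ethernet0/0.1
 vlan 1
 nameif MGMT
 security-level 95
interface Ethernet0/0.2
 vlan 2
 nameif ftp
 security-level 10
"""

def parse_subinterfaces(cfg):
    """Map each nameif to its dot1q VLAN and security level."""
    ifaces, cur = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("interface "):
            cur = {}                       # start a new interface block
        elif cur is not None and line.startswith("nameif "):
            ifaces[line.split()[1]] = cur  # same dict keeps filling below
        elif cur is not None and line.startswith("vlan "):
            cur["vlan"] = int(line.split()[1])
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
    return ifaces

def trunk_allows(switch_cfg, vlan):
    """True if the switch trunk carries the VLAN ('all', a list, or ranges)."""
    m = re.search(r"switchport trunk allowed vlan (.+)", switch_cfg)
    if not m or m.group(1).strip() == "all":
        return True                        # default trunk carries every VLAN
    allowed = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.strip().partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return vlan in allowed

def default_flow(ifaces, src, dst, same_sec):
    """ASA interface-level default for src -> dst, before NAT and access-lists.
    same_sec: whether 'same-security-traffic permit inter-interface' is set."""
    s, d = ifaces[src]["level"], ifaces[dst]["level"]
    if s > d:
        return "permitted: higher to lower security"
    if s == d:
        return "permitted: equal levels with same-security-traffic" if same_sec else \
               "blocked: equal levels need same-security-traffic permit inter-interface"
    return "blocked: lower to higher needs an access-list applied in on " + src
```

Running it against the poster's config shows MGMT (95) to ftp (10) is allowed at the interface level while ftp to MGMT is not, which is why the replies above add an access-list on the lower-security interface.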
