Cisco ASA 5555 X with FTD Specific subinterface communication

pankajsingh87
Level 1

Hi,

In the case of multiple sub-interfaces with the same security level, I only want specific ones to talk to each other. Would ACLs be used in this case?

Also, would there be any need to NAT the traffic?

Are there any specific licensing requirements to create VLAN subinterfaces?

Thanks,

2 Replies

Hi @pankajsingh87

Via ASDM you uncheck the option:

"enable traffic between two or more interfaces with same security level"

Then you need ACL to permit traffic between subinterfaces.

A license is not necessary, and NAT is necessary for internet access and in some specific situations between inside networks.

-If I helped you somehow, please, rate it as useful.-

Julio Carvajal
VIP Alumni

Hi There,

In the case of multiple sub-interfaces with the same security level, I only want specific ones to talk to each other. Would ACLs be used in this case?

A/ If you want to filter traffic between interfaces or sub-interfaces with the same security level you will have to use ACLs (do not enable the "same-security-traffic permit inter-interface" feature, as that would do the opposite of what you are looking for).

Also, would there be any need to NAT the traffic?

A/ You got to be careful in here!!! NAT should only be used when you need it (for example when having to use a public IP to be routable).

In this case I would assume the sub-interfaces are private IP addresses so NAT won't be needed.

Are there any specific licensing requirements to create VLAN subinterfaces?

No, there are not.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
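The design the two replies describe (several same-security VLAN subinterfaces, ACLs deciding which ones may talk, no NAT between private subnets), written out in ASA CLI syntax as an added example that is not from the thread or from Cisco; the interface names, VLAN IDs and 10.1.x.0/24 subnets are constructed. The global same-security command is shown enabled because, with it left at its disabled default, no same-security pair can talk at all; once it is on, the inbound ACLs are the only thing selecting the allowed pair.

```cisco
! Parent port carries the 802.1Q trunk; it gets no nameif of its own
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! Three subinterfaces at the same security level (constructed VLANs/subnets)
interface GigabitEthernet0/1.10
 vlan 10
 nameif dept-a
 security-level 50
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dept-b
 security-level 50
 ip address 10.1.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif dept-c
 security-level 50
 ip address 10.1.30.1 255.255.255.0
!
! Global switch: lets same-security interfaces exchange traffic at all.
! Which pairs actually may is then decided only by the per-interface ACLs below.
same-security-traffic permit inter-interface
!
! dept-a <-> dept-b allowed, dept-c isolated from both.
! Each ACL is applied inbound on the interface where traffic arrives and ends
! with an explicit logged deny so blocked attempts show up in syslog.
access-list DEPT-A-IN extended permit ip 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list DEPT-A-IN extended deny ip any any log
access-group DEPT-A-IN in interface dept-a
!
access-list DEPT-B-IN extended permit ip 10.1.20.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list DEPT-B-IN extended deny ip any any log
access-group DEPT-B-IN in interface dept-b
!
! dept-c may originate nothing toward the other subinterfaces (add permits here
! if it needs outbound access elsewhere, e.g. to an outside interface).
access-list DEPT-C-IN extended deny ip any any log
access-group DEPT-C-IN in interface dept-c
!
! No NAT statements: all three subnets are private (RFC 1918) and routed directly,
! matching the replies' advice that NAT is needed only for internet-bound traffic.
```

To check the result before cutting over, run `packet-tracer input dept-a tcp 10.1.10.5 40000 10.1.20.5 445` (should end in ALLOW) and the same with destination 10.1.30.5 (should end in DROP at the ACCESS-LIST phase), which also shows whether the same-security setting, not the ACL, is what is blocking a flow.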