09-22-2010 10:18 PM - edited 03-11-2019 11:43 AM
Hi All,
I am in a kind of dilemma designing my network for inter-VLAN routing. Here is the scenario:
I have 1 ASA-5510, 1 outside interface and 2 inside interfaces. Both inside interfaces were working perfectly for internet. Now we have a requirement to configure those 1 interfaces in such a manner that both inside interfaces can communicate with each other.
Also, we need to define 3 more IP networks for our network.
What I did: I disturbed 1 inside interface and created subinterfaces with static IPs on it. Now I am not able to get internet connectivity if I change the host IP to a specific range.
We don't have a manageable switch.
Please help.
I am looking for 2 things
1.> Will I be able to get all the subinterfaces communicating with each other, with internet connectivity?
2.> If not, can I create communication between 2 inside interfaces without creating subinterfaces?
09-23-2010 04:20 AM
The answer to both your questions is YES.
Looking at your current configuration, you are missing the following command for connectivity between all the internal networks:
same-security-traffic permit inter-interface
For connectivity to the internet from all the internal networks, you are missing the following commands:
nat (inside-VL15) 1 192.168.15.0 255.255.255.0
nat (inside-VL17) 1 192.168.17.0 255.255.255.0
nat (inside-VL18) 1 192.168.18.0 255.255.255.0
nat (inside-VL19) 1 192.168.19.0 255.255.255.0
Hope that helps.
09-23-2010 11:58 AM
Hi,
I tried the config but I am not able to get the connection up.
For now we changed the scenario and are using 1 outside interface and 3 inside interfaces.
All 3 of these interfaces are communicating with the outside interface.
Please let me know how I should configure these 3 interfaces to communicate with each other.
09-23-2010 01:55 PM
Could you post your current show version?
For the interfaces to communicate with each other, all the interfaces will need the SAME security level, let's say 100, and the command same-security-traffic permit inter-interface.
09-23-2010 05:34 PM
09-23-2010 08:58 PM
Apart from the same-security commands, you need to do u-turning on the router.
Firstly, I assume your requirement is such that you do not want to NAT the hosts when they need to talk internally.
So we need to exempt NAT for the traffic between one inside interface and the other, so just add these networks to the NAT exemption access-list you already have.
You can add this traffic to this ACL: access-list inside_nat0_outbound
for example for between vl17 to vl
access-list inside_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.15.0 255.255.255.0
Do the same for the rest of the traffic.
Once you do that you will be able to ping and pass UDP traffic, but you might have problems with TCP; if so, then do TCP state bypass by following the link below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
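Added example, not part of the thread or of any poster's configuration: a small Python check that reads NAT exemption ACL entries in the form quoted above and lists the entries still missing for every ordered pair of internal networks ("do the same for the rest of the traffic"). The network list is taken from the nat statements earlier in the thread; the sample config is constructed from the one ACL line quoted above, and the function names are hypothetical. It does not check which interface the ACL is bound to.

```python
import ipaddress
import itertools
import re

# Internal networks named in the thread's nat statements.
INTERNAL = ["192.168.15.0/24", "192.168.17.0/24", "192.168.18.0/24", "192.168.19.0/24"]

# Constructed sample: the single exemption entry quoted in the thread.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.15.0 255.255.255.0
"""

# Matches only the "network mask network mask" form shown in the thread.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)

def parse_exemptions(config, acl_name):
    """Return the set of (source, destination) networks permitted by acl_name."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m["name"] != acl_name:
            continue
        try:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}")
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}")
        except ValueError:
            continue  # not a valid network/mask pair; skipped
        pairs.add((src, dst))
    return pairs

def missing_exemptions(config, acl_name, networks):
    """List ACL lines needed so every ordered pair of networks is exempted."""
    nets = [ipaddress.ip_network(n) for n in networks]
    have = parse_exemptions(config, acl_name)
    missing = []
    for src, dst in itertools.permutations(nets, 2):
        # An existing entry covers the pair if both ends fall inside it.
        if any(src.subnet_of(s) and dst.subnet_of(d) for s, d in have):
            continue
        missing.append(f"access-list {acl_name} extended permit ip "
                       f"{src.network_address} {src.netmask} "
                       f"{dst.network_address} {dst.netmask}")
    return missing

if __name__ == "__main__":
    print("\n".join(missing_exemptions(SAMPLE_CONFIG, "inside_nat0_outbound", INTERNAL)))
```

Entries must exist in both directions for each pair, which is why the check walks ordered pairs rather than combinations.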