07-01-2019 01:02 PM - edited 02-21-2020 09:15 AM
Hi,
I currently have a vlan setup as below on a ASA5516, other ports are unconnected, this is connected to a Cat3650 switch with the vlans setup.
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.10
vlan 10
nameif A
security-level 0
ip address 10.50.0.30 255.255.255.224
!
interface GigabitEthernet1/2.12
vlan 12
nameif B
security-level 0
ip address 10.50.0.62 255.255.255.224
!
interface GigabitEthernet1/2.20
vlan 20
nameif C
security-level 0
ip address 10.50.0.126 255.255.255.192
My issue is, I can ping and access within the same VLAN, but am unsure how to go across VLANs, and this has to be restricted, so for example only port 80 access between VLANs A and B.
I have tried a few things but with no luck up to now. As you can probably guess, I am an absolute beginner with Ciscos, only ever used Fortinets before.
Please can somebody give me a starting point?
many thanks,
mark.
07-02-2019 02:58 AM
OK, I just tried something I've seen on a video using packet-tracer, and I get the following:
FW01# packet-tracer input D tcp 10.50.0.70 80 10.50.0.2 80 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbd661aea80, priority=1, domain=permit, deny=false
hits=2453, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Scada, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.50.0.2 using egress ifc B
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbd663c9d60, priority=110, domain=permit, deny=true
hits=2143, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Scada, output_ifc=any
Result:
input-interface: D
input-status: up
input-line-status: up
output-interface: B
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So it looks like the access list is automatically blocking any inter-VLAN traffic?
mark.
07-02-2019 03:10 AM
Hi,
Many thanks. It looks like it was a combination of things: it looks like the native VLAN was causing issues on the port, as now with no native VLAN and "inter" (yes I know, I would have thought "intra"?) specified, I can now access all VLANs from each other.
Many thanks for your help GRANT3779.
I'll mark you down as the answer.
thanks,
mark.
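For anyone landing here with the same question: the Phase 3 drop in the packet-tracer output above is the ASA's implicit deny, because all three sub-interfaces sit at security-level 0 and no ACL is applied, so traffic between them is dropped by default. The configuration below is an added example (not from the original thread or from Cisco) of the "inter" setting the thread refers to plus an ACL that allows only TCP/80 from VLAN A to VLAN B. The subnets are derived from the interface addresses in the first post; the object and ACL names are my own and can be anything.

```cisco
! Allow traffic between interfaces that share the same security level.
! Without this, same-security (0 <-> 0) traffic is dropped regardless of ACLs.
same-security-traffic permit inter-interface

! Network objects for the VLAN A and VLAN B subnets (/27s taken from the
! interface addresses 10.50.0.30/27 and 10.50.0.62/27).
object network NET-VLAN-A
 subnet 10.50.0.0 255.255.255.224
object network NET-VLAN-B
 subnet 10.50.0.32 255.255.255.224

! Inbound ACL on interface A: only HTTP from A to B, everything else denied
! and logged. Return traffic for the permitted flows is handled by the
! stateful inspection, so no mirror rule is needed on B for the replies.
access-list VLAN-A-IN extended permit tcp object NET-VLAN-A object NET-VLAN-B eq www
access-list VLAN-A-IN extended deny ip any any log

! Bind the ACL to traffic entering the ASA from VLAN A.
access-group VLAN-A-IN in interface A

! Verify with packet-tracer (host addresses below are made up for the test):
! an HTTP flow from A to B should end with "Action: allow", any other port
! should show "Drop-reason: (acl-drop) Flow is denied by configured rule".
!   packet-tracer input A tcp 10.50.0.10 40000 10.50.0.40 80
!   packet-tracer input A tcp 10.50.0.10 40000 10.50.0.40 22
```

Once an ACL is applied to an interface its final implicit deny replaces the default permit, so an interface left without an ACL (B and C here) can still initiate any traffic towards the others; apply an equivalent inbound ACL to each interface whose outbound traffic should be restricted.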