01-15-2013 02:51 PM - edited 03-11-2019 05:47 PM
I am currently in pre-production on a firewall and running into some areas where the configuration is beyond my skill level. We have 3 VLANs (DATA, VoIP, ISCSI) and need to have the ability to go back and forth between these VLANs freely.
Upon researching a bit I came up with the following configuration required in order to make this inter-VLAN routing work (8.2 firmware on ASA 5510):
static (Inside,ISCSI) Inside-DATA Inside-ISCSI netmask 255.255.0.0
static (Inside,VOIP) Inside-DATA Inside-VoIP netmask 255.255.0.0
static (ISCSI,Inside) Inside-ISCSI Inside-DATA netmask 255.255.0.0
static (VOIP,Inside) Inside-VoIP Inside-DATA netmask 255.255.0.0
global (Outside) 1 interface
nat (Inside) 1 Inside-DATA 255.255.0.0
nat (VOIP) 1 Inside-VoIP 255.255.0.0
nat (ISCSI) 1 Inside-ISCSI 255.255.0.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Upon updating to 9.1, I was lucky enough to get a spate of these:
The following 'nat' command didn't have a matching 'global' rule on interface 'Inside' and was not migrated.
nat (Inside) 1 Inside-DATA 255.255.0.0
The following 'nat' command didn't have a matching 'global' rule on interface 'VOIP' and was not migrated.
nat (Inside) 1 Inside-DATA 255.255.0.0
The following 'nat' command didn't have a matching 'global' rule on interface 'ISCSI' and was not migrated.
nat (Inside) 1 Inside-DATA 255.255.0.0
The following 'nat' command didn't have a matching 'global' rule on interface 'Inside' and was not migrated.
nat (VOIP) 1 Inside-VoIP 255.255.0.0
The following 'nat' command didn't have a matching 'global' rule on interface 'VOIP' and was not migrated.
nat (VOIP) 1 Inside-VoIP 255.255.0.0
The following 'nat' command didn't have a matching 'global' rule on interface 'ISCSI' and was not migrated.
nat (VOIP) 1 Inside-VoIP 255.255.0.0
I do not know what it will take to get the inter-VLAN routing working. Attached is my config minus some of the confidential info.
01-15-2013 03:38 PM
You don't need to specify any NAT rules if you don't need to NAT.
So I would remove all NAT rules that don't have an (xxx, outside) in the rule. Without these rules you can route through your VLANs. You still need ACLs on these interfaces to allow traffic.
And please don't attach your config as a Word file. A plain text file is better to handle.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
01-15-2013 03:38 PM
You don't need to specify any NAT-rules if you don't need to nat.
So I would remove all nat-rules that don't have an (xxx, outside) in the rule. Without these rules you can route through your vlans. You still need ACLs on these interfaces to allow traffic.
And please don't attach your config as Word-file. A plain textfile is better to handle.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
01-16-2013 02:03 PM
I replaced the Word document with an updated text document. Removed the NAT rules and put in ACLs:
object-group network AllVLANS
network-object Inside-ISCSI 255.255.0.0
network-object Inside-VoIP 255.255.0.0
access-list VOIP_access_in extended permit ip 10.5.0.0 255.255.0.0 10.8.0.0 255.255.0.0
access-list Inside_access_in extended permit ip object-group AllVLANS 10.5.0.0 255.255.0.0
access-list ISCSI_access_in extended permit ip 10.5.0.0 255.255.0.0 object Inside-ISCSI-01
So this, along with same-security-traffic permit inter-interface, should allow the "Inside 10.5.0.0" VLAN to access the ISCSI and VoIP networks?
Thanks for the help, greatly appreciated by this Cisco padawan.
01-16-2013 02:31 PM
I think you screwed up your ACLs ...
The source is the network that is sitting on a specific interface, the destinations are the other networks. With that you need the following ACLs:
access-list Inside_access_in extended permit ip 10.5.0.0 255.255.0.0 object-group AllVLANS
access-list VOIP_access_in extended permit ip 10.8.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list ISCSI_access_in extended permit ip object Inside-ISCSI-01 10.5.0.0 255.255.0.0
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
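The two replies above boil down to three things: drop the identity statics and interface NAT for inter-VLAN traffic, keep only the PAT towards the Internet, and write each inbound ACL with the local subnet as source. The following is an added example that pulls those points into one 9.1-syntax configuration; it is not the original poster's config or the replier's. Interface names (Inside, VOIP, ISCSI, Outside), object names (Inside-DATA, Inside-VoIP, Inside-ISCSI-01) and the 10.5.0.0/16 and 10.8.0.0/16 ranges are from the thread. The 10.9.0.0/16 iSCSI range, equal security levels on the three internal interfaces, and the decision to expose only tcp/3260 on the storage VLAN are assumptions made for the example.

```text
! Added example, not the original poster's or the replier's configuration.
! ASA 9.1 syntax. ASSUMED: iSCSI range 10.9.0.0/16, all three internal
! interfaces at the same security level, iSCSI targets listening on tcp/3260.

object network Inside-DATA
 subnet 10.5.0.0 255.255.0.0
 ! Internet access: 8.3+ object NAT replaces the pre-8.3
 ! "global (Outside) 1 interface" + "nat (Inside) 1 ..." pair.
 nat (Inside,Outside) dynamic interface
object network Inside-VoIP
 subnet 10.8.0.0 255.255.0.0
 nat (VOIP,Outside) dynamic interface
object network Inside-ISCSI-01
 subnet 10.9.0.0 255.255.0.0
 ! no nat line on purpose: the storage VLAN has no business on the Internet

! Inter-VLAN traffic needs no NAT statement at all. The old
! "static (Inside,ISCSI) Inside-DATA Inside-ISCSI ..." identity statics
! are simply dropped; the ASA routes between its own interfaces.

! All three internal interfaces share a security level, so forwarding
! between them must be enabled explicitly. The intra-interface form
! (hairpinning on one interface) is not needed for inter-VLAN routing.
same-security-traffic permit inter-interface

! Inbound ACL rule of thumb: source = the subnet living on the interface
! the ACL is applied to, destination = the other VLANs. Same-security
! interfaces pass everything when no ACL is applied, so these ACLs exist
! to narrow the iSCSI exposure rather than to open things up. The ASA is
! stateful: only the initiating direction needs a permit.
! Order matters: the ISCSI entries sit before the "any4" line, otherwise
! "permit ip ... any4" would also match DATA -> ISCSI on every port.
access-list Inside_access_in extended permit tcp object Inside-DATA object Inside-ISCSI-01 eq 3260
access-list Inside_access_in extended permit icmp object Inside-DATA object Inside-ISCSI-01 echo
access-list Inside_access_in extended deny ip object Inside-DATA object Inside-ISCSI-01 log
access-list Inside_access_in extended permit ip object Inside-DATA object Inside-VoIP
access-list Inside_access_in extended permit ip object Inside-DATA any4
access-list Inside_access_in extended deny ip any4 any4 log

access-list VOIP_access_in extended deny ip object Inside-VoIP object Inside-ISCSI-01 log
access-list VOIP_access_in extended permit ip object Inside-VoIP object Inside-DATA
access-list VOIP_access_in extended permit ip object Inside-VoIP any4
access-list VOIP_access_in extended deny ip any4 any4 log

! Storage targets never need to open sessions towards DATA; replies to the
! initiators' tcp/3260 sessions come back through the connection table.
! ICMP replies need an explicit permit unless "inspect icmp" is enabled.
access-list ISCSI_access_in extended permit icmp object Inside-ISCSI-01 object Inside-DATA echo-reply
access-list ISCSI_access_in extended deny ip any4 any4 log

access-group Inside_access_in in interface Inside
access-group VOIP_access_in in interface VOIP
access-group ISCSI_access_in in interface ISCSI
```

To check the result before putting hosts on the VLANs, trace a synthetic packet through the box from the DATA side, e.g. packet-tracer input Inside tcp 10.5.0.10 40000 10.9.0.10 3260 should end in ALLOW with no NAT phase, while the same trace to port 445 should be dropped by the ACL. Dropping the NAT statements also removes the identity-static ambiguity that produced the "was not migrated" messages during the 9.1 upgrade.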
01-16-2013 02:34 PM
Makes perfect sense. Thanks for the help!