VLAN Communication on ASA5510

jacobdixon (Level 1)

Hey there!

I have a working environment, but I am wondering if there is a better way to accomplish what I am trying to do (without a layer 3 or 4 switch). Basically I have a few sub-interfaces on my Cisco ASA5510.

What I need is for some of the VLANs to communicate with specific devices on the other VLANs. So for example I need computer 1 from VLAN 5 to communicate with 192.168.10.5 from VLAN 10 on ports 80 and 443. Is there a good way to accomplish this?

What I am currently doing is setting the security level to 100 on each interface (including the DMZ).

Here is what I have:

interface Ethernet0/1.5
 vlan 5
 nameif Sub5
 security-level 100
 ip address 192.168.4.254 255.255.255.0
!
interface Ethernet0/1.95
 vlan 95
 nameif Sub95
 security-level 100
 ip address 192.168.1.203 255.255.255.0
!
same-security-traffic permit inter-interface
!
access-list Sub95_nat_static_1 extended permit ip 192.168.1.0 255.255.255.0 host 192.168.4.15
static (Sub95,Sub5) 192.168.1.0 access-list Sub95_nat_static_1
static (Sub5,Sub95) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

Now I am doing this all with ASDM 6.4. My ASA image is 805-K8.

Is there an easier way to accomplish this than what I am doing? It just seems like a ton of NATs and whatnot. I am mostly using ASDM and not the shell. I am also wondering how to allow more of a one-way communication: sub-interface 95 should be able to communicate on certain ports and IP addresses with sub-interface 5, but sub-interface 5 should not be able to communicate with 95.

5 Replies

Instead of using static translations you can use NAT exemption, where you tell your ASA that traffic you specified in a nat0 ACL (for example Net5 to Net95) should not be translated. Then you apply an ACL to every interface and only allow the traffic you want.


Sorry for the novice questions but I'm just not very familiar with Cisco.

So do you mean something like:

access-list Sub5_nat0_outbound line 1 extended permit ip any 192.168.1.0 255.255.255.0
nat (Sub5) 0 access-list Sub5_nat0_outbound tcp 0 0 udp 0
access-list Sub95_nat0_outbound line 18 extended permit ip any 192.168.4.0 255.255.255.0

What else would I need to do?

I am getting the NAT exemption to work and I can pass traffic, but I am having issues limiting what traffic is allowed or not allowed with the ACL.

Sorry for the post. I think I have it figured out.

So after doing the NAT exemption, if the security levels are the same they can communicate 100% on every port and every host.

So I put in an access list so Sub95 can talk to Sub5.

Basically I had to put an ACL on the Sub95 interface so it could talk to Sub5 (192.168.4.15) on port 25, then put a deny rule in after that for traffic going to that subnet, then put a permit rule in for any any so it can get out to the internet.

access-list Sub95_access_in extended permit tcp any host 192.168.4.15 eq smtp
access-list Sub95_access_in extended deny ip any object-group Inside_Networks
access-list Sub95_access_in extended permit ip any any

Yes, one ACL for NAT where you only specify the IP traffic from network to network. And every interface gets its own access ACL with the specific allowed communication.

I typically write that ACL differently:

access-list DMZ1-ACCESS-IN permit ... first line with permit to inside
access-list DMZ1-ACCESS-IN permit ... second line with permit to inside
access-list DMZ1-ACCESS-IN deny ip any object-group RFC1918
access-list DMZ1-ACCESS-IN permit ... here comes the permitted access to the internet

As all my current and future inside networks are in the RFC1918 range, I don't have to touch that deny line when I add an additional IP subnet to one of the inside interfaces.

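Putting the two accepted answers together, here is a complete configuration for the thread's scenario in the pre-8.3 syntax the original poster is running (8.0(5)). This is an added example, not the configuration either participant posted. The interface definitions, the subnets, the host 192.168.4.15 on port 25, the ACL names Sub95_access_in, Sub5_nat0_outbound and Sub95_nat0_outbound, and the object-group name RFC1918 are taken from the thread; the ACL name Sub5_access_in and the contents of the RFC1918 object-group are assumptions for illustration. ASA 8.3 and later replaced nat 0 and static with object NAT, so the NAT section would have to be rewritten there.

```cisco
! Sub-interfaces, as in the original post. Equal security levels plus
! same-security-traffic mean the ASA forwards freely between them until
! an ACL is bound to the interface.
interface Ethernet0/1.5
 vlan 5
 nameif Sub5
 security-level 100
 ip address 192.168.4.254 255.255.255.0
!
interface Ethernet0/1.95
 vlan 95
 nameif Sub95
 security-level 100
 ip address 192.168.1.203 255.255.255.0
!
same-security-traffic permit inter-interface
!
! All private address space in one object (assumed contents), so the deny
! line below never needs editing when an inside subnet is added.
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! NAT exemption (nat 0) replaces the two static lines from the original
! post: the two subnets see each other's real addresses. Exemption is
! bidirectional, so the Sub5 entry alone would suffice; the mirrored
! Sub95 entry is what ASDM writes and does no harm. Exemption never
! restricts traffic; only the interface ACLs below do.
access-list Sub5_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (Sub5) 0 access-list Sub5_nat0_outbound
access-list Sub95_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (Sub95) 0 access-list Sub95_nat0_outbound
!
! Inbound ACL on Sub95, evaluated first match, top to bottom:
!   1. the specific permits into inside space
!   2. a blanket deny for everything else that is private
!   3. permit the rest, i.e. the internet
! Further permits (for example ports 80 and 443 to a host on another
! VLAN) go above the deny line.
access-list Sub95_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.4.15 eq smtp
access-list Sub95_access_in extended deny ip any object-group RFC1918
access-list Sub95_access_in extended permit ip any any
access-group Sub95_access_in in interface Sub95
!
! Inbound ACL on Sub5 (assumed name): hosts on VLAN 5 may initiate
! connections to the internet but not to any private network, which
! gives the one-way behaviour the original poster asked for.
access-list Sub5_access_in extended deny ip any object-group RFC1918
access-list Sub5_access_in extended permit ip any any
access-group Sub5_access_in in interface Sub5
```

The one-way property comes from the ASA being stateful: the interface ACL is consulted only for the packet that opens a connection, and the return packets of an SMTP session that Sub95 started toward 192.168.4.15 pass back through Sub5 on the connection table, not through Sub5_access_in. The deny line on Sub5 therefore blocks only what VLAN 5 initiates. Ordering is what makes the Sub95 ACL work; if the permit ip any any line were placed before the deny, the deny would never be hit. To check the result without generating traffic, run packet-tracer from the CLI (the client addresses here are made-up sample hosts): packet-tracer input Sub95 tcp 192.168.1.10 1025 192.168.4.15 25 should end in ALLOW, and packet-tracer input Sub5 tcp 192.168.4.15 1025 192.168.1.10 25 should end in DROP at the access-list phase; show access-list Sub95_access_in then shows the hit counts per line.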
