08-11-2012 03:48 PM - edited 03-11-2019 04:41 PM
Hey there!
I have a working environment but wondering if there is just a better way to accomplish what I am trying to do (without a layer 3 or 4 switch). Basically I have a few sub interfaces on my Cisco ASA5510.
Now what I do need is some of the VLANs to communicate with specific devices on the different VLANs. So for example I need computer 1 from VLAN 5 to communicate with 192.168.10.5 from VLAN 10 on ports 80 and 443. Is there a good way to accomplish this?
What I am currently doing is setting the security level to 100 on each interface (including the DMZ).
Here is what I have:
interface Ethernet0/1.5
vlan 5
nameif Sub5
security-level 100
ip address 192.168.4.254 255.255.255.0
interface Ethernet0/1.95
vlan 95
nameif Sub95
security-level 100
ip address 192.168.1.203 255.255.255.0
same-security-traffic permit inter-interface
static (Sub95,Sub5) 192.168.1.0 access-list Sub95_nat_static_1
static (Sub5,Sub95) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
access-list Sub95_nat_static_1 extended permit ip 192.168.1.0 255.255.255.0 host 192.168.4.15
Now I am doing this all with ASDM 6.4. My ASA image is 805-K8.
Is there an easier way to accomplish this than what I am doing? It just seems like a ton of NATs and whatnot. I am really using ASDM the most and not the shell. I am also wondering how to allow more of a one-way communication, like sub-interface 95 being able to communicate on certain ports and IP addresses to sub-interface 5, but sub-interface 5 not being able to communicate with 95.
08-11-2012 04:06 PM
Instead of using static translations you can use NAT-exemption where you tell your ASA that traffic, that you specified in an nat0-ACL (for example Net5 to Net95) should not be translated. Then you apply an ACL to every interface and only allow the traffic you want.
Sent from Cisco Technical Support iPad App
08-11-2012 10:29 PM
Yes, one ACL for NAT where you only specify the IP traffic from network to network. And every interface gets its own access-ACL with the specific allowed communication.
I typically write that ACL differently:
access-list DMZ1-ACCESS-IN permit ... first line with permit to inside
access-list DMZ1-ACCESS-IN permit ... second line with permit to inside
access-list DMZ1-ACCESS-IN deny ip any object-group RFC1918
access-list DMZ1-ACCESS-IN permit ... here comes the permitted access to the internet
As all my actual and future inside networks are all in the RFC1918-range, I don't have to touch that deny-line when I add an additional IP-subnet to one of the inside-interfaces.
Sent from Cisco Technical Support iPad App
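Pulling the two answers above together, here is what a complete configuration in the ASA 8.0(5) syntax used in this thread would look like. This is an added example, not configuration posted by anyone in the thread: the interface names, subnets and the SMTP host 192.168.4.15 are the ones from the thread, while the object-group name RFC1918 (from the answer above), the ACL names, and the split of traffic are assumptions. It shows the nat 0 exemption in both directions, the RFC1918 deny line that never needs editing, and the one-way rule the original question asked for (Sub95 may open SMTP to one Sub5 host; Sub5 may not initiate anything toward the other internal subnets).

```cisco
! Added worked example, not from the original posts. ASA 8.0(5) syntax.
! Both sub-interfaces stay at security-level 100, so this line from the
! original config is still required for traffic to cross them at all.
same-security-traffic permit inter-interface

! Group the whole private address space so the deny line below never has to
! be touched when another inside subnet is added (the approach in the answer above).
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! NAT exemption (nat 0): traffic between the two internal subnets keeps its
! real addresses in both directions, replacing the static translations.
! Only needed when "nat-control" is enabled; with nat-control disabled
! (the 8.x default) the ASA already passes this traffic untranslated.
access-list Sub95_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (Sub95) 0 access-list Sub95_nat0_outbound
access-list Sub5_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (Sub5) 0 access-list Sub5_nat0_outbound

! Sub95 (192.168.1.0/24) may initiate SMTP to one host on Sub5. Anything
! else toward private space is dropped; the remaining traffic is the
! Internet. Source is the subnet rather than "any" so spoofed or
! misrouted sources do not match the permit.
access-list Sub95_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.4.15 eq smtp
access-list Sub95_access_in extended deny ip any object-group RFC1918
access-list Sub95_access_in extended permit ip any any
access-group Sub95_access_in in interface Sub95

! Sub5 may not initiate anything toward the other internal subnets.
! Replies to the SMTP connections opened from Sub95 still flow because the
! ASA is stateful: the interface ACL is evaluated only for the packet that
! creates the connection, not for return packets.
access-list Sub5_access_in extended deny ip any object-group RFC1918
access-list Sub5_access_in extended permit ip any any
access-group Sub5_access_in in interface Sub5
```

Two things worth checking after applying this. First, the order of the Sub95 lines matters: the specific permit must sit above the RFC1918 deny, or the deny swallows it. Second, confirm the intended one-way behaviour with the ASA's built-in packet-tracer rather than by guessing, for example `packet-tracer input Sub95 tcp 192.168.1.10 1025 192.168.4.15 25` should end in ALLOW, while `packet-tracer input Sub5 tcp 192.168.4.15 1025 192.168.1.10 25` should be dropped by the Sub5_access_in ACL (192.168.1.10 is a constructed source address, not one from the thread). `show access-list` then shows hit counts per line, which is the quickest way to see whether traffic is matching the line you expected.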
08-11-2012 04:29 PM
Sorry for the novice questions but I'm just not very familiar with Cisco.
So do you mean something like:
access-list Sub5_nat0_outbound line 1 extended permit ip any 192.168.1.0 255.255.255.0
nat (Sub5) 0 access-list Sub5_nat0_outbound tcp 0 0 udp 0
access-list Sub95_nat0_outbound line 18 extended permit ip any 192.168.4.0 255.255.255.0
What else would I need to do?
08-11-2012 04:47 PM
I am getting that NAT exempt to work and I can pass traffic, but I am having issues limiting what traffic is allowed or not allowed with the ACL.
08-11-2012 05:36 PM
Sorry for the post. I think I have it figured out.
So after doing the NAT exempt, if the security levels are the same, they can communicate 100% on every port and every host.
So I put in access list so Sub95 can talk to Sub5.
Basically I had to put ACL on Sub95 interface so it could talk to Sub5 (192.168.4.15) on port 25, then put a deny rule in after that going to that subnet, then put a permit rule in for any any so it can get out to the internet.
access-list Sub95_access_in extended permit tcp any host 192.168.4.15 eq smtp
access-list Sub95_access_in extended deny ip any object-group Inside_Networks
access-list Sub95_access_in extended permit ip any any