thank you Jouni, we have setup our interfaces like this,

interface Ethernet0/0

nameif ext

security-level 0

ip address 168.129.136.16 255.255.255.0

!

interface Ethernet0/1

nameif int

security-level 100

ip address 172.21.191.254 255.255.0.0

!

interface Ethernet0/1.1

description Guest Wifi access

vlan 10

nameif GUEST_WIFI

security-level 1

ip address 172.17.10.1 255.255.255.0

!

interface Ethernet0/1.30

description  VOIP Phone

vlan 30

nameif Voice_LAN

security-level 100

ip address 172.17.30.1 255.255.255.0

do you think we still need to setup e0/0 as trunk?

Hi,

Not really, the above configuration I mentioned was just an example on how the Trunk is configured.

You seem to use the actual physical interface also for some network. I guess it might be the network on your default Vlan1?

Usually the actual physical interface if left without any configuration other than related to the speed/duplex/description perhaps. All the subinterface usually act as the gateways for the different Vlans.

- Jouni

so my routing statement will look like this?

nat ( voice_LAN.int)172.17.30.0 172.17.30.0

is this right? also I do not want this traffic to go to internet.

Hi,

The format of that command doesnt look right.

If you mean the command "nat" then that is used to determine source addresses for Dynamic NAT and Dynamic PAT translations.

If you want to configure Static Identity NAT between different interface then I guess it would be something like this between "int" and "Voice_LAN"

static (int,Voice_LAN) 172.21.0.0 172.21.0.0 netmask 255.255.0.0

This is ofcourse only for the network 172.21.0.0/16. I am not sure if you had some other ranges behind the "int"

The NAT configurations also depend on your software. The above example is for software versions 8.2 and below. Software versions 8.3 and above use a completely different format.

- Jouni

so I need only one way static nat? or do I need two way static nat?

Hi,

You should only need one "static" command.

But we can't see your NAT setup at the moment or dont know the software version so can't really say anything for sure.

As I said, if you have software version 8.2 or below then the above command will work. If you have 8.3 or above then it wont work as the NAT was completely redone in 8.3 software.

- Jouni

software version 8.4 (4) 9          

this is my nat look  like from show run

nat (Voice_LAN,int) source static Voice_LAN Voice_LAN destination static Int_net Int_net

is this right?

Hi,

That is for the 8.3+ software levels.

Though in 8.3+ software levels you dont really need to configure NAT between the local network interfaces as it just makes the whole setup more complicated.

Ideally you should NOT have ANY NAT configurations between your local interface. Typically you would only need NAT configurations from your LAN/DMZ interfaces towards the WAN interface of the ASA. Configurations like Dynamic PAT and NAT0 configurations. Its usually simpler to have no NAT configuration at all between the local interfaces.

- Jouni

so how I can passed all traffic from Voice_VLAN to Int Interface? cause I have setup all necessary server int this  side. do you think i need to setup access list?