If I understand you right,

P Y · ‎03-20-2015

I have an ASA that is supporting my guest internet access. It is supposed to be separated as much as possible. Right now, i have a VLAN (named 200) setup on my switches with no SVI, so traffic cannot escape that vlan.

On my ASA, one interface is on this 200 VLAN as the default gateway for clients in that VLAN. This is the "inside" port of the ASA,and the other interface is the "outside" interface for my ISP. What i would like to do is add a third VLAN so that i can manage this device on my normal network (outside of the 200 vlan). I know that with the base license i can only have two interfaces that can route to each other. I also know that there can be a third interface as long as you set up the "no forward interface" command, so that it can only communicate with one of the other two interfaces. What i would like is for this third vlan not have access to either of the other two interfaces. Is this possible?

I have tried to add two no forward interface commands, but that doesnt work. Any other ideas?

Thanks.

Jon Marshall · ‎03-20-2015

Patrick

Just use acls to not allow traffic from the other vlans to that vlan.

Or do you mean the actual interfaces on the ASA ?

If so no you can't really stop that but I can't see why you would need to ?

Jon

P Y · ‎03-20-2015

I just want to make sure any traffic on the new interface (lets call it VLAN73) cannot get out to either of the other two interfaces (VLAN2 or VLAN200). Also i want to make sure that traffic from the current interfaces (VLAN2 and VLAN200) cannot get to the new interface (VLAN73) under any circumstances.

So it is basically a separate interface that is used for management only.

Jon Marshall · ‎03-20-2015

Still not sure what the issue is.

When you say traffic do you mean traffic from clients ?

I which case just use acls ?

Jon

Karsten Iwen · ‎03-21-2015

If I understand you right, you are looking for the interface-feature management-only

ASA - No Forward