02-17-2015 08:39 AM
I am experiencing a slight issue that for whatever reason I can't seem to figure out. I have 5 Vlans
Vlan 1 192.168.1.0 Network Management network
Vlan 2 192.168.2.0 PC Network
Vlan 3 192.168.3.0 Wireless Network
Vlan 4 192.168.4.0 Network 2
Vlan 250 192.168.250.0 Guest Wifi
192.168.1.2 is my management IP, 192.1681.1 is assigned to my asa5505 for all vlans to access to get out to the Internet. All but my uplink port (10) are set as access ports going to my layer 2 switch and assigned with 1 untagged vlan for that specific port (Port 3 is on Vlan 3 for my wireless controller).
When I am on the wireless network I am able to ping users on any of the vlans. I would like to be able to do the following:
Deny 192.168.250.0 from seeing all of the vlans (Except 1 for Internet)
Deny 192.168.4.0 from seeing all of the vlans (Except 1 for Internet)
Allow 192.168.3.0 & 192.168.2.0 access to each other but not see Vlan 4 or Vlan 250.
I tried to do an ACL called Deny Guest Vlan, and created an ACE to deny Source IP 192.168.250.0 wildcard 0.0.0.0 Destination 192.168.3.0 0.0.0.0, but on the 192.168.250.0 I lost my internet access and was unable to ping 192.168.250.1.
I'm not sure if I am in the right area or not for denying this access. I am currently running firmware 1.0.4.88.
Thank you,
Don
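An added example (not code from this thread or from Cisco): a small Python model of Cisco-style wildcard-mask ACL evaluation, assuming first-match semantics with the implicit deny at the end of every ACL. It shows why a single ACE with wildcard 0.0.0.0 matches only one host and why an ACL with no permit entry cuts off the gateway, and it checks a guest-VLAN ACL against the three policy goals stated above. The VLAN addresses are the ones in the post; the host and Internet addresses are constructed.

```python
import ipaddress

# Each ACE is (action, src, src_wildcard, dst, dst_wildcard). In a Cisco wildcard
# mask a 0 bit must match and a 1 bit is "don't care": 0.0.0.0 matches exactly one
# host, 0.0.0.255 matches a whole /24, 255.255.255.255 matches any address.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)   # bits covered by the wildcard are ignored

def first_match(acl, src: str, dst: str):
    """Index of the first ACE matching the src/dst pair, or None if nothing matches."""
    for i, (_action, sb, sw, db, dw) in enumerate(acl):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return i
    return None

def evaluate(acl, src: str, dst: str) -> str:
    """First matching ACE wins; no match falls through to the implicit deny."""
    i = first_match(acl, src, dst)
    return acl[i][0] if i is not None else "deny"

# The ACE as described in the post: wildcard 0.0.0.0 on both source and destination.
TRIED = [("deny", "192.168.250.0", "0.0.0.0", "192.168.3.0", "0.0.0.0")]

# A guest-VLAN ACL (applied inbound on VLAN 250) that blocks VLANs 2, 3 and 4 and
# then explicitly permits everything else, so the gateway and the Internet remain
# reachable. The same pattern, with its own deny lines, applies to VLAN 4.
GUEST_ACL = [
    ("deny",   "192.168.250.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("deny",   "192.168.250.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    ("deny",   "192.168.250.0", "0.0.0.255", "192.168.4.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def guest_policy_holds(acl) -> bool:
    """Constructed guest host 192.168.250.50 must reach the gateway and the Internet
    but none of the other user VLANs."""
    g = "192.168.250.50"
    allowed = all(evaluate(acl, g, d) == "permit" for d in ("192.168.250.1", "198.51.100.7"))
    blocked = all(evaluate(acl, g, d) == "deny"
                  for d in ("192.168.2.10", "192.168.3.10", "192.168.4.10"))
    return allowed and blocked
```

With `TRIED`, a real guest client never hits the ACE (wildcard 0.0.0.0 only matches the host 192.168.250.0 itself) and every packet, gateway pings included, falls to the implicit deny.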
02-17-2015 10:13 AM
Hi
From your description it seems you are using the SG300-10 as an L3 routing switch and the asa5505 (with IP 192.1681.1) as the internet gateway. Is that right?
I would suggest you do not do the routing on the SG300 switch, but instead do it on the asa5505. Reasons:
this means that: