ASA 5525 || SVI || INTER VLAN ROUTING || DHCP

yogesh1
Level 1

Hi All,

I have multiple VLANs for the inside network and I need to enable inter-VLAN routing between them, so please let me know how we can enable this on the ASA 5525 so that we can establish full communication between users in different VLANs.

Also please let me know whether it is possible to configure an SVI on the 5525.

Also, is it possible to configure multiple DHCP scopes for inside users? We already have one DHCP scope running on the ASA for LAN users, and we need the same for the other two VLANs. How can we identify the gateway for that DHCP scope so that users in a specific VLAN get an IP address dynamically?

Please let me know the commands for all of the above queries.

dhcpd address 10.85.xx.xx-10.85.xx.xx inside
dhcpd dns 10.85.xx.xx 10.85.xx.xx interface inside
dhcpd lease 28800 interface inside
dhcpd enable inside

GigabitEthernet0/1.70    VOIP                   172.16.xx.xx    255.255.255.0   CONFIG
GigabitEthernet0/1.100   inside                 10.85.xx.xx     255.255.255.0   CONFIG
GigabitEthernet0/1.110   camera                 10.85.xx.xx     255.255.255.0   CONFIG

9 Replies

balaji.bandi
Hall of Fame

Configure interface ACLs to allow and/or block the required traffic.

You can create sub-interfaces with security levels.

You need to configure the switch side as a trunk to allow those VLANs for the user devices.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Dear Balaji,

Can you please help me with the two points below, i.e. how we can create an ACL to allow full communication between VLANs.

Also, on an L3 switch we have the command to enable IP routing to allow inter-VLAN communication. Is it possible to do the same on the ASA 5525?

1>Configure interface ACLs to allow and/or block the required traffic. 

2>You can create a sub-interface with security levels.

If all the sub-interfaces on the ASA are the same security level then you can apply the global command 'same-security-traffic permit inter-interface'.  This will allow the ASA to simply route between the networks of the same security level.  If you apply different security levels you will need to write ACLs permitting your traffic.  These could be as simple as 'permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0'.

However if that is your requirement and you already have a L3 switch I would leave the routing there and only route traffic to the firewall that is going outside of your 'domain'.  The firewall won't have the same forwarding performance as the L3 switch.

Andy

Hi Andrew,

As we already have multiple sub-interfaces on the firewall, can you please let me know how I can enable "allowed vlan all" between the ASA and the switch.

On Cisco switches we have the feature "switchport mode trunk" / "switchport trunk allowed vlan all"; please let me know how we can enable this feature on the firewall as well.

So that all the VLANs can pass between the ASA and the switch.

Also please let me know the command to create a new VLAN on the ASA 5525.

ASA1#
ASA1# sh run int
ASA1# sh run int GigabitEthernet0/1.70
!
interface GigabitEthernet0/1.70
 vlan 70
 nameif VOIP
 security-level 100
 ip address 172.16.xx.xx 255.255.xx.xx

ASA1# sh run int GigabitEthernet0/1.100
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.85.xx.xx 255.255.xx.xx
ASA1#

Here is an example config.

Switch side
============
BB(config)#int fa0/0  - change this to the interface where your ASA is connected
BB(config-if)#switchport
BB(config-if)#switchport trunk encapsulation dot1q
BB(config-if)#switchport trunk allowed vlan 70,100  - as per your example this allows VLANs 70 and 100
BB(config-if)#switchport mode trunk
BB(config-if)#no shut

ASA Side:
=========
config t
!
int gi0/1
no ip address
no security-level
no nameif inside
!
interface GigabitEthernet0/1.70
vlan 70
nameif VOIP
security-level 100
ip address 172.16.xx.xx 255.255.xx.xx
!
interface GigabitEthernet0/1.100
vlan 100
nameif inside
security-level 100
ip address 10.85.xx.xx 255.255.xx.xx

BB


Dear Balaji,

Please let me know whether there is any command on the ASA 5525 to enable a trunk that allows all VLANs.

What code version are you running on the ASA? On most code versions the config below should work; if not, what error are you getting? Post the configuration.

This config allows all the VLANs:

int gi0/1
no ip address
no security-level
no nameif inside

and map sub-interfaces for the VLAN mapping as per the last config.

 

BB


Dear Balaji,

I am going to run the config below. Will this work to pass all three VLANs via sub-interfaces and allow inter-VLAN communication?

 

interface GigabitEthernet0/1.70
vlan 70
nameif VOIP
security-level 100
ip address 172.16.xx.xx 255.255.xx.xx
!
interface GigabitEthernet0/1.100
vlan 100
nameif inside
security-level 100
ip address 10.85.xx.xx 255.255.xx.xx
!
interface GigabitEthernet0/1.110
vlan 110
nameif camera
security-level 100
ip address 192.60.xx.xx 255.255.xx.xx
!
same-security-traffic permit inter-interface

Test and let me know; bear in mind you need to add the additional VLAN to the trunk allowed list on the switch side:

switchport trunk allowed vlan 70,100,110

BB

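As an added illustration (not code from this thread or from Cisco), a small Python consistency check over the kind of configuration discussed above: it reads the ASA sub-interface blocks as posted, flags a nameif used twice, reports when every sub-interface shares one security level but "same-security-traffic permit inter-interface" is absent, and compares each sub-interface VLAN against the switch-side "switchport trunk allowed vlan" list. The sample config strings are constructed from the thread's values and are the only inputs it assumes.

```python
# Constructed sample: the three sub-interfaces the asker posted, trimmed to the lines read here.
ASA_CONFIG = """\
interface GigabitEthernet0/1.70
 vlan 70
 nameif VOIP
 security-level 100
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
interface GigabitEthernet0/1.110
 vlan 110
 nameif inside
 security-level 100
"""
# Switch-side trunk line from the earlier reply, before VLAN 110 was added.
SWITCH_TRUNK = "switchport trunk allowed vlan 70,100"
SAME_SEC = "same-security-traffic permit inter-interface"

def parse_subinterfaces(cfg):
    """Collect vlan / nameif / security-level from each 'interface' block."""
    blocks, cur = [], None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            blocks.append(cur := {"name": line.split()[1]})
        elif cur is not None:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in ("vlan", "nameif", "security-level"):
                cur[parts[0]] = parts[1].strip()
    return blocks
def allowed_vlans(trunk_line):
    """Expand '70,100, 110' or '10-12' into the set of VLAN IDs the trunk carries."""
    ids = set()
    for item in trunk_line.split("allowed vlan", 1)[1].replace(" ", "").split(","):
        lo, _, hi = item.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def check(cfg, trunk_line):
    subs, findings, seen = parse_subinterfaces(cfg), [], {}
    for s in subs:  # nameif must be unique, or the second interface is rejected
        if s.get("nameif") in seen:
            findings.append(f"duplicate nameif {s['nameif']} on {seen[s['nameif']]} and {s['name']}")
        seen.setdefault(s.get("nameif"), s["name"])
    if len({s.get("security-level") for s in subs}) == 1 and SAME_SEC not in cfg:
        findings.append(f"equal security levels but '{SAME_SEC}' is missing (or write ACLs)")
    for s in subs:  # a VLAN the switch trunk drops never reaches its sub-interface
        if int(s["vlan"]) not in allowed_vlans(trunk_line):
            findings.append(f"vlan {s['vlan']} ({s['name']}) missing from switch trunk allowed list")
    return findings
```

Run against the posted config it returns three findings; renaming the third sub-interface, adding the same-security-traffic line and adding VLAN 110 to the trunk clears them.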
