Cisco ASA 5508-X - traffic between two vlan

AKTHF
Level 1
Hi,
On the GigabitEthernet 7 interface I have two VLANs added, 7.19 and 7.18. VLAN 7.18 is 10.10.4.0/24 and VLAN 7.19 is 10.10.1.0/24. Each VLAN has DHCP added. The VLANs are added to a UniFi switch, with the switch ports set to the VLAN. NAT rules are added for internet access for VLANs 7.18 and 7.19. Hosts connected to the switch get an address from DHCP for VLAN 7.18 and 7.19. In the Access Rules I added, for these two VLANs, any ping to the world/internet interface and back from the internet/world to the VLAN. Everything works; I can ping from the hosts to Google 8.8.8.8. I added a rule permitting any from VLAN 7.18 to VLAN 7.19 and vice versa, and I also added the hosts so they can see each other. It doesn't work for me and I don't know what to do. I have traffic between networks enabled. I will be grateful for your help.
8 Replies

balaji.bandi
Hall of Fame

Do the VLANs belong to the same zone or interface?

Do you have the config below?

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

If it is still not working, post the configuration so we can understand what the issue is.

BB


Do the VLANs belong to the same zone or interface?

Yes

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

I have both of these turned on.

Configuration

!
interface GigabitEthernet1/1
shutdown
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside
security-level 100
!
interface GigabitEthernet1/3
description NETIA
nameif SWIAT
security-level 0
ip address 85.xx.xx.xx 255.255.255.248
!
interface GigabitEthernet1/4
description EdgeRouter
nameif EDGE
security-level 0
ip address 10.0.1.2 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
security-level 50
no ip address
!
interface GigabitEthernet1/7
nameif LAN_AK
security-level 100
no ip address
!
interface GigabitEthernet1/7.18
description vlan7.18
vlan 18
nameif vlan7.18
security-level 100
ip address 10.10.4.1 255.255.255.0
!
interface GigabitEthernet1/7.19
description vlan7.19
vlan 19
nameif vlan7.19
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet1/8
shutdown
no nameif
security-level 0
no ip address
!
interface Management1/1
description mgmt
management-only
nameif mgmt
security-level 0
no ip address
!
interface BVI1
description BVI1-10.10.2.1/24
nameif BVI1
security-level 100
ip address 10.10.2.1 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup SWIAT
dns server-group DefaultDNS
name-server 10.0.0.229
domain-name ad.audioklan.pl
dns server-group GOOGLE
name-server 8.8.8.8 BVI1
dns server-group SWIAT
name-server 208.67.222.222 SWIAT
name-server 208.67.220.220 SWIAT
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network mgmt
subnet 0.0.0.0 0.0.0.0
description mgmt
object network local-lan
subnet 10.0.0.0 255.255.255.0
description 10.0.0.0/24
object network SWITA-GATEWAY
host 85.xx.xx.xx
description Netia GTW
object network SWIAT-IP
subnet 85.128.49.0 255.255.255.0
description Swiat Netia
object network VLAN7.19
subnet 10.10.1.0 255.255.255.0
object network Test-LAN
subnet 10.10.2.0 255.255.255.0
description 10.10.2.0/24
object network DNS
host 10.10.1.5
description IP DNS
object network local-lan-AK
subnet 10.10.3.0 255.255.255.0
object network AK-local-lan
subnet 10.10.0.0 255.255.0.0
object network DNS-Google
host 8.8.8.8
description DNS-Google
object network VLAN7.19-GATEWAY
host 10.10.1.1
description VLAN7.19-GATEWAY
object network PI-TEST
host 10.10.4.5
object network VLAN7.18-GATEWAY
host 10.10.4.1
object network nt1
subnet 10.10.1.0 255.255.255.0
object network nt2
subnet 10.10.4.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object icmp echo
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp
service-object icmp echo
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_6
network-object 10.10.1.0 255.255.255.0
network-object 10.10.4.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object object DNS-Google
network-object object SWITA-GATEWAY
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object tcp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq dnsix
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object icmp
service-object tcp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq dnsix
object-group protocol DM_INLINE_PROTOCOL_15
protocol-object ip
protocol-object icmp
access-list LAN_AK_access_in_3 extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list SWIAT_access_in_1 extended permit object-group DM_INLINE_SERVICE_6 any object-group DM_INLINE_NETWORK_6
access-list vlan7.19_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list LAN_AK_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list LAN_AK_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_7 any any
access-list vlan7.19_access_in_2 extended permit object-group DM_INLINE_PROTOCOL_15 object DNS object-group DM_INLINE_NETWORK_4 inactive
access-list vlan7.19_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 10.10.1.0 255.255.255.0 any
access-list vlan7.19_access_in_2 extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list LAN_AK_access_in_2 extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list vlan7.18_access_in extended permit object-group DM_INLINE_SERVICE_1 10.10.4.0 255.255.255.0 any
access-list vlan7.18_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu SWIAT 1500
mtu EDGE 1500
mtu LAN_AK 1500
mtu vlan7.19 1500
mtu mgmt 1500
mtu vlan7.18 1500
no failover
no monitor-interface BVI1
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (vlan7.18,SWIAT) source dynamic any interface
nat (vlan7.19,SWIAT) source dynamic any interface
access-group SWIAT_access_in_1 in interface SWIAT
access-group LAN_AK_access_in_3 in interface LAN_AK
access-group vlan7.19_access_in_2 in interface vlan7.19
access-group vlan7.18_access_in in interface vlan7.18
route SWIAT 0.0.0.0 0.0.0.0 85.xx.xx.xx 1
route EDGE 0.0.0.0 0.0.0.0 10.0.1.1 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 EDGE
http 10.0.0.0 255.255.255.0 EDGE
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 EDGE
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 10.10.1.5-10.10.1.253 vlan7.19
dhcpd dns 8.8.8.8 interface vlan7.19
dhcpd enable vlan7.19
!
dhcpd address 10.10.2.5-10.10.2.253 BVI1
dhcpd dns 8.8.8.8 interface BVI1
dhcpd enable BVI1
!
dhcpd address 10.10.4.5-10.10.4.253 vlan7.18
dhcpd dns 8.8.8.8 interface vlan7.18
dhcpd enable vlan7.18
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
!
!
policy-map global-policy
class class-default
user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous

You have two VLANs and you want to make them talk to each other.
A packet from VLAN 7.18 going to VLAN 7.19
first hits the ASA subinterface, and the ASA will NAT the VLAN to the outside interface.
Then it comes back in on a different subinterface with the source changed from VLAN 7.18 to outside.
Here the ACL is from low security (which is outside) to high security (which is inside = 100). Do you have an ACL that denies this traffic? I.e., did you allow traffic initiated from outside to go to VLAN 7.19?

You can configure a NAT exemption.

How do I create NAT for a VLAN locally? Currently I have NAT set up for the VLANs to get traffic out to the world.

source - vlan7.18 and vlan 7.19
dest - WORLD (outside)
source - any
Destination - any
Service - any
Source - SWIAT (interface)

This NAT works for external communication.

nat (vlan7.18,vlan7.19) static ip ip destination ip ip

nat (vlan7.19,vlan7.18) static ip ip destination ip ip

Try this and let me know if it works.
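The two suggestions in this thread (balaji.bandi's same-security check and the NAT exemption discussed in the replies above) can be checked against a posted running-config mechanically. The script below is an added example, not code from the thread or from Cisco. It parses a constructed excerpt of the configuration posted above, finds the subinterface pair at the same security level, confirms that `same-security-traffic permit inter-interface` is present, and flags twice-NAT rules whose real source is `any` with no destination, since nothing in such a rule limits it to internet-bound flows. It also builds the identity twice-NAT line (`source static X X destination static Y Y no-proxy-arp route-lookup`) that would exempt the two subnets, and the `packet-tracer` command that shows which egress interface the ASA actually picks. The object names `nt1`/`nt2` are the ones in the posted config (10.10.1.0/24 and 10.10.4.0/24), and the host addresses 10.10.4.5 and 10.10.1.5 are taken from the posted DHCP pools. Whether the `any` PAT rule is what breaks this particular box is for `packet-tracer` on the ASA to confirm, not this script.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the running-config posted in this thread, trimmed to the
# lines the checks below read (interfaces, same-security statements, twice NAT).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/7.18
vlan 18
nameif vlan7.18
security-level 100
ip address 10.10.4.1 255.255.255.0
!
interface GigabitEthernet1/7.19
vlan 19
nameif vlan7.19
security-level 100
ip address 10.10.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
nat (vlan7.18,SWIAT) source dynamic any interface
nat (vlan7.19,SWIAT) source dynamic any interface
"""

@dataclass
class Iface:
    name: str
    nameif: str = ""
    security: int = -1
    vlan: int = 0

@dataclass
class Config:
    ifaces: dict = field(default_factory=dict)       # nameif -> Iface
    same_security: set = field(default_factory=set)  # {"inter-interface", ...}
    nat_rules: list = field(default_factory=list)    # twice-NAT rules in config order

# Twice NAT (manual NAT, section 1). Object NAT lives under 'object network' and is not parsed.
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (?:\d+ )?source (dynamic|static) (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")

def parse_asa_config(text):
    cfg, cur = Config(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("interface "):
            cur = Iface(name=line.split(None, 1)[1])
        elif line == "!":                       # '!' closes an interface block
            if cur and cur.nameif:
                cfg.ifaces[cur.nameif] = cur
            cur = None
        elif cur is not None:                   # inside an interface block
            key, _, val = line.partition(" ")
            if key == "nameif":
                cur.nameif = val
            elif key == "security-level":
                cur.security = int(val)
            elif key == "vlan":
                cur.vlan = int(val)
        elif line.startswith("same-security-traffic permit "):
            cfg.same_security.add(line.rsplit(" ", 1)[1])
        elif NAT_RE.match(line):
            m = NAT_RE.match(line)
            cfg.nat_rules.append(dict(line=lineno, ingress=m[1], egress=m[2], kind=m[3],
                                      src=m[4], mapped=m[5], dst=m[6]))
    return cfg

def exemption_rule(ingress, egress, real_src, real_dst, position=1):
    """Identity twice-NAT line (mapped == real) for real_src -> real_dst. 'route-lookup' makes
    the ASA route the packet instead of taking the rule's egress interface; the position puts
    it ahead of the 'any' PAT rules in section 1. Object names are the caller's assumption."""
    return (f"nat ({ingress},{egress}) {position} source static {real_src} {real_src} "
            f"destination static {real_dst} {real_dst} no-proxy-arp route-lookup")

def packet_tracer_cmd(ingress, src_ip, dst_ip):
    """ICMP echo (type 8, code 0) trace; the NAT phase of its output names the egress interface."""
    return f"packet-tracer input {ingress} icmp {src_ip} 8 0 {dst_ip} detailed"

def check_inter_vlan(cfg, a, b):
    """Findings that can stop new connections between nameifs a and b."""
    findings = []
    ia, ib = cfg.ifaces[a], cfg.ifaces[b]
    if ia.security == ib.security and "inter-interface" not in cfg.same_security:
        findings.append(f"{a} and {b} both sit at security-level {ia.security} and "
                        "'same-security-traffic permit inter-interface' is not configured")
    for r in cfg.nat_rules:
        if r["ingress"] not in (a, b) or r["kind"] != "dynamic" or r["src"] != "any" or r["dst"]:
            continue
        peer = b if r["ingress"] == a else a
        # First match wins in section 1: an earlier identity rule for this pair covers the flow.
        if any(x["kind"] == "static" and x["ingress"] == r["ingress"] and x["egress"] == peer
               and x["src"] == x["mapped"] and x["dst"] and x["line"] < r["line"]
               for x in cfg.nat_rules):
            continue
        findings.append(f"line {r['line']}: twice-NAT ({r['ingress']},{r['egress']}) has real "
                        f"source 'any' and no destination, so it also matches {r['ingress']} -> "
                        f"{peer}; run packet-tracer from a {r['ingress']} host and read the NAT phase")
    return findings

if __name__ == "__main__":
    cfg = parse_asa_config(SAMPLE_CONFIG)
    for f in check_inter_vlan(cfg, "vlan7.18", "vlan7.19"):
        print("FINDING:", f)
    print(exemption_rule("vlan7.18", "vlan7.19", "nt2", "nt1"))  # nt2 = 10.10.4.0/24, nt1 = 10.10.1.0/24
    print(exemption_rule("vlan7.19", "vlan7.18", "nt1", "nt2"))
    print(packet_tracer_cmd("vlan7.18", "10.10.4.5", "10.10.1.5"))  # hosts from the posted DHCP pools
```

Run it against a saved `show running-config` by replacing `SAMPLE_CONFIG` with the file contents; the parser relies on the `!` separators that the ASA prints after each interface block, which the forum stripped of indentation but not of the separators. The exemption lines are printed for both directions because each direction's first packet is matched against the NAT table independently.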

I added NAT for vlan7.18 to vlan7.19 and vlan7.19 to vlan7.18 - still not working.


Check the license. I read in some doc that Security Plus can make the ASA interconnect the VLANs.
