Inter VLAN Routing on ASA 5506

Charger1129
Level 1

Hi. I have an ASA 5506 with 3 internal VLANs on it. I need to prevent the VLANs from talking to each other but allow a few specific IP addresses through from the main VLAN to the other 2.

Example:

VLAN 20

  • nameif inside1
  • IP address to allow to other VLANs - 10.10.100.10

VLAN 30

  • nameif inside2
  • traffic should be allowed to only speak to IP 10.10.100.10 from VLAN 20

VLAN 40

  • nameif inside3
  • traffic should be allowed to only speak to IP 10.10.100.10 from VLAN 20


I know this command will allow all traffic between VLANs, but I'm not sure if I should then create deny rules to only allow the 1 IP address through or if I need to remove this command and do it a different way. Any suggestions on the correct commands would be greatly appreciated. 

4 Replies

Ganesh Hariharan
VIP Alumni

Hi,

You can apply an ACL to each interface in the required direction for the above requirement. I hope all the VLAN gateways are ASA interfaces.

Check out the link below for more information on how to apply ACLs on the ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_nw.html

Hope it Helps..

-GI

Rate if it Helps..
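As an added example (not posted by anyone in this thread), here is one way to write the per-interface ACLs that Ganesh describes for the requirement in the question. The addressing is constructed: VLAN 20 is assumed to be 10.10.100.0/24 on inside1, VLAN 30 is 10.10.30.0/24 on inside2, VLAN 40 is 10.10.40.0/24 on inside3, an interface named outside carries Internet traffic, and routing between the three inside interfaces is already permitted, as the question states. All object and ACL names are made up.

```cisco
! --- Constructed network objects (addresses are assumptions, not from the thread) ---
object network VLAN20_NET
 subnet 10.10.100.0 255.255.255.0
object network VLAN30_NET
 subnet 10.10.30.0 255.255.255.0
object network VLAN40_NET
 subnet 10.10.40.0 255.255.255.0
object network ALLOWED_HOST
 host 10.10.100.10
object-group network INTERNAL_NETS
 network-object object VLAN20_NET
 network-object object VLAN30_NET
 network-object object VLAN40_NET

! --- inside1 (VLAN 20): only 10.10.100.10 may reach the other VLANs ---
! Order matters: ASA evaluates ACL entries top to bottom, first match wins.
access-list INSIDE1_IN extended permit ip object ALLOWED_HOST object VLAN30_NET
access-list INSIDE1_IN extended permit ip object ALLOWED_HOST object VLAN40_NET
access-list INSIDE1_IN extended deny ip object VLAN20_NET object-group INTERNAL_NETS
! Keep Internet access working; without this line the implicit deny drops everything else.
access-list INSIDE1_IN extended permit ip object VLAN20_NET any
access-group INSIDE1_IN in interface inside1

! --- inside2 (VLAN 30): may talk only to 10.10.100.10 among internal networks ---
access-list INSIDE2_IN extended permit ip object VLAN30_NET object ALLOWED_HOST
access-list INSIDE2_IN extended deny ip object VLAN30_NET object-group INTERNAL_NETS
access-list INSIDE2_IN extended permit ip object VLAN30_NET any
access-group INSIDE2_IN in interface inside2

! --- inside3 (VLAN 40): same policy as VLAN 30 ---
access-list INSIDE3_IN extended permit ip object VLAN40_NET object ALLOWED_HOST
access-list INSIDE3_IN extended deny ip object VLAN40_NET object-group INTERNAL_NETS
access-list INSIDE3_IN extended permit ip object VLAN40_NET any
access-group INSIDE3_IN in interface inside3

! --- Verification (run from enable mode) ---
! Hit counts per entry show which line a flow matched:
show access-list INSIDE2_IN
! Simulate a VLAN 30 host reaching the allowed host (expected: allow) ...
packet-tracer input inside2 tcp 10.10.30.5 1234 10.10.100.10 443
! ... and reaching another VLAN 20 host (expected: drop on the ACL deny line):
packet-tracer input inside2 tcp 10.10.30.5 1234 10.10.100.20 443
```

Two points worth keeping in mind with this layout. The ASA is stateful, so return traffic for a connection permitted by the inbound ACL on one interface is allowed back without a matching entry on the other interface; that is why the VLAN 30 and VLAN 40 lists only need a permit toward 10.10.100.10 and no permit in the reverse direction. And, as the original poster found, an access-list that is defined but never bound with access-group does nothing, so show access-list hit counts and packet-tracer are the quickest way to confirm the policy is actually in the path.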

Figured it out on my end. I was able to establish ACLs to do the necessary blocks, but also forgot to add the ACL to the appropriate interface (nameif). Once that was applied all was working.

Thanks for posting back to the forum to tell us that you have figured out the solution to your own problem. Applying the ACL to the interface is one of those things that is easy to forget and this could be a good lesson for many of us.

HTH

Rick

piyush.dhupia
Level 1