05-31-2017 09:38 PM - last edited on 03-25-2019 04:43 PM by ciscomoderator
I would like to pass traffic to the ASA first, before inter-VLAN routing at the 2901 router, because I would like to control that VLAN 2 can access VLAN 3 but not allow VLAN 3 to access VLAN 2.
2960 vlan 2 switch 1 ---> 2960 switch 0 ---> ASA ---> 2901 router 0 --> 2960 switch 0 ---> 2960 vlan 3 switch
1. How do I let VLAN 2 and VLAN 3 traffic out from switch 0 Gig0/2 (which is in VLAN 1) to the ASA's VLAN 1 in Packet Tracer?
2. Is it possible for other traffic to go outside the ASA, meaning that if the IP address is a public address it goes outside, and private IP addresses go inside, passing through the ASA and then doing inter-VLAN routing?
Updated:
If the above is impossible, then when I set a trunk port on ASA e0/2, it cannot be set as a trunk port. How can I let VLAN 2 and VLAN 3 use this ASA as their default gateway in Packet Tracer?
Juniper can use a trunk port to accept traffic from different VLANs; how does the ASA do this?
conf t
int e0/2
switchport mode trunk
switchport trunk allowed vlan 1
switchport trunk allowed vlan add 2
switchport trunk allowed vlan add 3
shut
no shut
end
ciscoasa#conf t
ciscoasa(config)#int e0/2
ciscoasa(config-if)#switchport
% Incomplete command.
ciscoasa(config-if)#switchport ?
interface mode commands/options:
access Set access mode characteristics of the interface
ciscoasa(config-if)#switchport mode
^
% Invalid input detected at '^' marker.
ASA
conf t
no dhcpd auto_config outside
no dhcpd address 192.168.1.5-192.168.1.36 inside
no dhcpd enable inside
end
conf t
int vlan 2
no ip address
end
conf t
int vlan 1
nameif inside
security 100
ip address 192.168.5.254 255.255.255.0
end
conf t
int e0/2
switchport access vlan 1
shut
no shut
end
conf t
int e0/1
switchport access vlan 1
shut
no shut
end
conf t
route inside 192.168.2.0 255.255.255.0 192.168.5.5
route inside 192.168.3.0 255.255.255.0 192.168.5.5
end
06-02-2017 11:44 AM
Hello,
Trunk mode is only available with the Security Plus License on the ASA 5505. From the looks of your screenshots, it appears packet tracer doesn't support it.
As for allowing VLAN 2 and VLAN 3 out of the switch to the ASA, you're going to have to create a layer 3 interconnect. I would try making vlan 1 in the ASA and g0/2 on switch0 a /30 subnet.
For only one-way communication between VLAN 2 and VLAN 3, you can try a reflexive ACL applied on an SVI permitting established TCP connections. This article seems to do what you were looking for. https://howdoesinternetwork.com/2012/allow-vlan-access-but-no-back
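The two suggestions in the reply (a /30 interconnect toward the ASA and a one-way VLAN 2 to VLAN 3 policy), written out as an added IOS configuration example that is not from the thread or the linked article. The VLAN subnets come from the original post; the interface names, the 192.168.5.0/30 addressing and the ACL names are assumptions, and the ASA's "route inside" statements would need to point at the new /30 neighbour.

```cisco
! Added example: one-way VLAN 2 -> VLAN 3 access on the device that owns
! the VLAN gateways (SVIs here; the same ACLs work on 2901 subinterfaces).
! Interface names and 192.168.5.0/30 are assumptions, not from the thread.
!
! 1) /30 Layer 3 interconnect toward the ASA (ASA side: 192.168.5.1/30)
interface Vlan1
 ip address 192.168.5.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 192.168.5.1
!
! 2a) Stateless form: the "established" keyword matches only TCP segments
!     with ACK or RST set, so VLAN 3 cannot open new TCP sessions toward
!     VLAN 2, while replies to VLAN 2 clients pass. The explicit deny also
!     drops UDP/ICMP from VLAN 3 to VLAN 2 (pings from VLAN 2 get no reply).
ip access-list extended V3-IN-ESTABLISHED
 permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
 deny   ip  192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip  any any
!
! 2b) Stateful form (reflexive ACL): TCP from VLAN 2 to VLAN 3 creates a
!     temporary mirrored entry in V2-RETURN; traffic from VLAN 3 to VLAN 2
!     is allowed only if it matches such an entry.
ip access-list extended V2-IN
 permit tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect V2-RETURN timeout 300
 permit ip  any any
ip access-list extended V3-IN
 evaluate V2-RETURN
 deny   ip  192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip  any any
!
! Apply one form, not both: 2a needs only V3-IN-ESTABLISHED inbound on
! Vlan3; 2b (shown applied) needs V2-IN on Vlan2 and V3-IN on Vlan3.
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip access-group V2-IN in
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
 ip access-group V3-IN in
!
! Check: after a VLAN 2 host opens a TCP session to VLAN 3,
! "show access-lists V2-RETURN" lists a temporary permit entry with the
! reversed source/destination addresses and ports; it ages out after 300 s.
```

If the switch image in use does not accept "reflect"/"evaluate", form 2a is the fallback the reply's "established" wording describes.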