etonnemacher

VLAN

Hi People - I would like to separate 3 networks from each other to reduce traffic on our LAN - I have an ASA5505 restricted (2 VLANs max) and an ASA5505 unrestricted as well as an 8 port VLAN-capable switch - I've done this using routers with multiple blades but the VLAN "routing" seems to be giving me a hard time. I'm assuming the switch needs to be connected to a VLAN on one of the ASAs to access the internet and communicate inter-VLAN? I'm not seeing how to route traffic between VLANs on the ASA - I could buy 3 routers and do it but that seems archaic! Thanks!
billwharton

All you need is at this particular URL - you would need a Cisco ID to access this page. If you don't have one, go to cisco.com and click on the register link at the top right.

http://www.cisco.com/en/US/partner/docs/security/asa/asa72/getting_started/asa5505/quick/guide/vlans.html
Hey, I am thinking of subinterfaces here. I remember encountering some limitations with the VLANs on a Cisco ASA 5505, but you need 3 networks and I was working with 5 to be exact and had limited hardware. Eventually I did the router on a stick scenario to run from the headache. Cisco has some information regarding the VLANs and subinterfaces on the link I provided below. Hope this helps.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wpxref28961
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intparam.html#wpxref44915
etonnemacher (ASKER)

Hi Bill - my Cisco CCO doesn't allow me to access that area - I don't appear to have the credential levels necessary - I've tried getting access in the past and it never seems to work out - Is there somewhere else I can get at that document? Thanks
Hi Chow8400 - I'm looking the subinterface thing over - I'll have to do a couple of tests, I'll post back asap - thanks
Never mind. Chow posted the same URL I previously did but his has public access, so just use that and you should be good.
Sorry people - I've been a little slammed and have not had time to address this - I'll be back at my desk early next week - thanks
Hi guys - I think I need to change my question a little - I have the VLANs set up and functioning. What I can't seem to get working is getting from vlan3 to vlan1 - they are set at the same security level and vlan 1 can access vlan3 - vlan1 is the route out of our network to the internet. I'm thinking a nat command is in order but I don't see why it would be unless it needs to look like a vlan1 address to traverse that interface?

Thanks
Correction - clients on vlan 1 and vlan 3 cannot communicate - only the ASA device can communicate (ping) between VLANs - thanks
ASKER CERTIFIED SOLUTION
chow8400
Hi Chow8400 - The ASA 5505 doesn't do subinterfaces according to the manual - So the only way to allow traffic to pass from vlan 3 to vlan 1 is to trunk them together? I've never seen any other equip trunking play well with Cisco trunking.

Basically I have a network VLAN for wireless / media (vlan3); its gateway is the vlan 3 port on the ASA 5505.

Everything communicates on each VLAN respectively, i.e. vlan 3 devices can communicate with other vlan 3 devices but not with vlan 1 devices, the same is true for vlan 1 - vlan devices communicate with vlan1 devices but not with vlan 3 devices - router on a stick is starting to look pretty good! I can't believe the ASA can't do this! I'll start reading over the other docs you sent and see if anything hits - thanks
This is what the log shows:

No translation group found for udp src name:x.x.x.x
Hi Chow - I'm getting there! The links provided were helpful, thanks. I'll repost another question as this could go on forever! Thanks
Hey dude, sorry about that, I've been so busy and off the internet for a while. I hope everything did work out in the long run for you, and if anything you can always send an email...