Cisco ASA 8.4 Syntax - inter/intra vlan setup

Posted on 2013-08-29
Last Modified: 2013-09-03
I am trying to get inter-vlan routing working on an ASA. I'm not up to date on 8.3+ syntax yet.

I am trying to give a device on the AV VLAN the ability to access all devices on the inside VLAN.

I created an object called KSCAPE. This is the device on the AV VLAN that needs to be accessible to all devices on the inside VLAN.

Here is what I have:

interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxx 
interface Vlan5
 nameif Guest
 security-level 50
 ip address 
interface Vlan7
 nameif AV
 security-level 75
 ip address 
boot system disk0:/asa846-k8.bin

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
object network Inside_Subnet

object network KSCAPE

access-list inbound extended permit icmp any any echo-reply 
access-list inbound extended permit icmp any any time-exceeded 
access-list inbound extended permit icmp any any unreachable 
access-list inbound extended permit icmp any any echo 

mtu inside 1500
mtu outside 1500
mtu Guest 1500
mtu AV 1500

nat (inside,AV) source static Inside_Subnet Inside_Subnet destination static KSCAPE KSCAPE no-proxy-arp
nat (AV,inside) source static KSCAPE KSCAPE destination static Inside_Subnet Inside_Subnet no-proxy-arp

object network obj_any
 nat (inside,outside) dynamic interface
object network AV_Subnet
 nat (AV,outside) dynamic interface

access-group AV in interface inside
access-group inbound in interface outside


These are just the portions I think are necessary. I think I am missing the access list, but could someone tell me if my NAT statements are right and how I should set up the access-lists to allow this to work?

Question by: farroar

Accepted Solution

rauenpc earned 2000 total points
ID: 39452327
The NAT portion looks OK. You should only need to apply an access list on the inbound side of the AV VLAN to permit traffic.

access-list AV extended permit ip object KSCAPE object Inside_Subnet

Author Comment

ID: 39453289
I'll give that a try. Now, I'm also new to packet tracer within the ASA. My target it How can I confirm that the traffic is good in PT? Does the source IP address need to be valid? Or more specifically, does PT send any packets or is it just a virtualization of what would happen?

Expert Comment

ID: 39453317
It's just a virtualization, but it will cause certain counters to go up. The IPs in the PT don't need to actually be an active device, but you will need to be accurate if there is a specific host rule you are matching.
For you, the PT should probably be

packet-tracer input AV tcp 55005 80

The '55005' is just a random ephemeral port, and '80' just simulates www.
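Pulling the accepted answer's access-list and the packet-tracer check together, here is an added ASA 8.4 fragment (not from the thread's participants) that applies the ACL inbound on the AV interface, where the question's config had instead bound it to inside. The addresses are placeholders, and the deny/permit lines for the rest of the AV VLAN are an assumption about intent: AV is security-level 75 and inside is 100, so once any ACL is bound to AV the implicit permit toward lower-security interfaces is gone and Internet access for the other AV hosts must be permitted explicitly.

```cisco
! Objects referenced by the NAT and ACL lines (addresses are placeholders)
object network KSCAPE
 host <KSCAPE-ip>
object network Inside_Subnet
 subnet <inside-network> <inside-mask>
object network AV_Subnet
 subnet <av-network> <av-mask>

! Identity (twice) NAT in both directions, as in the question; no-proxy-arp
! keeps the ASA from answering ARP for the untranslated addresses
nat (inside,AV) source static Inside_Subnet Inside_Subnet destination static KSCAPE KSCAPE no-proxy-arp
nat (AV,inside) source static KSCAPE KSCAPE destination static Inside_Subnet Inside_Subnet no-proxy-arp

! Accepted answer: only KSCAPE may initiate traffic from AV into the inside VLAN.
! Return traffic is allowed by the stateful connection table, so no inside-side ACL is needed.
access-list AV remark KSCAPE -> inside VLAN (accepted answer)
access-list AV extended permit ip object KSCAPE object Inside_Subnet
! Assumption: every other AV host keeps Internet access but stays out of inside.
! Ordering matters; the deny must precede the broad permit, and an implicit deny ends the list.
access-list AV remark rest of AV VLAN: no inside access, Internet only
access-list AV extended deny ip object AV_Subnet object Inside_Subnet
access-list AV extended permit ip object AV_Subnet any

! Bind the ACL inbound on the AV interface (the question bound it to inside by mistake)
access-group AV in interface AV

! Verification, from the expert comment, with the elided addresses filled by placeholders:
! simulate KSCAPE opening a web connection to an inside host and read the per-phase verdict
packet-tracer input AV tcp <KSCAPE-ip> 55005 <inside-host-ip> 80 detailed
! Counters that should move: the ACL hit count and the matching NAT rule's translate_hits
show access-list AV
show nat detail
```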
