Cisco ASA 8.4 Syntax - inter/intra vlan setup

farroar used Ask the Experts™
I am trying to get inter-vlan routing working on an ASA. I'm not up to date on 8.3+ syntax yet.

I am trying to get a device on the AV VLAN the ability to access all devices on the inside VLAN.

I created an object called KSCAPE. This is the device on the AV VLAN that needs to be accessible to all devices on the inside VLAN.

Here is what I have

interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxx 
interface Vlan5
 nameif Guest
 security-level 50
 ip address 
interface Vlan7
 nameif AV
 security-level 75
 ip address 
boot system disk0:/asa846-k8.bin

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
object network Inside_Subnet

[b]object network KSCAPE

access-list inbound extended permit icmp any any echo-reply 
access-list inbound extended permit icmp any any time-exceeded 
access-list inbound extended permit icmp any any unreachable 
access-list inbound extended permit icmp any any echo 

mtu inside 1500
mtu outside 1500
mtu Guest 1500
mtu AV 1500

nat (inside,AV) source static Inside_Subnet Inside_Subnet destination static KSCAPE KSCAPE no-proxy-arp
nat (AV,inside) source static KSCAPE KSCAPE destination static Inside_Subnet Inside_Subnet no-proxy-arp

object network obj_any
 nat (inside,outside) dynamic interface
object network AV_Subnet
 nat (AV,outside) dynamic interface

access-group AV in interface inside
access-group inbound in interface outside

Open in new window

This is just the portions I think are necessary. I think I am missing the access list but if someone can tell me if my NAT statements are right and how I should set up the access-lists to allow this to work.

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
The NAT portion looks OK. You should only need to apply an access list on the inbound side of the AV VLAN to permit traffic.

access-list AV extended permit ip object KSCAPE object Inside_Subnet


I'll give that a try. Now, I'm also new to packet tracer within the ASA. My target it How can I confirm that the traffic is good in PT? Does the source IP address need to be valid? Or more specifically, does PT send any packets or is it just a virtualization of what would happen?

It's just a virtualization, but it will cause certain counters to go up. The IP's in the PT don't need to actually be an active device, but you will need to be accurate if there is a specific host rule you are matching.
For you, the PT should probably be

packet-tracer input AV tcp 55005 80

the '55005' is just a random ephemeral port, and '80' just simulates www.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial