
Cisco ASA 8.4 Syntax - inter/intra vlan setup

Asked by farroar in Cisco
I am trying to get inter-vlan routing working on an ASA. I'm not up to date on 8.3+ syntax yet.

I am trying to give a device on the AV VLAN the ability to access all devices on the inside VLAN.

I created an object called KSCAPE. This is the device on the AV VLAN that needs to be accessible to all devices on the inside VLAN.

Here is what I have:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.19.130.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxx 
!
interface Vlan5
 nameif Guest
 security-level 50
 ip address 172.16.1.1 255.255.255.0 
!
interface Vlan7
 nameif AV
 security-level 75
 ip address 192.168.1.1 255.255.255.0 
!
boot system disk0:/asa846-k8.bin

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Inside_Subnet
 subnet 10.19.130.0 255.255.255.0

object network KSCAPE
 host 192.168.1.240

access-list inbound extended permit icmp any any echo-reply 
access-list inbound extended permit icmp any any time-exceeded 
access-list inbound extended permit icmp any any unreachable 
access-list inbound extended permit icmp any any echo 



mtu inside 1500
mtu outside 1500
mtu Guest 1500
mtu AV 1500


nat (inside,AV) source static Inside_Subnet Inside_Subnet destination static KSCAPE KSCAPE no-proxy-arp
nat (AV,inside) source static KSCAPE KSCAPE destination static Inside_Subnet Inside_Subnet no-proxy-arp

object network obj_any
 nat (inside,outside) dynamic interface
object network AV_Subnet
 nat (AV,outside) dynamic interface

access-group AV in interface inside
access-group inbound in interface outside

These are just the portions I think are necessary. I think I am missing the access list, but can someone tell me whether my NAT statements are right and how I should set up the access lists to allow this to work?

Thanks
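
A consistency check over the excerpt posted in the question, as an added example that is not part of the original post or of any answer: it cross-references the `access-group`, `access-list`, `object network` and `nameif` lines and reports names that are used but not defined in what was pasted. The `audit` function and the trimmed `CONFIG` sample are constructed for illustration; a finding may only mean the line was left out of the excerpt.

```python
import re
# Constructed sample: the reference-bearing lines from the excerpt in the question.
CONFIG = """\
interface Vlan1
 nameif inside
interface Vlan2
 nameif outside
interface Vlan5
 nameif Guest
interface Vlan7
 nameif AV
object network Inside_Subnet
 subnet 10.19.130.0 255.255.255.0
object network KSCAPE
 host 192.168.1.240
access-list inbound extended permit icmp any any echo
object network AV_Subnet
 nat (AV,outside) dynamic interface
access-group AV in interface inside
access-group inbound in interface outside
"""

def audit(config):
    """Return cross-reference findings for an ASA 8.3+ config excerpt."""
    nameifs = set(re.findall(r"^ nameif (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    groups = re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M)
    declared, addressed, current = set(), set(), None
    for line in config.splitlines():
        header = re.match(r"object network (\S+)", line)
        if header:
            current = header.group(1)
            declared.add(current)
        elif not line.startswith(" "):
            current = None          # left the object stanza
        elif current and re.match(r" (host|subnet|range|fqdn) ", line):
            addressed.add(current)  # stanza gives the object an address
    findings = [f"ACL '{acl}' bound to '{ifc}' has no access-list lines"
                for acl, ifc in groups if acl not in acls]
    for obj in sorted(declared - addressed):
        findings.append(f"object '{obj}' is never given an address")
    # Without an inbound ACL an interface falls back to security-level rules.
    for ifc in sorted(nameifs - {ifc for _, ifc in groups}):
        findings.append(f"no access-group on interface '{ifc}'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```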