Cisco ASA 8.4 Syntax - inter/intra vlan setup
I am trying to get inter-vlan routing working on an ASA. I'm not up to date on 8.3+ syntax yet.
I am trying to get a device on the AV VLAN the ability to access all devices on the inside VLAN.
I created an object called KSCAPE. This is the device on the AV VLAN that needs to be accessible to all devices on the inside VLAN.
Here is what I have
This is just the portions I think are necessary. I think I am missing the access list but if someone can tell me if my NAT statements are right and how I should set up the access-lists to allow this to work.
Thanks
I am trying to get a device on the AV VLAN the ability to access all devices on the inside VLAN.
I created an object called KSCAPE. This is the device on the AV VLAN that needs to be accessible to all devices on the inside VLAN.
Here is what I have
interface Vlan1
nameif inside
security-level 100
ip address 10.19.130.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxxxxxxxx
!
interface Vlan5
nameif Guest
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Vlan7
nameif AV
security-level 75
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa846-k8.bin
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Subnet
subnet 10.19.130.0 255.255.255.0
[b]object network KSCAPE
host 192.168.1.240[/b]
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any echo
mtu inside 1500
mtu outside 1500
mtu Guest 1500
mtu AV 1500
nat (inside,AV) source static Inside_Subnet Inside_Subnet destination static KSCAPE KSCAPE no-proxy-arp
nat (AV,inside) source static KSCAPE KSCAPE destination static Inside_Subnet Inside_Subnet no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
object network AV_Subnet
nat (AV,outside) dynamic interface
access-group AV in interface inside
access-group inbound in interface outside
This is just the portions I think are necessary. I think I am missing the access list but if someone can tell me if my NAT statements are right and how I should set up the access-lists to allow this to work.
Thanks
Last Comment
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
It's just a virtualization, but it will cause certain counters to go up. The IP's in the PT don't need to actually be an active device, but you will need to be accurate if there is a specific host rule you are matching.
For you, the PT should probably be
packet-tracer input AV tcp 192.168.1.240 55005 10.19.130.100 80
the '55005' is just a random ephemeral port, and '80' just simulates www.
For you, the PT should probably be
packet-tracer input AV tcp 192.168.1.240 55005 10.19.130.100 80
the '55005' is just a random ephemeral port, and '80' just simulates www.
Cisco
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).
27K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
ASKER