Avatar of farroar
farroarFlag for United States of America

asked on 

Cisco ASA 8.4 Syntax - inter/intra vlan setup

I am trying to get inter-vlan routing working on an ASA. I'm not up to date on 8.3+ syntax yet.

I am trying to get a device on the AV VLAN the ability to access all devices on the inside VLAN.

I created an object called KSCAPE. This is the device on the AV VLAN that needs to be accessible to all devices on the inside VLAN.

Here is what I have

interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxx 
interface Vlan5
 nameif Guest
 security-level 50
 ip address 
interface Vlan7
 nameif AV
 security-level 75
 ip address 
boot system disk0:/asa846-k8.bin

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
object network Inside_Subnet

[b]object network KSCAPE

access-list inbound extended permit icmp any any echo-reply 
access-list inbound extended permit icmp any any time-exceeded 
access-list inbound extended permit icmp any any unreachable 
access-list inbound extended permit icmp any any echo 

mtu inside 1500
mtu outside 1500
mtu Guest 1500
mtu AV 1500

nat (inside,AV) source static Inside_Subnet Inside_Subnet destination static KSCAPE KSCAPE no-proxy-arp
nat (AV,inside) source static KSCAPE KSCAPE destination static Inside_Subnet Inside_Subnet no-proxy-arp

object network obj_any
 nat (inside,outside) dynamic interface
object network AV_Subnet
 nat (AV,outside) dynamic interface

access-group AV in interface inside
access-group inbound in interface outside

Open in new window

This is just the portions I think are necessary. I think I am missing the access list but if someone can tell me if my NAT statements are right and how I should set up the access-lists to allow this to work.


Avatar of undefined
Last Comment
Avatar of rauenpc
Flag of United States of America image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of farroar
Flag of United States of America image


I'll give that a try. Now, I'm also new to packet tracer within the ASA. My target it How can I confirm that the traffic is good in PT? Does the source IP address need to be valid? Or more specifically, does PT send any packets or is it just a virtualization of what would happen?
Avatar of rauenpc
Flag of United States of America image

It's just a virtualization, but it will cause certain counters to go up. The IP's in the PT don't need to actually be an active device, but you will need to be accurate if there is a specific host rule you are matching.
For you, the PT should probably be

packet-tracer input AV tcp 55005 80

the '55005' is just a random ephemeral port, and '80' just simulates www.

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo