Cisco ASA 8.4 Syntax - inter/intra vlan setup

I am trying to get inter-vlan routing working on an ASA. I'm not up to date on 8.3+ syntax yet.

I am trying to give a device on the AV VLAN the ability to access all devices on the inside VLAN.

I created an object called KSCAPE. This is the device on the AV VLAN that needs to be accessible to all devices on the inside VLAN.

Here is what I have

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.19.130.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxx 
!
interface Vlan5
 nameif Guest
 security-level 50
 ip address 172.16.1.1 255.255.255.0 
!
interface Vlan7
 nameif AV
 security-level 75
 ip address 192.168.1.1 255.255.255.0 
!
boot system disk0:/asa846-k8.bin

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Inside_Subnet
 subnet 10.19.130.0 255.255.255.0

object network KSCAPE
 host 192.168.1.240

access-list inbound extended permit icmp any any echo-reply 
access-list inbound extended permit icmp any any time-exceeded 
access-list inbound extended permit icmp any any unreachable 
access-list inbound extended permit icmp any any echo 



mtu inside 1500
mtu outside 1500
mtu Guest 1500
mtu AV 1500


nat (inside,AV) source static Inside_Subnet Inside_Subnet destination static KSCAPE KSCAPE no-proxy-arp
nat (AV,inside) source static KSCAPE KSCAPE destination static Inside_Subnet Inside_Subnet no-proxy-arp

object network obj_any
 nat (inside,outside) dynamic interface
object network AV_Subnet
 nat (AV,outside) dynamic interface

access-group AV in interface inside
access-group inbound in interface outside



These are just the portions I think are necessary. I think I am missing the access list, but could someone tell me if my NAT statements are right and how I should set up the access-lists to allow this to work?

Thanks
farroar Asked:

rauenpc Commented:
The NAT portion looks OK. You should only need to apply an access list on the inbound side of the AV VLAN to permit traffic.

access-list AV extended permit ip object KSCAPE object Inside_Subnet
0

farroar (Author) Commented:
I'll give that a try. Now, I'm also new to packet tracer within the ASA. My target is 192.168.1.240. How can I confirm that the traffic is good in PT? Does the source IP address need to be valid? Or more specifically, does PT send any packets or is it just a virtualization of what would happen?
0
rauenpc Commented:
It's just a virtualization, but it will cause certain counters to go up. The IPs in the PT don't need to actually be an active device, but you will need to be accurate if there is a specific host rule you are matching.
For you, the PT should probably be

packet-tracer input AV tcp 192.168.1.240 55005 10.19.130.100 80

The '55005' is just a random ephemeral port, and '80' just simulates www.
0
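To make the two answers concrete, here is an added Python model (written for this page, not code from the thread or from Cisco) of the ASA ingress check, using the interfaces, objects and ACLs quoted above. It assumes a simplified rule set: if an access-group is bound inbound on the ingress interface that ACL alone decides (implicit deny), otherwise the security-level default applies; NAT, routing and return traffic are not modelled, and the outside host 203.0.113.10 is a constructed sample address.

```python
import ipaddress

# Interfaces from the question: nameif -> security-level.
SECURITY = {"inside": 100, "outside": 0, "Guest": 50, "AV": 75}
SAME_SECURITY_INTER = True   # same-security-traffic permit inter-interface

# Network objects from the question ("any" stands in for the ACL keyword).
OBJECTS = {
    "Inside_Subnet": ipaddress.ip_network("10.19.130.0/24"),
    "KSCAPE": ipaddress.ip_network("192.168.1.240/32"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

# ACL entries as (protocol, source object, destination object), in order.
ACL_INBOUND = [("icmp", "any", "any")]          # the four icmp lines, collapsed
ACL_AV = [("ip", "KSCAPE", "Inside_Subnet")]    # rauenpc's suggested entry

# access-group bindings: nameif -> ACL applied "in" on that interface.
AS_POSTED = {"inside": ACL_AV, "outside": ACL_INBOUND}   # as in the question
AS_SUGGESTED = {"AV": ACL_AV, "outside": ACL_INBOUND}    # as in the answer


def acl_permits(acl, proto, src, dst):
    """First-match evaluation, ending in the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p, s, d in acl:
        if p in ("ip", proto) and src in OBJECTS[s] and dst in OBJECTS[d]:
            return True
    return False


def allowed(bindings, in_if, out_if, proto, src, dst):
    """Does the first packet of a flow entering in_if toward out_if pass?

    Simplified model (assumption): an ACL bound inbound on the ingress
    interface replaces the default entirely; with no ACL, higher-to-lower
    security passes, lower-to-higher is dropped, and equal levels need
    same-security-traffic permit inter-interface. NAT/routing are ignored."""
    if in_if in bindings:
        return acl_permits(bindings[in_if], proto, src, dst)
    s_in, s_out = SECURITY[in_if], SECURITY[out_if]
    if s_in == s_out:
        return SAME_SECURITY_INTER
    return s_in > s_out
```

Evaluating the packet-tracer flow from the thread (AV, tcp 192.168.1.240 to 10.19.130.100:80) passes only once ACL AV is bound on the AV interface; with it bound on inside as posted, inside hosts fail the ingress check toward outside because the ACL's implicit deny replaces the security-level default.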