Avatar of farroar
farroarFlag for United States of America asked on

Cisco ASA 8.4 Syntax - inter/intra vlan setup

I am trying to get inter-vlan routing working on an ASA. I'm not up to date on 8.3+ syntax yet.

I am trying to get a device on the AV VLAN the ability to access all devices on the inside VLAN.

I created an object called KSCAPE. This is the device on the AV VLAN that needs to be accessible to all devices on the inside VLAN.

Here is what I have

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.19.130.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxx 
!
interface Vlan5
 nameif Guest
 security-level 50
 ip address 172.16.1.1 255.255.255.0 
!
interface Vlan7
 nameif AV
 security-level 75
 ip address 192.168.1.1 255.255.255.0 
!
boot system disk0:/asa846-k8.bin

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Inside_Subnet
 subnet 10.19.130.0 255.255.255.0

[b]object network KSCAPE
 host 192.168.1.240[/b]

access-list inbound extended permit icmp any any echo-reply 
access-list inbound extended permit icmp any any time-exceeded 
access-list inbound extended permit icmp any any unreachable 
access-list inbound extended permit icmp any any echo 



mtu inside 1500
mtu outside 1500
mtu Guest 1500
mtu AV 1500


nat (inside,AV) source static Inside_Subnet Inside_Subnet destination static KSCAPE KSCAPE no-proxy-arp
nat (AV,inside) source static KSCAPE KSCAPE destination static Inside_Subnet Inside_Subnet no-proxy-arp

object network obj_any
 nat (inside,outside) dynamic interface
object network AV_Subnet
 nat (AV,outside) dynamic interface

access-group AV in interface inside
access-group inbound in interface outside

Open in new window


This is just the portions I think are necessary. I think I am missing the access list but if someone can tell me if my NAT statements are right and how I should set up the access-lists to allow this to work.

Thanks
Cisco

Avatar of undefined
Last Comment
rauenpc

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
rauenpc

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
farroar

I'll give that a try. Now, I'm also new to packet tracer within the ASA. My target it 192.168.1.240. How can I confirm that the traffic is good in PT? Does the source IP address need to be valid? Or more specifically, does PT send any packets or is it just a virtualization of what would happen?
rauenpc

It's just a virtualization, but it will cause certain counters to go up. The IP's in the PT don't need to actually be an active device, but you will need to be accurate if there is a specific host rule you are matching.
For you, the PT should probably be

packet-tracer input AV tcp 192.168.1.240 55005 10.19.130.100 80

the '55005' is just a random ephemeral port, and '80' just simulates www.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck