Solved

security levels and Vlans

Posted on 2014-12-11
4
53 Views
Last Modified: 2015-03-13
We have a number of Vlans with different security levels.  When all the Vlans are set with the same security level on our ASA 5545, the Vlans can communicate.

When i change the Vlans to different security levels, they cannot communicate.  

Is there a command i can use to enable this?
0
Comment
Question by:beckredder
  • 2
  • 2
4 Comments
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
Comment Utility
Yes, you need to create an access list for the higher vlan which allows traffic to the lower vlan.

access-list dmz extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.31.43 range 1433 1434

where dmz has subnet 192.168.1.0/24 and has a security level higher than 172.16.31.43.
0
 

Author Comment

by:beckredder
Comment Utility
without any rules other than the implicit deny for interfaces accessing higher from lower shouldn't hosts in the higher vlan be able to access hosts in the lower vlan?

I add a rule between the two hosts allowing access from the lower to the higher and I then can ping both ways.  Remove the rule and I cannot ping.

How do I configure it so that only the higher vlan is able to ping the lower vlan?

Its like ICMP traffic isn't allowed to make the round trip without the rule in place.
0
 
LVL 28

Expert Comment

by:Jan Springer
Comment Utility
oh gosh, yes, I had that backwards.  what does packet-tracer show?

packet-tracer input ZONE PROTO ORIGIN_IP 65535 DEST_IP DEST_PORT

i.e.,

packet-tracer input inside tcp 172.16.31.43 65535 192.168.1.34 eq 1433 detail
0
 

Author Comment

by:beckredder
Comment Utility
I've requested that this question be deleted for the following reason:

wrong question
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
There are many useful and sometimes not well documented or forgotten IOS or ASA/PIX commands. See IPE article here , there was also one on PacketU and on Cisco Tips & Tricks. Below are my favorites. I give also a few most often used for Cisco IPS an…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now