Cisco ASA allowing traffic between VLAN's

Hello,

Trying to get specific traffic to flow between VLANs on a 5505.  Basically I have 3 networks: Internet, VLAN 1 and VLAN 2.  VLAN 1 is where all of our servers are and VLAN is where all of our RDP workstations are.  We only want to allow certain traffic to go from VLAN 2 to VLAN 1 (such as RDP, telnet, etc) .  All traffic can go from VLAN 1 to VLAN 2.  Both VLAN1 and 2 can access the internet.  

Any thoughts?

Thanks,
Mike
LVL 1
ClearBlueTechnologiesAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Pete LongTechnical ConsultantCommented:
First make sure you have a security plus license.
Cisco ASA 5505 Routing Between Two (Internal) VLANS
0
ClearBlueTechnologiesAuthor Commented:
Yes, it has a security plus license.

Thanks for the example!  Is there a difference in the config if you want to allow traffic from two vlans that have difference security levels?  In my situation I need to allow the VLAN2 (security 50) access to VLAN1 (security 100) over specific ports (RDP, Telnet, etc).
0
Pete LongTechnical ConsultantCommented:
To go from a less secure to a more secure interface you simply need to allow the traffic with an ACL (if your os is older than 8.4 you also need a nat statement).

P
0
Feroz AhmedSenior Network EngineerCommented:
Hi,

In your question you have mentioned clearly stating you have only 3 Networks i.e Internet,VLAN1 and VLAN2 what about VLAN where your RDP workstations are present ,did you define VLAN in ASA if so where is VLAN present is it outside or Inside and where is VLAN1 and VLAN2 present in your network inside or outside .
Supposing ne of the VLAN is inside the network then the command is as below :

ASA(config-t)#access-list 101 permit icmp any any (Once you give this command you can directly ping to outside network )
ASA(config-t)#Access-list 101 permit ip any any echo reply (Once you give this command you can directly ping from outside network to Inside network).

Supposing if you want VLANs to access certain traffic such as RDP or Telnet then one can configure VLANs in such a way that is shown below :

VLAN1#switchport access vlan1
Vlan1#int fa01
vlan1#access-list 101 permit ip any any
VLAN1#access-group 101 in interface
VLAN1# No shut

In the similar way one can configure which interface on VLAN1 and VLAN2 should interact in order to share the same information.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.