Solved

Cisco ASA allowing traffic between VLAN's

Posted on 2014-12-17
4
198 Views
Last Modified: 2015-04-16
Hello,

Trying to get specific traffic to flow between VLANs on a 5505.  Basically I have 3 networks: Internet, VLAN 1 and VLAN 2.  VLAN 1 is where all of our servers are and VLAN is where all of our RDP workstations are.  We only want to allow certain traffic to go from VLAN 2 to VLAN 1 (such as RDP, telnet, etc) .  All traffic can go from VLAN 1 to VLAN 2.  Both VLAN1 and 2 can access the internet.  

Any thoughts?

Thanks,
Mike
0
Comment
Question by:ClearBlueTechnologies
  • 2
4 Comments
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
First make sure you have a security plus license.
Cisco ASA 5505 Routing Between Two (Internal) VLANS
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
Comment Utility
Yes, it has a security plus license.

Thanks for the example!  Is there a difference in the config if you want to allow traffic from two vlans that have difference security levels?  In my situation I need to allow the VLAN2 (security 50) access to VLAN1 (security 100) over specific ports (RDP, Telnet, etc).
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
To go from a less secure to a more secure interface you simply need to allow the traffic with an ACL (if your os is older than 8.4 you also need a nat statement).

P
0
 
LVL 5

Accepted Solution

by:
Feroz Ahmed earned 500 total points
Comment Utility
Hi,

In your question you have mentioned clearly stating you have only 3 Networks i.e Internet,VLAN1 and VLAN2 what about VLAN where your RDP workstations are present ,did you define VLAN in ASA if so where is VLAN present is it outside or Inside and where is VLAN1 and VLAN2 present in your network inside or outside .
Supposing ne of the VLAN is inside the network then the command is as below :

ASA(config-t)#access-list 101 permit icmp any any (Once you give this command you can directly ping to outside network )
ASA(config-t)#Access-list 101 permit ip any any echo reply (Once you give this command you can directly ping from outside network to Inside network).

Supposing if you want VLANs to access certain traffic such as RDP or Telnet then one can configure VLANs in such a way that is shown below :

VLAN1#switchport access vlan1
Vlan1#int fa01
vlan1#access-list 101 permit ip any any
VLAN1#access-group 101 in interface
VLAN1# No shut

In the similar way one can configure which interface on VLAN1 and VLAN2 should interact in order to share the same information.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

If you are thinking of adopting cloud services, or just curious as to what ‘the cloud’ can offer then the leader according to Gartner for Infrastructure as a Service (IaaS) is Amazon Web Services (AWS).  When I started using AWS I was completely new…
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now