• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 232
  • Last Modified:

Cisco ASA allowing traffic between VLAN's


Trying to get specific traffic to flow between VLANs on a 5505.  Basically I have 3 networks: Internet, VLAN 1 and VLAN 2.  VLAN 1 is where all of our servers are and VLAN is where all of our RDP workstations are.  We only want to allow certain traffic to go from VLAN 2 to VLAN 1 (such as RDP, telnet, etc) .  All traffic can go from VLAN 1 to VLAN 2.  Both VLAN1 and 2 can access the internet.  

Any thoughts?

  • 2
1 Solution
Pete LongTechnical ConsultantCommented:
First make sure you have a security plus license.
Cisco ASA 5505 Routing Between Two (Internal) VLANS
ClearBlueTechnologiesAuthor Commented:
Yes, it has a security plus license.

Thanks for the example!  Is there a difference in the config if you want to allow traffic from two vlans that have difference security levels?  In my situation I need to allow the VLAN2 (security 50) access to VLAN1 (security 100) over specific ports (RDP, Telnet, etc).
Pete LongTechnical ConsultantCommented:
To go from a less secure to a more secure interface you simply need to allow the traffic with an ACL (if your os is older than 8.4 you also need a nat statement).

Feroz AhmedSenior Network EngineerCommented:

In your question you have mentioned clearly stating you have only 3 Networks i.e Internet,VLAN1 and VLAN2 what about VLAN where your RDP workstations are present ,did you define VLAN in ASA if so where is VLAN present is it outside or Inside and where is VLAN1 and VLAN2 present in your network inside or outside .
Supposing ne of the VLAN is inside the network then the command is as below :

ASA(config-t)#access-list 101 permit icmp any any (Once you give this command you can directly ping to outside network )
ASA(config-t)#Access-list 101 permit ip any any echo reply (Once you give this command you can directly ping from outside network to Inside network).

Supposing if you want VLANs to access certain traffic such as RDP or Telnet then one can configure VLANs in such a way that is shown below :

VLAN1#switchport access vlan1
Vlan1#int fa01
vlan1#access-list 101 permit ip any any
VLAN1#access-group 101 in interface
VLAN1# No shut

In the similar way one can configure which interface on VLAN1 and VLAN2 should interact in order to share the same information.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now