route between interfaces in ASA 5505

SIDESHOWBLAH asked:
I have an ASA 5505 with a VLAN attached to interface E0/1 and a different VLAN attached to interface E0/2. Like so,

interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Vlan1
 nameif DMZ
 security-level 100
 ip address 66.192.1.1 255.255.255.192
!
interface Vlan3
 nameif Clean
 security-level 100
 ip address 66.192.1.65 255.255.255.192
!
My understanding was that these VLANs would route all traffic between them by default if they had identical security levels, and that I would need to limit that, but I get no traffic between them, even though traffic to the outside interface and the Internet works fine from either VLAN. Not sure where to look for this. Has anyone had a need to do this and have some ideas? Thanks
ITHD replied:

By default, traffic is not permitted between interfaces with identical security levels. Try this:

same-security-traffic permit inter-interface
access-list DMZ extended permit ip 66.192.1.0 255.255.255.192 any
access-list Clean extended permit ip 66.192.1.64 255.255.255.192 any
SIDESHOWBLAH (asker) replied:
Thanks for the note. That does not seem to have changed anything, at least that I can see. One thing I did notice looking at this over the weekend was that there is a NAT statement for each inside VLAN, which if removed stops my access to the Internet. I am not using any private IPs, so I am not sure why I would need to NAT anything.
If I look at the access-list log after attempting to pass traffic between these two VLANs, I do not see anything being logged. So it's almost like nothing is being routed, but I cannot see why.
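As an added example (not from the thread and not the accepted answer), here is a constructed ASA 8.2-style configuration that ties together ITHD's same-security-traffic and ACL suggestions with the NAT behaviour the asker noticed. It assumes the poster's per-VLAN NAT rules are pre-8.3 syntax with nat-control in effect, under which any flow that matches no NAT rule is dropped before a connection is built; the rule and ACL names (DMZ_NONAT, CLEAN_NONAT, DMZ_in, Clean_in) and the host addresses in the packet-tracer lines are assumptions.

```cisco
! Added example, not from the original thread. Assumes pre-8.3 (nat-control)
! syntax, i.e. that the poster's per-VLAN "nat (...)" rules are 8.2 style.
! Names DMZ_NONAT, CLEAN_NONAT, DMZ_in and Clean_in are illustrative.

! 1. Allow forwarding between interfaces that share a security level.
!    Without this line, same-level traffic is dropped regardless of ACLs.
same-security-traffic permit inter-interface

! 2. Identity NAT ("NAT exemption") between the two /26s. With nat-control,
!    a flow matching no nat rule is dropped with syslog 305005
!    (No translation group found), not with an ACL deny, so the ACL log
!    stays empty. nat 0 access-list takes precedence over the dynamic
!    nat/global rules used for Internet access, which stay in place.
access-list DMZ_NONAT extended permit ip 66.192.1.0 255.255.255.192 66.192.1.64 255.255.255.192
nat (DMZ) 0 access-list DMZ_NONAT
access-list CLEAN_NONAT extended permit ip 66.192.1.64 255.255.255.192 66.192.1.0 255.255.255.192
nat (Clean) 0 access-list CLEAN_NONAT

! 3. Interface ACLs. Only needed if an access-group is bound to the
!    interface; once one is, anything not permitted is denied, including
!    same-security traffic. These are the broad permits ITHD suggested;
!    tighten them to the services actually required between the VLANs.
access-list DMZ_in extended permit ip 66.192.1.0 255.255.255.192 any
access-group DMZ_in in interface DMZ
access-list Clean_in extended permit ip 66.192.1.64 255.255.255.192 any
access-group Clean_in in interface Clean

! 4. Verify instead of guessing: packet-tracer names the phase
!    (ACCESS-LIST, NAT, ...) that drops a flow. Addresses are assumed hosts.
packet-tracer input DMZ icmp 66.192.1.10 8 0 66.192.1.70
packet-tracer input Clean tcp 66.192.1.70 1025 66.192.1.10 80
```

Run the two packet-tracer lines after applying the change; a drop in the NAT phase confirms the nat-control explanation, a drop in the ACCESS-LIST phase points at the interface ACLs. On ASA 8.3 and later the nat 0 access-list form no longer exists and identity NAT is written as an object NAT or twice NAT rule instead, while same-security-traffic permit inter-interface is unchanged.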
ASKER CERTIFIED SOLUTION
Benjamin Van Ditmars
This solution is only available to members.