Permit traffic between two VLAN and internal network on Cisco ASA 5510

Hello,
I am fairly new with Cisco ASA 5510 and would like some help. I would like to permit traffic between internal LAN (eth0/1; sec lvl 100) and VLAN 95 (subint eth0/1.95; sec lvl 100).

Here is the following endstate that I am trying to achieve:
-Server1 can send/receive to any device on VLAN 95
-Any device on VLAN 95 can send/receive traffic to Server1

What I have done so far:
-Create the VLAN interface
-Enable DHCP relay on VLAN interface

FYI:
-Traffic between two or more interfaces which are configured with same security levels is unchecked
-Traffic between two or more hosts connected to the same interface is unchecked

I am comfortable with CLI and ADSM, so hopefully this helps with giving advice in either format.

Thanks in advance!
PhantomStrykerAsked:
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
If both interfaces are configured with the same security level and "Traffic between two or more interfaces which are configured with same security levels" is enabled, then you should be able to achieve your goals.

Can you run the command below in your ASA CLI and paste the output here?

#sh run int

I am OK to have a look into your configuration through TeamViewer, if you are OK with that.

Thanks
PhantomStrykerAuthor Commented:
Here are the results of "sh run int":

Awesome-ASA# sh run int
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ###.##.##.## 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.100.0.254 255.255.0.0
!
interface Ethernet0/1.75
 description SS IP Phones
 vlan 75
 nameif SS-Phones
 security-level 100
 ip address 192.168.75.254 255.255.255.0
!
interface Ethernet0/1.95
 description HP Terminal Network
 vlan 95
 nameif SS-HPTerm
 security-level 100
 ip address 192.168.95.254 255.255.255.0
!
interface Ethernet0/2
 nameif clinic-dmz
 security-level 20
 ip address 192.168.254.1 255.255.255.0
!
interface Ethernet0/2.100
 vlan 100
 nameif guest-dmz
 security-level 10
 ip address 192.168.253.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
Pete LongTechnical ConsultantCommented:
This shouldn't work?

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.100.0.254 255.255.0.0
!
interface Ethernet0/1.75
 description SS IP Phones
 vlan 75
 nameif SS-Phones
 security-level 100
 ip address 192.168.75.254 255.255.255.0
!
interface Ethernet0/1.95
 description HP Terminal Network
 vlan 95
 nameif SS-HPTerm
 security-level 100
 ip address 192.168.95.254 255.255.255.0
!

The parent physical interface should have no config on it?

See Cisco ASA 5500 - Sub Interfaces and VLANS

Pete
PhantomStrykerAuthor Commented:
There is a server in the internal network (10.100.X.X/16) that needs to talk/connect to all the devices in VLAN 95, and the devices on VLAN 95 need to respond back to that server.

I just need to figure out how to create the "rules" on the firewall to allow the two networks to talk to each other. For example: allow ping on both networks to see if the devices on VLAN 95 can see the host Server1 on the internal network and vice versa.
Benjamin Van DitmarsSr Network EngineerCommented:
You need to add some of the old "exempt" NAT rules and make ACLs, then you're all done.
And it is allowed to use the native interface of a trunk port, no problem.
Pete LongTechnical ConsultantCommented:
You're missing my point.

Your config looks like this:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.100.0.254 255.255.0.0
!
interface Ethernet0/1.75
 description SS IP Phones
 vlan 75
 nameif SS-Phones
 security-level 100
 ip address 192.168.75.254 255.255.255.0
!
interface Ethernet0/1.95
 description HP Terminal Network
 vlan 95
 nameif SS-HPTerm
 security-level 100
 ip address 192.168.95.254 255.255.255.0
!


It should look like this:


interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.1
 description Inside
 vlan 1
 nameif inside
 security-level 100
 ip address 10.100.0.254 255.255.0.0
!
interface Ethernet0/1.75
 description SS IP Phones
 vlan 75
 nameif SS-Phones
 security-level 90
 ip address 192.168.75.254 255.255.255.0
!
interface Ethernet0/1.95
 description HP Terminal Network
 vlan 95
 nameif SS-HPTerm
 security-level 90
 ip address 192.168.95.254 255.255.255.0
!

Pete
PhantomStrykerAuthor Commented:
Thanks Pete! If I make these changes will the ACL follow as well or will I have to modify the ACL to reflect the new interfaces? I ask because we use a Barracuda spam filter to relay mail to Exchange and a Barracuda web filter to proxy internet traffic.
Pete LongTechnical ConsultantCommented:
As long as the ACL is bound to an interface with the same name you won't need to change the access-lists :)

Barracuda is a swear word - spent all afternoon looking around the data centre for a Barracuda 300, finally found it, and it was not plugged in. Bah.

P
PhantomStrykerAuthor Commented:
I was able to resolve the issue by creating 2 rules on Internal interface and the subinterface (total of 4 rules). I also took Pete's advice and changed the security level on the subinterfaces. I am up and working and the traffic is good to go!

Now to tackle the Barracuda with a fork and tartar sauce!
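The thread does not show the rules the author ended up with, so here is an added example (not the author's or Cisco's configuration) of what the "2 rules per interface, plus NAT exemption" outcome looks like on Pete's layout: inside at security-level 100 and SS-HPTerm lowered to 90, ASA 8.4+ object/twice-NAT syntax assumed, and a constructed Server1 address of 10.100.1.10 (not from the thread). The ACL is scoped to Server1 rather than the whole 10.100.0.0/16 so the VLAN cannot reach anything else on the inside.

```cisco
! Added example; Server1 = 10.100.1.10 is a constructed placeholder.
! 10.100.0.0/16 (inside) and 192.168.95.0/24 (vlan 95, nameif SS-HPTerm) are from the thread.
object network Server1
 host 10.100.1.10
object network VLAN95-NET
 subnet 192.168.95.0 255.255.255.0
!
! Inbound ACL on SS-HPTerm (90 -> 100). Lower-to-higher traffic is denied by
! default, so this is the only opening from the VLAN into the inside network.
! Port 443 is an illustrative service; replace with what Server1 actually serves.
access-list SS-HPTerm_access_in extended permit icmp object VLAN95-NET object Server1 echo
access-list SS-HPTerm_access_in extended permit tcp object VLAN95-NET object Server1 eq 443
access-list SS-HPTerm_access_in extended deny ip any any log
access-group SS-HPTerm_access_in in interface SS-HPTerm
!
! inside (100) -> SS-HPTerm (90) is allowed by default. If an inbound ACL is
! already applied on inside, it needs a matching entry, otherwise skip this:
access-list inside_access_in extended permit ip object Server1 object VLAN95-NET
!
! Identity NAT (the 8.3+ form of the old "nat 0"/exempt rule). Only needed when a
! broad dynamic PAT rule (e.g. inside -> outside for 10.100.0.0/16) would otherwise
! catch this flow; it keeps Server1 <-> VLAN 95 untranslated.
nat (inside,SS-HPTerm) source static Server1 Server1 destination static VLAN95-NET VLAN95-NET no-proxy-arp route-lookup
!
! Replies: TCP return traffic is handled by the stateful connection table. For
! ping, either rely on "inspect icmp" in the global policy-map, or the echo-reply
! from the VLAN back to Server1 must also be permitted in SS-HPTerm_access_in.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verify both directions without sending real traffic (192.168.95.20 is constructed).
packet-tracer input SS-HPTerm icmp 192.168.95.20 8 0 10.100.1.10
packet-tracer input inside tcp 10.100.1.10 12345 192.168.95.20 443
```

Both packet-tracer runs should end with "Action: allow"; a "drop" at the ACCESS-LIST phase points at the ACL, and a drop at the NAT phase means an existing NAT rule is catching the flow and the identity rule is needed.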

frankhelkCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- PhantomStryker (https:#a40911845)
-- Pete Long (https:#a40904177)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

frankhelk
Experts-Exchange Cleanup Volunteer