Cisco Firewall :: ASA5525x - Restrict Inter-vlan Traffic
Jan 11, 2013
I have a customer who has the SVIs configured on the Core (4500x), and this is connected to an ASA 5525x. There is a requirement of restricting traffic between different VLANs. How can I use the ASA to accomplish this task? ACLs on the switch are not stateful and hence I am not considering this option. Also, we are not planning to configure the GWs on the ASA, since there is a lot of traffic between the VLANs and this would become a bottleneck.
May 9, 2011
I just received my rv220w and perhaps I haven't got enough experience with cisco routers. How can I restrict traffic between different VLANs?
For example: hosts in one VLAN shall only be allowed to access a web server in another VLAN. All other traffic should be blocked. I've created two VLANs with Inter VLAN Routing enabled. But it seems there's no way to install a firewall rule between VLANs.
Oct 21, 2011
I am doing a set-up having the ASA as my Layer 3 device providing inter-VLAN communication. ASA with 8.3 firmware. How can I achieve this goal? I am trying to follow some answered topic related to this, but it's pre 8.3. VLANs created on the same physical interface have the same security level.
Jul 8, 2012
I've been reading all over the internet (including this site) trying to figure out if the ASA can handle inter-VLAN routing. I'm not sure what I am missing on my config to get this to work. I've read that it can work and I've read that it can't work. How do I get this to work on my ASA 5505?
Here is my setup
Cable Modem ---> ASA (eth0/0)
(eth0/2) --> unmanaged switch for LAN connectivity
(eth0/3) --> access point for wireless LAN connectivity
My config is attached.
What I would like to do is be able to communicate between vlan3 (LAN) and vlan4 (Wireless LAN).
What's strange is I can RDP between the two VLANs, but I can't ping or anything else.
Jul 31, 2011
We use Cisco AnyConnect with a Cisco ASA 5520 firewall. Today I changed the IP of the firewall's inside interface because I needed to do some inter-VLAN routing and needed to move the inside interface from the LAN VLAN to a routed port on our 3750.
Now people can VPN in and authenticate to the MS RADIUS inside, but cannot access any network resources nor ping anything inside.
Jul 26, 2010
I am a complete novice at networking, but I was tasked to have an ASA 5520 do inter-VLAN routing (since my shop doesn't have a layer 3 router). As a basic setup, I am trying to have three workstations on three different VLANs communicate with each other. The attached screenshot shows the topology. I am unable to ping from a PC to the ASA... therefore I can't ping to other VLANs.
ROUTER CONFIG:
ciscoasa# show run
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name null
enable password ###### encrypted
passwd ###### encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif vlan20
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif vlan30
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface
[code]....
Nov 24, 2011
I have an ASA 5520 and an SSM-10 module. During a copy between VLANs connected to a gigabit port of the ASA, the speed is up to 6,5 Mbyte/sec. Network cards and the trunked switch are gigabit. I've temporarily disabled the SSM, but it didn't work. Here is my config. Also I found out that putting the SSM into bypass mode solves the problem. But I don't send any traffic to the IPS. [code]
Apr 23, 2013
I want to collect the logging messages about the ASA5525X IPS events from the devices to a server running a syslog daemon, and I have no need to collect any other logging messages about the firewall. How would I configure logging for this?
Dec 16, 2012
Our firewall is brand new: ASA5525X.
Today, during a packet_trace to debug a routing problem, the active ASA (thsasaprd02) crashed suddenly.
I was able to copy-paste the console, including the command that triggered it. After the reboot I ran the command again on the same ASA, after doing a manual failover, and the command succeeded normally.
Jan 17, 2013
I've got a client with a Management Port set up for Out-of-Band management. Here's the configuration of the interface and some relevant static routes:
interface Management0/0
description MGT
speed 100
duplex full
nameif Mgt
[code]...
The route through the Mgt interface is required, as my client accesses the device from a subnet that isn't local to M0/0. Unfortunately, now any traffic originating from outside and destined to 10.48.0.0/16 is choosing the Mgt interface. I had thought that the 'management-only' keyword prevents this from happening (traffic traversing between interfaces).
There is a broad scope of /16 addresses on the 'inside', so just swapping destinations won't work (the client wants to avoid a routing table with 50+ static entries, understandably). My temporary solution was to do this:
route inside 10.0.0.0 255.128.0.0 10.38.103.1
route inside 10.128.0.0 255.128.0.0 10.38.103.1
route Mgt 10.0.0.0 255.0.0.0 10.38.100.254
If 'management-only' doesn't prevent traffic from using the Mgt interface, what is the point of the command?
Sep 7, 2012
Can I configure two IPsec tunnels in an ASA5525X when the destination is the same?
Aug 15, 2011
I have a Cisco ASA 5505 that I have configured. The outside interface is VLAN 2 and the inside interface is VLAN 1. Port 0 of the ASA is configured to be in VLAN 2 and is connected to the ISP-provided subnet. Port 1 is connected to my private LAN subnet. I have an additional router connected to Port 2 for guest connectivity. Port 2 is configured to be a member of VLAN 2 so that it can access the ISP-provided subnet. From the device connected to port 2 I can ping the VLAN 2 interface address of the ASA, and from the ASA I can ping the default gateway of the ISP-provided subnet. For some reason the router on port 2 cannot ping the default gateway of the ISP-provided subnet. If the VLAN were working the same as a VLAN in a switch, I would expect to be able to do this. Why is it not working, or what can I do to get it working?
Jan 3, 2013
I have a customer who has VLANs and SVIs residing on a core 6509. The 6509 is connected to an ASA 5515, then out to the internet/SP edge device. IP routing is not turned on. There is a static route on the 6509 that routes all IPs to the inside interface of the ASA 5515 that the 6509 core is connected to. There is a set of VLANs that are a part of a 192.168.128.0/19 subnet, and all those VLANs can "speak" to each other.
Apr 12, 2012
Just messing around with Packet Tracer for a little practice. I tried to set up a router-on-a-stick config with 3 switches trunked and PCs on different VLANs. Anybody know of any issues that may arise with STP and inter-VLAN routing? I set everything up correctly with trunking, addressing, encapsulations, and VLANs, but did not touch STP. Unable to ping from any PC to anywhere.
Jan 25, 2012
I don't have an ASA to lab this up on, and having read through the literature I have available to me I'm not sure how this would work, but here's where I am at the moment.
Situation: One ASA, two contexts, no shared interfaces, no 'hairpinning' to another common device like a router or layer 3 switch.
Requirement: The ASA will separate two security zones. Each zone must be independent of the other (no shared interfaces).
Expectation: Traffic is to enter the sole interface in context A, then be internally directed to context B before being dispatched out.
Feb 25, 2013
Say I have a managed switch that supports VLANs. I have two computers and one server connected to the switch (I'll call them PC-1, PC-2, and SRV-1). Without routing, I want both PC-1 and PC-2 to talk to SRV-1 and vice versa; however, I don't want PC-1 or PC-2 to talk to each other. I achieve this by making each port a trunk port. I make PC-1 a member of VLAN 2, PC-2 a member of VLAN 3, and SRV-1 a member of VLAN 4. The port that SRV-1 is on I make a tagged member of PC-1 and PC-2 (VLAN 2 and 3 respectively), and I make the ports the PCs are on a member of the SRV-1 VLAN (VLAN 4). Everything tests OK (that is, the clients can't talk to each other; however, the clients can individually talk to the server).
Jan 31, 2013
What is the inter-VLAN routing protocol? What are its three modes?
Sep 12, 2011
[code] I would like to configure two IP ranges, one for staff and one for guest wireless access. The D-Link WAP supports multi-VLAN SSIDs. The reason I'm doing this is to prevent the guest wireless from accessing the Win 2003 server. Will the switch inter-VLAN route 192.168.2.1 to 192.168.1.1? How will VLAN 2 get DHCP? Will a DHCP relay need to be set on VLAN 2 to 192.168.1.20? [code]
May 17, 2011
Can inter-VLAN routing be done on SRW (Cisco 300 series) switches?
May 12, 2013
I know very little about switches. This is the first time I've ever touched them. However, I'm the only one in the company who has the slightest knowledge on how to make them work.
4 vlans
vlan 1 - 192.168.32.1 - Existing network with Internet access
vlan 33 - 192.168.33.1
vlan 34 - 192.168.34.1
vlan 35 - 192.168.35.1
From the laptop on VLAN 33 I can ping the management interfaces (192.168.x.1) for each of the VLANs. However, I cannot ping anything on those networks.
Below is what I have for the config. Right now not much is attached to these switches until they are set up.
Code:
config-file-header
poe-switch
[Code].....
Dec 12, 2012
I bought an SF300-48 and made 4 VLANs.
How can I restrict which device MAC addresses can connect to each VLAN? I just want to allow the MACs for a VLAN; I don't need to join the PC to a VLAN.
Feb 16, 2011
We are using a 1803 ISR for remote vpn users. They use Cisco VPN clients with the EasyVPN server functionality of the ISR. I would like to restrict the ports/protocols which they can use to the remote network they connect to.
This is the (edited) client config in the ISR:
crypto isakmp client configuration group RemoteVPN
 key remoteaccess
 dns 192.168.0.1
 domain domain.local
 pool POOL_1
 acl 140
 netmask 255.255.255.240
access-list 140 remark EasyVPN ACL
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
I tried to edit ACL 140 with access rules, but they do not seem to have any effect. If I edit ACL 140 with deny ip any any, for example, the remote users can still use any protocol to access the remote network.
Oct 30, 2012
I want to do inter-VLAN routing. Packet Tracer file url... The configuration of the MLS is as below. Can anyone tell me why the VLAN on switch0 cannot ping the VLAN on switch1? [code]
Jan 15, 2013
Recently configured one Nexus 3048 switch. Created two VLANs (VLAN 10 and VLAN 19). VLAN 10 is 10.1.X.X/24 and VLAN 19 is 192.168.X.X/24. Connected two PCs, one in VLAN 10 and the second PC in VLAN 19, but the two VLANs are not able to communicate. The Nexus 3048 does not support VTP server mode; it is running version 5.0. [code]
Dec 4, 2012
Short version is we cannot communicate between our subnets. We have a Cisco ASA 5505 we are using for our network router. We have a Netgear L3 switch behind that with 10 VLANs. Each VLAN is on its own subnet (10.0.10.x/24, 10.0.11.x/24, etc.). We have PAT for each subnet to our outside interface. Each subnet NATs out properly currently. I have NAT exemption enabled for 2 of the subnets (eventually I will need all, but am just testing at the moment). I have tried multiple ways for the NAT exemption to allow all traffic from our inside VLANs. At this point in time I am trying to get "Engineering" to communicate with all hosts on "AuthUser". I can ping some hosts, but not as many as if I am directly on the interface. I can reach a port 80 service, but not 443. I cannot access anything via hostname or NetBIOS. What am I missing to allow higher security level interfaces to fully communicate with lower security level interfaces?
Jun 6, 2012
I have a connection on IP 192.168.1.21, Subnet 255.255.255.0 - this is on the default VLAN1 on the switch. I need to route this to IP 10.0.3.101, Subnet 255.255.252.0 - which is set up on VLAN2 on the switch. I have set the switch to Layer 3 via console.
How do I set up this route? I am using the browser-based interface.
Jan 11, 2013
I have set up a 2811 with separate VLANs for phones and for computers/printers. Fa0/0 is trunked to a 3560 switch, which has all end devices plugged in. I have enabled the IP routing commands on both devices and, from advice, turned off proxy-arp on the VLANs on the router (unsure if this is causing the issue). The setup is as follows:
Computer VLAN = 192.168.20.0
Phone VLAN = 192.168.50.0
Both on the same subnet, along with a router loopback address in the same subnet, at 192.168.10.1. I am having an issue understanding why, but if I try to ping a phone from a PC it times out. Or if I try to type the phone's IP into an internet browser to get the phone's GUI on screen, it fails. This should not be happening, as IP routing has been enabled on both and everything is in the same subnet, correct? PCs can ping other PCs and network printing works fine. Phones register and operate fine, but the two VLANs will not inter-route. Furthermore, if I try to ping the router's loopback from the switch, it fails. But the trunk is up and operational, because DHCP and devices work within their own VLAN. If I try to ping end devices from the switch, it returns 100%. There seems to be an issue with the router looping the different networks together.
Oct 3, 2011
I've recently installed an SGE2010 switch, which I have set to 'Layer 3' mode.
I have created 2 VLANs using 192.168.10.x and 192.168.20.x (using .50 for the VLAN IP address in each case). However, I need to be able to allow certain traffic between the VLANs. Alternatively, to get things started, I'm assuming I need to set up ACLs to allow access between VLANs. How would I configure the switch to allow all traffic from one VLAN to the other?
Dec 11, 2011
Core: DC : 2- 6500 (PO Trunked) Configured L3 vlan interfaces with HSRP.
Vlans:
Servers - 192.168.5.0/24
PCs: 192.168.10.0/24
Phones : 192.168.20.0/24
Replica-exchange: 192.168.30.0/24
DR- One Core SW:
Vlans:
Servers vlan - 10.10.5.0/24
PCs: 10.10.10.0/24
Phones : 10.10.20.0/24
Replica-exchange: 10.10.30.0/24
OSPF is the routing protocol. Everything works fine. New requirement (Exchange 2010 MAPI & DAG subnets):
192.168.5.0 <--> 192.168.30.0 & 10.10.30.0 : Communication should fail
10.10.5.0/24<--> 192.168.30.0 & 10.10.30.0 : Fail
Replica@DC <--> Replica@DC: work
Replicas --> Rest of the network: not that much of an issue.
I am thinking of adding extended ACLs on the Replica-Exchange (DC & DR) and server VLAN interfaces to block bidirectional communication.
CORE1 &2:
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 deny ip 10.10.5.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip any any
!
access-list 102 deny ip 192.168.30.0 0.0.0.255 192.168.5.0 0.0.0.255
[code]....
Similar on the DR as well. I wanted to see if an ACL is the way to go, or whether there are any other suggested methods with OSPF being the routing protocol.
Sep 29, 2011
I have no router in place that can do trunking (5505 basic license). I have 2 VLANs: 10 Data and 20 Voice. I have given both VLANs IPs, let's say
-VLAN10 192.168.1.1
-VLAN20 192.168.2.1
Enabled IP routing and set the router as the gateway of last resort. Now, because the L3 switch is doing the routing, I have had to set the default gateway as the VLAN IPs. So PCs on VLAN10 get a gateway of 192.168.1.1 and phones on VLAN20 get a gateway of 192.168.2.1.
Any real downside to having the 3560 doing the VLAN routing? Is this the "correct" way to do things in the event I don't have a trunkable router?
Mar 17, 2012
Configuring my new SG300-28P. When I started the switch, I specified a new password and enabled Telnet in order to set up the switch in Layer 3 mode.
After a restart, the switch took its IP address from a DHCP server. When I try to set a static IP address (192.168.2.1), I receive the following error message: Duplicated IP interface on the same subnet.
The IP address 192.168.2.1 is not used by any device within the network. For information, the message doesn't appear when the switch is in Layer 2 mode.
Why can't I change the IP address of the default VLAN in Layer 3 mode? All I can do is set the IP address to static or dynamic.
For test purposes, I have added 2 VLANs. But I wasn't able to route traffic between the VLANs. How do I configure the switch to route traffic between VLANs?
Find below detailed information about my VLANs.
- Default (VLAN ID 1)
IP Address : 192.168.2.1
Subnet : 255.255.255.0
[Code].....
Apr 1, 2012
In my home setup I have a pfSense firewall which is doing all the routing right now, but right now my net speed is maxing out at about 500mbit. I think it's the pfSense hardware, but it's a 1500MHz C7 VIA with 2Gb of RAM. I just bought two new switches, an HP 1910-24G and an HP 5500-24G; they can do some layer 3 routing. Will my speed get a bump up when the switch is doing some of the VLAN routing?
Mar 10, 2013
We have a small Cisco 1800 series workgroup router that separates our network from the outside world. The data coming into our network goes into the router on interface fa0/1 and comes out on interface fa0/0. fa0/0 is split into 2 sub-interfaces (fa0/0.2 and 0/0.3). These sub-interfaces correspond to a desktop and a server VLAN on our network. The workgroup router is connected to a 3560G trunk port (we'll call it switch 1), and switch 1 connects to another 3560G (we'll call it switch 2). Recently I was asked to add another layer of security to our network by installing an ASA 5510 firewall and forcing certain types of traffic to authenticate using their domain credentials for our network. The firewall was set up between the router and switch 1 in transparent, multi-context mode. There are 2 security contexts, 1 for the desktop VLAN and 1 for the server. Both have the same security settings applied to them, since we want the same behavior regardless of whether they are trying to access the servers or the workstations.