pix 515: traffic between vlans

We have a Cisco Pix 515 with several VLANs that has been up and running for about a year now. Lately there has been a demand for traffic between some of the VLANs.

I do not have any experience with that kind of configuration, so I took a look in the ASDM, and surely enough, there was a function called "traffic between VLANs with the same security level".

But where do I go from here? Do I need dedicated access-lists or what? Needless to say there is no traffic between the VLANs now... Any help appreciated...


Reply to
Young Neil

Usually, the VLANs will be attached to interfaces that have different security levels. Once the virtual interface is created, treat access to it exactly the same way you would access to a physical interface that happened to have that security level -- i.e., the rules still apply that if you have no access-group then access is permitted to lower security interfaces, and if you do have an access-group then access is permitted according to the access-list. Each access-list applied "in" an interface should be defined in terms of the IP addresses as known "outside" that interface.

The only "dedicated" information you might need is for translations between the different virtual interfaces, following exactly the same rules as for physical interfaces: source IPs being affected when going to a lower security interface, and destination IPs being affected when going to a higher security interface. "static" commands are interface-pair specific, and the combination of nat/global pairs can be interface-pair specific.

Reply to
Walter Roberson
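The following PIX 7.x configuration puts the rules Walter describes into practice; it is an added example, not taken from the thread, and the subinterface, interface names, VLAN IDs, addresses and the assumption that nat-control is in effect are all constructed for illustration:

```text
! Added example (not from the thread). PIX 7.x syntax; interface names,
! VLAN IDs and addresses are assumed. Two VLAN subinterfaces on one port,
! with different security levels.
interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.10
 vlan 10
 nameif servers
 security-level 80
 ip address 10.10.0.1 255.255.255.0
!
interface Ethernet1.20
 vlan 20
 nameif users
 security-level 40
 ip address 10.20.0.1 255.255.255.0
!
! Translation for this interface pair (needed when nat-control is enabled,
! harmless otherwise). An identity static keeps server addresses unchanged
! as seen from the lower-security "users" side, so users-side hosts can
! initiate connections to them.
static (servers,users) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
!
! Inbound list on "users": addresses are written as known on that side.
! Open only what is needed toward the higher-security VLAN, log the rest,
! then keep the normal permitted path to lower-security interfaces
! (applying any access-group removes the implicit permit).
access-list USERS_IN extended permit tcp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 443
access-list USERS_IN extended deny ip any 10.10.0.0 255.255.255.0 log
access-list USERS_IN extended permit ip 10.20.0.0 255.255.255.0 any
access-group USERS_IN in interface users
!
! Only for VLANs that share one security level (the ASDM option the
! question mentions); with different levels this command is not required.
same-security-traffic permit inter-interface
```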
