Good Day Everyone,
My scenario is as follows.
The setup involves:
1 Catalyst 2950
1 Catalyst 3750G
1 ASA 5520
My objective is to configure two additional subnets using ASA subinterfaces as the VLAN gateways.
For this question we will use, on the ASA 5520, one interface for server interaction and one interface for all user interaction.
Core Switch Catalyst 3750G
Current VLAN configuration:
VLAN 1 Server - interface 0/0
VLAN 10 clients - interface 0/1
These VLANs are spread on both switches and communicate well.
So now I created two additional VLANs on the core switch:
VLAN 20 clients2
VLAN 30 clients3
Using the Catalyst 2950, I assigned two computers to VLAN 20 and 30 respectively.
I configured the trunk on the 2950 interface as follows:
interface FastEthernet0/20
 switchport trunk native vlan 10
 switchport trunk allowed vlan 20,30
 switchport mode trunk
end
and its connecting interface on the 3750G is configured as:
interface GigabitEthernet1/0/30
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 20,30
 switchport mode trunk
end
The switch interface to the ASA is configured as follows:
interface GigabitEthernet1/0/40
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
end
So after configuring this I configured the ASA interfaces as follows:
interface GigabitEthernet0/1
 nameif clients
 security-level 80
 ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif clients2
 security-level 80
 ip address 172.16.20.1 255.255.255.0 standby 172.16.20.2
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif clients3
 security-level 80
 ip address 172.16.30.1 255.255.255.0 standby 172.16.30.2
Then I typed the commands:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
The clients setup 172.168.10.3, 20.3, 30.3 were all able to ping their respective gateways.
So now, to ping the server interface, the following was added using a static NAT rule with ASDM 5.2 (I'm still learning CLI for ASA, so please excuse me). I'll do the printout from the ASA (sh nat servers/clients/...2/...3):
Servers
  match ip servers 172.16.1.0 255.255.255.0 clients any
    static translation to 172.16.1.0
  match ip servers 172.16.1.0 255.255.255.0 clients2 any
    static translation to 172.16.1.0
  match ip servers 172.16.1.0 255.255.255.0 clients3 any
    static translation to 172.16.1.0
Clients
  match ip clients 172.16.10.0 255.255.255.0 servers any
    static translation to 172.16.10.0 (this is my entry)
  match ip clients 172.16.10.0 255.255.255.0 clients any
    dynamic translation to pool 10 (No matching global) (this is not mine but I would like to know how)
  match ip clients 172.16.10.0 255.255.255.0 clients2 any
    dynamic translation to pool 10 (No matching global) (this is not mine but I would like to know how)
  match ip clients 172.16.10.0 255.255.255.0 clients3 any
    dynamic translation to pool 10 (No matching global) (this is not mine but I would like to know how)
Plus there are other rules there that should only be there for the clients, but the same is there for all the other nameifs regarding PATs.
Clients2
  match ip clients2 172.16.20.0 255.255.255.0 servers any
    static translation to 172.16.20.0
Clients3
  match ip clients3 172.16.30.0 255.255.255.0 servers any
    static translation to 172.16.30.0
So after adding this in ASDM they can ping the server network.
The problem now is that they cannot ping each other on the same interface. Can anyone shed some light on this? A question as well about the commands same-security-traffic permit inter-interface and same-security-traffic permit intra-interface: would I have to configure rules for them to talk to each other, provided the first issue is resolved?
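The NAT side of the post, written out in the pre-8.3 ASA CLI syntax that ASDM 5.2 generates, as an added example that is not part of the original post. It assumes nat-control is in effect and that the "dynamic translation to pool 10" lines come from a nat (clients) 10 statement; the global and nat 0 lines are assumptions added to show the two ways those "(No matching global)" entries are normally resolved.

```cisco
! Added example, not from the original post. Assumes ASA 7.2/8.2 (pre-8.3) NAT
! syntax, nat-control enabled, and the interface names and subnets from the post.
!
! All three client interfaces are security-level 80. Without these two lines the
! ASA drops traffic between same-security interfaces before any ACL is evaluated.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! Identity static NAT: this is what the "static translation to <same net>" lines
! in show nat correspond to. Real and mapped addresses are identical, so packets
! cross untranslated but still have a translation rule, which nat-control requires.
static (servers,clients)  172.16.1.0  172.16.1.0  netmask 255.255.255.0
static (servers,clients2) 172.16.1.0  172.16.1.0  netmask 255.255.255.0
static (servers,clients3) 172.16.1.0  172.16.1.0  netmask 255.255.255.0
static (clients,servers)  172.16.10.0 172.16.10.0 netmask 255.255.255.0
static (clients2,servers) 172.16.20.0 172.16.20.0 netmask 255.255.255.0
static (clients3,servers) 172.16.30.0 172.16.30.0 netmask 255.255.255.0
!
! "dynamic translation to pool 10 (No matching global)" means a nat statement with
! id 10 exists on clients, but no global with id 10 exists on that egress interface.
! Assumed pre-existing statement that produces those show nat entries:
nat (clients) 10 172.16.10.0 255.255.255.0
!
! Option A (assumption): keep PAT and give id 10 a global on each egress interface,
! here PAT to the ASA's own interface address.
global (clients2) 10 interface
global (clients3) 10 interface
!
! Option B (assumption): exempt client-to-client traffic from NAT altogether.
! nat 0 with an ACL takes precedence over the dynamic rule for matching flows.
access-list NO_NAT extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list NO_NAT extended permit ip 172.16.10.0 255.255.255.0 172.16.30.0 255.255.255.0
access-list NO_NAT extended permit ip 172.16.20.0 255.255.255.0 172.16.30.0 255.255.255.0
nat (clients)  0 access-list NO_NAT
nat (clients2) 0 access-list NO_NAT
nat (clients3) 0 access-list NO_NAT
```

After either option, show nat should no longer report "(No matching global)" for pool 10, and show xlate will show whether a flow is being identity-translated or PATed.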