Route LAN to LAN

I need a sample config for how to route networks between eth0 and eth1 while the FW is enabled on a TA908e.

Accepted Solutions
Anonymous

Re: Route LAN to LAN

Thank you for posting this question to our support community.  In an environment where a network is segmented into multiple private subnets, either by virtual local area networks (VLANs) or multiple physical interfaces, devices in separate subnets may need to communicate with one another. The default configuration installed through the Firewall Wizard will NAT all traffic, including traffic from LAN to LAN. While some applications might allow this communication, many will not. In this case, an allow ACP must be created to permit the private subnets to communicate without NAT.

An ACL must be created with two statements. Each ACL statement permits traffic in one direction. The ACL is then applied to the Private ACP as an allow. The stateless keyword is an optional parameter for the allow list command that prevents firewall timeouts, attack checks, and ALGs from tampering with traffic. Finally, since the firewall policies are executed in sequential order, the allow statement must be placed above the NAT statement. This will catch all LAN-to-LAN traffic and prevent translating the network address. There is a detailed explanation and example of this configuration in the Configuring the Firewall (IPv4) AOS document.

Here is a small example configuration:

ip access-list extended INTER-VLAN
  permit ip 10.10.10.0 0.0.0.255  192.168.1.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255  10.10.10.0 0.0.0.255
!
ip access-list extended wizard-ics
  permit ip any any
!
ip policy-class Private
  allow list INTER-VLAN stateless
  nat source list wizard-ics interface ppp 1 overload

I hope that makes sense, but please do not hesitate to reply to this post with any additional questions or information.  I will be happy to help in any way I can.

Levi

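As an added illustration (not Levi's configuration and not AOS code), the following Python model evaluates a policy class the way the answer describes: entries are checked in order, the first ACL that permits the packet decides the action, and traffic that matches nothing is discarded. It reuses the ACL names, policy-class name and subnets from the reply; the wildcard-mask matcher, the `evaluate` and `unreachable_after_any` functions and the sample addresses are my own assumptions, and the model only understands `permit` entries (no `deny`). Running it shows why the `allow` entry has to sit above the `nat` entry: with the wizard's `permit ip any any` NAT rule first, the LAN-to-LAN allow can never be reached.

```python
"""Toy model of sequential policy-class evaluation (assumption, not AOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' expressed as network + wildcard


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class PermitEntry:
    """One 'permit ip <src> <src-wc> <dst> <dst-wc>' line of an extended ACL."""
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))

    def is_any_any(self) -> bool:
        return (self.src, self.src_wc) == ANY and (self.dst, self.dst_wc) == ANY


# ACLs from the reply (constructed sample data, same subnets as the answer)
ACLS: Dict[str, List[PermitEntry]] = {
    "INTER-VLAN": [
        PermitEntry("10.10.10.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
        PermitEntry("192.168.1.0", "0.0.0.255", "10.10.10.0", "0.0.0.255"),
    ],
    "wizard-ics": [PermitEntry(*ANY, *ANY)],
}

# A policy class is an ordered list of (action, acl-name) entries.
Policy = List[Tuple[str, str]]

# Order recommended in the reply: allow above nat.
PRIVATE_CORRECT: Policy = [("allow", "INTER-VLAN"), ("nat", "wizard-ics")]
# Hypothetical wrong order: the allow is appended below the wizard's NAT entry.
PRIVATE_WRONG: Policy = [("nat", "wizard-ics"), ("allow", "INTER-VLAN")]


def evaluate(policy: Policy, acls: Dict[str, List[PermitEntry]],
             src: str, dst: str) -> str:
    """Return the action of the first entry whose ACL permits src->dst,
    or 'discard' for the implicit discard at the end of the policy class."""
    for action, acl_name in policy:
        if any(e.matches(src, dst) for e in acls[acl_name]):
            return action
    return "discard"


def unreachable_after_any(policy: Policy,
                          acls: Dict[str, List[PermitEntry]]) -> List[str]:
    """Audit helper: names of ACLs placed after a 'permit ip any any' entry.
    Those entries can never match because the earlier entry catches everything."""
    shadowed: List[str] = []
    seen_any = False
    for _action, acl_name in policy:
        if seen_any:
            shadowed.append(acl_name)
        if any(e.is_any_any() for e in acls[acl_name]):
            seen_any = True
    return shadowed


if __name__ == "__main__":
    for name, pol in (("correct", PRIVATE_CORRECT), ("wrong", PRIVATE_WRONG)):
        lan = evaluate(pol, ACLS, "10.10.10.5", "192.168.1.20")
        wan = evaluate(pol, ACLS, "10.10.10.5", "203.0.113.7")
        print(f"{name:8s} LAN->LAN={lan:7s} LAN->WAN={wan:7s} "
              f"unreachable={unreachable_after_any(pol, ACLS)}")
```

The `unreachable_after_any` check is the kind of lint a practitioner can run over a policy class before pushing it: any entry below a `permit ip any any` NAT rule is dead, which is exactly the failure mode the reply warns about.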
2 Replies
Anonymous

Re: Route LAN to LAN

I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

Levi