:
Thank you for posting this question to our support community. In an environment where a network is segmented into multiple private subnets, either by virtual local area networks (VLANs) or multiple physical interfaces, devices in separate subnets may need to communicate with one another. The default configuration installed through the Firewall Wizard will NAT all traffic, including traffic from LAN to LAN. While some applications might allow this communication, many will not. In this case, an allow ACP must be created to permit the private subnets to communicate without NAT.
An ACL must be created with two statements. Each ACL statement permits traffic in one direction. The ACL is then applied to the Private ACP as an allow. The stateless keyword is an optional parameter for the allow list command that prevents firewall timeouts, attack checks, and ALGs from tampering with traffic. Finally, since the firewall policies are executed in sequential order, the allow statement must be placed above the NAT statement. This will catch all LAN-to-LAN traffic and prevent translating the network address. There is a detailed explanation and example of this configuration in the Configuring the Firewall (IPv4) AOS document.
Here is a small example configuration:
ip access-list extended INTER-VLAN
permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
ip access-list extended wizard-ics
permit ip any any
!
ip policy-class Private
allow list INTER-VLAN stateless
nat source list wizard-ics interface ppp 1 overload
I hope that makes sense, but please do not hesitate to reply to this post with any additional questions or information. I will be happy to help in any way I can.
Levi
