topic A sample configuration is in Network Security

Firewall inside interface with Core

Rizwan — Tue, 12 Mar 2019 06:42:09 GMT

Hi,

I have nexus core with multiple vlans configured on it. Cisco asa firewall is connected with core using port-channel and trunk.

How can I make all vlans traffic routable on firewall? I will use IP address at port-channel interface? how firewall will handle vlan tags?

You will require a sub

chris noon — Tue, 06 Oct 2015 12:03:57 GMT

You will require a sub interface for each VLAN on the firewall, e.g.:

config term

interface portchannel 1.100 >> for vlan 100

encapsulation dot1q 100 >> for vlan 100

ip address [ip address] [mask]

exit

The following document has a more in depth explanation:

http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/14976-50.html

My core switch is layer-3

Rizwan — Tue, 06 Oct 2015 12:09:46 GMT

My core switch is layer-3 then and all inter-vlan routing is done by core. Is there any way to make

to just route traffic to firewall instead of making sub-interface for each vlan at firewall?

Yes, if your core switch is a

chris noon — Tue, 06 Oct 2015 12:13:26 GMT

Yes, if your core switch is a layer 3 device you could create SVIs on the switch like so:

config term

interface vlan 100 >> for vlan 100

ip address [IP address] [mask]

then apply a default route up to the firewall from the core switch:

ip route 0.0.0.0 0.0.0.0 [interface towards firewall] [firewalls inside IP address]

SVI documentation:

http://www.cisco.com/c/en/us/products/collateral/routers/1800-series-integrated-services-routers-isr/prod_white_paper0900aecd8064c9f4.html

One more question please, if

Rizwan — Tue, 06 Oct 2015 13:00:17 GMT

One more question please, if at core I have port-channel configure with firewall then in default route i will mention port-channel number or physical port interface number [interface towards firewall] ?

I'm confident in saying the

chris noon — Tue, 06 Oct 2015 13:04:29 GMT

I'm confident in saying the port channel interface.

I am facing following error

Rizwan — Tue, 06 Oct 2015 13:08:26 GMT

I am facing following error while configuring default route towards firewall with port-channel interface and physical interface both

% Pin-Interface cannot be a switchport

I will configure it on some

chris noon — Tue, 06 Oct 2015 13:09:30 GMT

I will configure it on some lab equipment and let you know... give me some time please.

Hi Chris Waiting for your

Rizwan — Tue, 06 Oct 2015 14:22:58 GMT

Hi Chris

Waiting for your response

If you are routing the vlans

Jon Marshall — Tue, 06 Oct 2015 14:28:30 GMT

If you are routing the vlans on the Nexus switch then you don't need subinterfaces or vlan tags on the firewall.

In which case your default route should use the IP address of the interface on the firewall as the next hop IP.

Jon

Hi Jon, I have port-channel

Rizwan — Tue, 06 Oct 2015 14:37:09 GMT

Hi Jon,

I have port-channel (vPC) between nexus and asa, similarly port-channel on firewall side.
I make port-channel interface as inside interface of firewall and assigned IP on it.

Now I make default route on nexus pointing to inside interface of firewall.

ip route 0.0.0.0 0.0.0.0 192.168.200.1

But I am unable to ping 192.168.200.1 from nexus

Are you running HSRP on the

Jon Marshall — Tue, 06 Oct 2015 14:43:03 GMT

Are you running HSRP on the Nexus side ?

If so can you ping the VIP or either of the physical IPs from the ASA ?

Jon

yep, you are right Jon. I am

Rizwan — Tue, 06 Oct 2015 15:11:15 GMT

yep, you are right Jon. I am running HSRP on nexus side and unable to ping any IP address VIP or physical IP on nexus from ASA.

How to configure this?

Hi Jon, I'm waiting for your

Rizwan — Tue, 06 Oct 2015 15:52:36 GMT

Hi Jon,

I'm waiting for your response. Thanks

Sorry, thought you had sorted

Jon Marshall — Tue, 06 Oct 2015 16:00:38 GMT

Sorry, thought you had sorted it.

What troubleshooting have you done ie. are the HSRP interfaces up, are the physical interfaces up on all devices, what do the mac address tables show when you try to ping etc.

Jon

Everything is working on core

Rizwan — Tue, 06 Oct 2015 16:23:07 GMT

Everything is working on core just problem is connectivity between Firewall and Core.

I have two nexus core switches and two asa firewalls configured on failover.

vPC link is up between firewall and core switches I have assigned inside IP address on port-channel interface at firewall.

!
interface Port-channel2
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0 standby 192.168.200.2

At nexus

(config)# ip route 0.0.0.0 0.0.0.0 192.168.200.1

ping 192.168.200.1
PING 192.168.200.1 (192.168.200.1): 56 data bytes
ping: sendto 192.168.200.1 64 chars, No route to host
Request 0 timed out
ping: sendto 192.168.200.1 64 chars, No route to host

Hi Jon, Any update on this?

Rizwan — Wed, 07 Oct 2015 05:47:33 GMT

Hi Jon,

Any update on this? Can you help me out?

A sample configuration is

chris noon — Wed, 07 Oct 2015 09:57:39 GMT

A sample configuration is attached. I have this working in GNS3

Can you do a "show int desc"

chris noon — Wed, 07 Oct 2015 10:00:15 GMT

Can you do a "show int desc" on the nexsus and firewall please?

Remove all public IP addresses before you post 🙂