topic Re: Cisco ASA5510 configuration help in Network Security

Cisco ASA5510 configuration help

MartynasSm — Fri, 22 Mar 2019 16:32:14 GMT

Hi,

I need some help with Cisco ASA configuration. Basically I have one dummy switch used to feed my active/passive firewall.

On that switch I have following configuration:

ip subnet-zero
ip routing
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.113
!
vlan 101
name insideVLAN
!
!
!
interface vlan 101
description *** Inside vlan ***
ip address 192.168.101.1 255.255.255.0
!
interface FastEthernet2/0/1
description *** uplink to active fw ***
switchport access vlan 101
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard disable
!
interface FastEthernet2/0/2
description *** uplink to standby fw ***
switchport access vlan 101
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard disable
!

interface FastEthernet2/0/48
description *** Level3 Uplink ***
no switchport access vlan 10
no switchport mode access
no switchport nonegotiate
ip address xx.xx.xx.114 255.255.255.248
no shutdown
!

I can ping google or anything else from this switch. Problem starts when I connect firewall to this switch. I can't get it to communicate with internet... I've attached my firewall config. Firewall itself is then connected to switch stack (also config attached). And switch stack then feeds user switches (also attached config).

Any help would be highly appreciated.

Regards,

Martynas

Re: Cisco ASA5510 configuration help

FBMTRAV — Fri, 22 Mar 2019 17:52:26 GMT

Try creating a layer 2 VLAN, make the port to Level3 and your firewall access ports on that VLAN. Also try removing switchport nonegotiate.

conf t

vlan 200

name INET

interface FastEthernet2/0/1
description *** uplink to active fw ***
switchport access vlan 200

switchport mode access

spanning-tree portfast

!
interface FastEthernet2/0/2
description *** uplink to standby fw ***
switchport access vlan 200
switchport mode access
spanning-tree portfast
!

interface FastEthernet2/0/48

description *** Level3 Uplink ***
switchport access vlan 200

switchport mode access
no shutdown

Re: Cisco ASA5510 configuration help

FBMTRAV — Fri, 22 Mar 2019 17:55:42 GMT

Your firewall outside port will need the Level3 IP assigned;

ip address xx.xx.xx.114 255.255.255.248

Re: Cisco ASA5510 configuration help

pappacrunch — Fri, 22 Mar 2019 18:00:49 GMT

Do you have PAT configured on the firewall? If not try adding:

object network lab-inside

subnet 192.168.100.0 255.255.255.0

nat (lab-inside, outside) dynamic interface

access-group LAB->OUTSIDE in interface lab-inside

This should ensure the correct traffic flow on the ASA.

Let me know if this helps.

Thanks.