topic Re: Can ASA 5510 do Inter VLAN routing ? in Network Security

Can ASA 5510 do Inter VLAN routing ?

wasanthak — Fri, 21 Feb 2020 09:17:20 GMT

Can ASA 5510 do VLAN routing between multiple VLANS?

I have a customer with 2960 48 port switch and ASA 5510. Ideally we want the ASA 5510 to act as a L3 device in addition to firewall.I read the Cisco docs and found out 802.1q VLAN/sub interfaces are supported plus we know ASA supports routing.So i assume it is possible .

Does anyone have practical experience deploying this type of setup ?

Re: Can ASA 5510 do Inter VLAN routing ?

Collin Clark — Tue, 07 Nov 2006 18:58:02 GMT

It supports routing meaning it "talks" RIP/OSPF, but it is not a router. It can do what you want, but the performace may not be what you want. Setup the physical interface as a trunk and create sub-interface under that. See example's below.

interface Ethernet2

description Trunk Only! DO NOT CONFIGURE!!

speed 100

duplex full

no nameif

security-level 10

no ip address

interface Ethernet2.55

description WEB DMZ

vlan 55

nameif web

security-level 95

ip address 192.168.252.254 255.255.255.0 standby 192.168.252.253

interface Ethernet2.100

description FTP DMZ

vlan 100

nameif ftp

security-level 10

ip address 192.168.247.254 255.255.255.0 standby 192.168.247.253

SWITCHPORT CONFIG

interface FastEthernet0/47

description Connection to PIX

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 55,100

switchport mode trunk

duplex full

speed 100

spanning-tree portfast

Re: Can ASA 5510 do Inter VLAN routing ?

wasanthak — Tue, 07 Nov 2006 20:52:59 GMT

Thank you for the reply.

Hmm, that means traffic from one vlan to another must be inspected by the ASA.Is there any way to bypass the traffic inspection between vlans ? same security level for vlans perhaps ?

Re: Can ASA 5510 do Inter VLAN routing ?

Collin Clark — Tue, 07 Nov 2006 22:15:08 GMT

exactly and check out the command 'same-security-traffic permit inter-interface'

Re: Can ASA 5510 do Inter VLAN routing ?

thamdani — Wed, 08 Nov 2006 10:23:46 GMT

That does not work for clear text traffic.As of now only for IPSEC traffic.So the best solution in ur case is the one given above by configuring the sub interface

Re: Can ASA 5510 do Inter VLAN routing ?

wasanthak — Thu, 09 Nov 2006 01:09:59 GMT

Ok it did not go well.Here is what i did

In ASA 5510 running 7.0

interface Ethernet0/0

duplex full

no nameif

security-level 10

no ip address

interface Ethernet0/0.1

description Management VLAN

vlan 1

nameif MGMT

security-level 95

ip address 10.150.10.1 255.255.255.0

interface Ethernet0/0.2

description Server VLAN

vlan 2

nameif ftp

security-level 10

ip address 10.150.20.1 255.255.255.0

2960 Switch Config

interface G0/44

description Connection to ASA

switchport trunk allowed vlan all

switchport mode trunk

duplex full

speed 100

I checked the trunking was 802.1q since this IOS did not allow "switchport trunk encapsulation dot1q"

I cant ping between vlan 1 and vlan2.

and i did use the same-security permit inter-vlan.

Anything i am missing here ?

Thanks

Re: Can ASA 5510 do Inter VLAN routing ?

Fernando_Meza — Thu, 09 Nov 2006 02:25:29 GMT

HI .. assuming int g0/44 on your switch is connected to port Ethernet0/0 of the ASA then the config seems Ok HOWEVER, you also need to configure nat and access-list in order to get traffic flow between interfaces. rememmber traffic from higher priority will flow to the lower by default but you aslo need to configure nat / global pairs. TRaffic from lower to higher security will not flow by default. You need to specifically allow this and use static nats for it .. confused ..? a quick example ..

for traffic from VLAN 1 to VLAN2 you need.

nat (MGMT) 1 0 0

global (ftp) 1 interface

access-list Inside_Out extended permit ip any any

access-group Inside_Out in interface MGMT

For traffic from VLAN 2 to VLAN1 you would need

static (MGMT,ftp) x.x.x.x y.y.y.y netmask 255.255.255.255

access-list Outside_In extended permit ip any host x.x.x.x

access-group Outside_In in interface ftp

where x.x.x.x is the IP address you need to reach from the VALN2 and y.y.y.y is the real Ip address of teh device located on the VLAN1

Make sure to enable application inspection by enabling the default global-policy ( disabled by default) otherwise you might find that pings might not work between interfaces

policy-map global-policy

class global-class

inspect sqlnet

inspect h323 ras

inspect xdmcp

inspect tftp

inspect icmp error

inspect rtsp

inspect sunrpc

inspect mgcp

inspect esmtp

inspect netbios

inspect sip

inspect pptp

inspect ctiqbe

inspect snmp

inspect http

inspect icmp

inspect rsh

inspect ftp

inspect ils

inspect h323 h225

inspect dns

inspect skinny

I hope it helps .. please rate if it does !!!

Re: Can ASA 5510 do Inter VLAN routing ?

wasanthak — Thu, 09 Nov 2006 11:53:50 GMT

Thank you.I will try the chnages today and let you guys know.

I made all three interfaces same security level 100 and used "same-security permit inter-interface".I assume with this approach i dont have to create NAT/access lists But that did not make any differrence.

Re: Can ASA 5510 do Inter VLAN routing ?

Collin Clark — Thu, 09 Nov 2006 14:07:44 GMT

To expand on Fernando's post, istead of creating NAT's and globals, it might be easier to move the traffic using what I call subnet statics, such as-

static (inside,dmz) 172.1.1.0 172.1.1.0 netmask 255.255.255.0