https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762365#M429287 <HTML><HEAD></HEAD><BODY><P>I ended up moving the trunk to E0/2 on the ASA and kept the above configuration with the exception that VLAN 1 became VLAN 3 and the IP addressing change associated with the other VLAN. This came up with no problems. Ethernet 0/2 of the ASA is also plugged into a different Catalyst switch (Cat 4948). Given both ends of the trunk changed, I'm not sure what fixed it, but I don't want to mess around with a production firewall in attempting to figure out why this works while the old one didn't.</P></BODY></HTML> Wed, 23 May 2007 17:42:42 GMT baskervi 2007-05-23T17:42:42Z https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762362#M429278 <P>We have an ASA 5510 running 7.2(1)24 and a Catalyst 3650 running c3560-ipbase-mz.122-25.SEE2.bin. I need to create trunks between the two, but so far I've had no luck.</P><P></P><P>Here are the lines of configuration that have been added, but traffic cannot be passed on any VLAN. Any guidance would be appreciated.</P><P></P><P>=== ASA ===</P><P></P><P>interface Ethernet0/1</P><P> description Trunk to Cisco Catalyst switch</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Ethernet0/1.1</P><P> nameif inside</P><P> vlan 1</P><P> security-level 100</P><P> ip address 192.168.0.5 255.255.255.0 </P><P>!</P><P>interface Ethernet0/1.5</P><P> nameif wireless</P><P> vlan 5</P><P> security-level 70</P><P> ip address 192.168.5.1 255.255.255.0 </P><P></P><P>===Catalyst===</P><P></P><P>vlan 5</P><P>name wireless</P><P>!</P><P>interface FastEthernet0/48</P><P> description To ASA Port E0/1</P><P> switchport trunk encapsulation dot1q</P><P> switchport trunk allowed vlan 1,5</P><P> switchport mode trunk</P><P></P><P></P> Fri, 21 Feb 2020 09:31:42 GMT https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762362#M429278 baskervi 2020-02-21T09:31:42Z https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762363#M429283 <HTML><HEAD></HEAD><BODY><P>Try to add command for ASA subinterfaces</P><P>VLAN vlan number </P><P></P><P>interface Ethernet0/1.1</P><P>nameif inside</P><P>vlan 1</P><P>security-level 100</P><P>ip address 192.168.0.5 255.255.255.0 </P><P></P><P>interface Ethernet0/1.5</P><P>nameif wireless</P><P>vlan 5</P><P>security-level 70</P><P>ip address 192.168.5.1 255.255.255.0 </P><P></P><P>Command VLAN vlan number associate subinterface with VLAN (its difference from routers - where subint number associate subinterface with VLAN)...Although the subinterface number and the VLAN ID do not have to match, it is a good practice to use the same number for ease of management.</P><P></P><P>Check this link for mor info</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f42.html#wp1044006" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f42.html#wp1044006</A></P><P></P><P>M.</P><P>Hope that helps rate if it does</P></BODY></HTML> Tue, 22 May 2007 07:03:14 GMT https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762363#M429283 m.sir 2007-05-22T07:03:14Z https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762364#M429285 <HTML><HEAD></HEAD><BODY><P>I pasted the initial config script, forgetting it wasn't the final script I used off the laptop. The final script did have the vlan command, so the failure occurred with the vlans defined on the ASA. My bad, and thank you for the response.</P><P></P><P>The article brings up a thought I've had a couple of times. I understand the ASA tags VLAN 1 but the Catalyst doesn't for the trunk. Could there be a tagging problem here? I set up a trunk between a different ASA and Catalyst about 2 months ago, but the trunk did not include VLAN 1.</P></BODY></HTML> Tue, 22 May 2007 12:47:59 GMT https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762364#M429285 baskervi 2007-05-22T12:47:59Z https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762365#M429287 <HTML><HEAD></HEAD><BODY><P>I ended up moving the trunk to E0/2 on the ASA and kept the above configuration with the exception that VLAN 1 became VLAN 3 and the IP addressing change associated with the other VLAN. This came up with no problems. Ethernet 0/2 of the ASA is also plugged into a different Catalyst switch (Cat 4948). Given both ends of the trunk changed, I'm not sure what fixed it, but I don't want to mess around with a production firewall in attempting to figure out why this works while the old one didn't.</P></BODY></HTML> Wed, 23 May 2007 17:42:42 GMT https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762365#M429287 baskervi 2007-05-23T17:42:42Z https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762366#M429289 <HTML><HEAD></HEAD><BODY><P>This is just a guess, but....</P><P>Vlan 1 is the native vlan by default on most switches. On trunks, what this means is that it's expected that Vlan1 *not* be tagged with dot1q. For the ASA, not tagging frames only occurs with the physical interface. </P><P>ie, if you wanted to use Vlan 1 (ie the native vlan), simply use the 'nameif' command on the asa physical interface. (since you used 'no nameif' on the physical interface, the physical interface will not pass traffic).</P><P></P><P></P><P>this is all just a guess (:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/intrface.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/intrface.htm</A></P></BODY></HTML> Thu, 24 May 2007 01:09:06 GMT https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762366#M429289 srue 2007-05-24T01:09:06Z https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762367#M429291 <HTML><HEAD></HEAD><BODY><P>Try to move your E 0/1.1 interface to E0/1.2 and use vlan tag2. Perhaps Dot1q on the ASA is having issues with VLAN1. Most devices use VLAN1 as a native vlan. Also ensure your vlan's are active on the 3560.</P><P></P><P>We are using an almost idential config, with the exception of VLAN1 and the configuration works fine.</P><P></P><P>We found that during deployment that when using Dot1Q trunks on a PIX/ASA the Native VLAN not very friendly.</P></BODY></HTML> Thu, 24 May 2007 14:30:43 GMT https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762367#M429291 rauvil 2007-05-24T14:30:43Z https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762368#M429292 <HTML><HEAD></HEAD><BODY><P>The other option is to use the current configuration and simply assign a different native vlan on the switch port trunk. maybe.</P></BODY></HTML> Thu, 24 May 2007 14:55:54 GMT https://community.cisco.com/t5/network-security/problem-with-trunk-between-asa-and-catalyst-3560/m-p/762368#M429292 srue 2007-05-24T14:55:54Z