topic Re: Connecting ASA 5505 to Layer 2 Switch on VLan in Network Security

Connecting ASA 5505 to Layer 2 Switch on VLan

drikilbride — Mon, 11 Mar 2019 17:18:07 GMT

I really need someones help with this I am a bit stumped.

We recently purchased a new internet link. The ISP has provided their own equipment which we dont have access to.

On this equipment they have created two Vlans. One for internet traffic and one for an extended WAN to another location. The internet link is on VLan 183 on their equipment.

The advised me to connected a Layer 2 Switch directly to the port they had configured VLan 183 on. On the switch I created my own VLan also called 183, trunked it and added a few local switch ports to this Vlan. If I connect my laptop into one of the ports assigned to my Vlan and set my laptops IP to the static information provided by the ISP I can surf the net.

I now need to hook my ASA up to this switch. I need my outside interface to point to the following

ip - 77.75.100.194

mask 255.255.255.252

gateway 77.75.100.193

My inside interface to

10.255.251.211

255.255.0.0

I need all traffic on the 10.255.0.0 network to be able to use this new internet link

I suppose Im just really confused about how I link the ASA up with the Vlan'd switch.

In the past I have always hooked the ASA up direct to whatever router was provided but the VLAN in the middle is confusing me. Also I have only ever used 5510's and the 5505 seems slightly different.

If someone could point me in the right direction I would really appreciate it!

Thank you!!

Re: Connecting ASA 5505 to Layer 2 Switch on VLan

Kureli Sankar — Fri, 05 Mar 2010 17:03:47 GMT

I can certainly understand the confusion when it comes to ASA5505 and vlans. Once you do it once, you will realize how easy it is.

Here is a link with a sample config: http://ezinearticles.com/?Basic-Configuration-Tutorial-For-the-Cisco-ASA-5505-Firewall&id=1681858

You create a layer 3 interface for outside vlan

you create a layer 3 interface for inside vlan

configure one port on outside vlan

configure other ports on inside vlan (by default it will be in vlan1)

now, it is just like a asa5510. The nameif and security lines go under the "int vlan" section.

-KS

Re: Connecting ASA 5505 to Layer 2 Switch on VLan

drikilbride — Fri, 05 Mar 2010 17:07:55 GMT

You are a life saver! I'll give that a try Monday when I'm back in the office!

Thanks again for your help!

Re: Connecting ASA 5505 to Layer 2 Switch on VLan

drikilbride — Mon, 08 Mar 2010 12:23:55 GMT

I have tried that but am still not able to get out onto the internet.

I am going to post my configs for both the ASA 5505 and my Cisco 2950 Switch.

Maybe someone could spot what I have missed?

Thanks in advance!!!

Re: Connecting ASA 5505 to Layer 2 Switch on VLan

Kureli Sankar — Mon, 08 Mar 2010 14:43:51 GMT

The config looks correct.

Are you able to ping xx.xx.xx.xx ?

interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

Are you able to ping xx.xx.xx.xx??

I hope ip address in vlan2 and the default route are not the same IP address.

Ping the outside default gw from the firewall and collect captures and see what they say.

cap capout int outside match icmp any any

sh cap capout

check the logs as well

conf t

logging on

logging buffered 7

sh logg | i x.x.x.x

where x.x.x.x is the host that is try to go to the internet.

-KS

Re: Connecting ASA 5505 to Layer 2 Switch on VLan

drikilbride — Mon, 08 Mar 2010 16:45:23 GMT

I can ping the following

VLAN2

IP Address xx.xx.xx.xx 255.255.255.252

I can't ping the default gateway route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

The IP Address used in VLAN2 and the default gateway are different, both provided by the ISP.

The thing is, if I hook my laptop up direct to the Switch and statically assign it the IP, Gateway and DNS from ISP I have full internet access. There just seems to be an issue with the ASA and the trunked 802.1q switch port. (which works fine with the laptop)

I have attached the log from when I pinged the VLAN2 address from the firewall.

Thanks again!

Re: Connecting ASA 5505 to Layer 2 Switch on VLan

Kureli Sankar — Mon, 08 Mar 2010 18:27:29 GMT

Seems like you need to configured vlan 183 and move the config from vlan2 to vlan183.

interface Vlan183
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 183

Pls. double check the trunk config and the vlan and see which one it is supposed to be.

-KS

Re: Connecting ASA 5505 to Layer 2 Switch on VLan

drikilbride — Tue, 09 Mar 2010 11:23:41 GMT

Its working!!!

Thanks a mil for all your help.

Changing the VLAN to VLAN 183 did the trick!