topic Re: ASA with VLANs ...... does dot1q actually work ? in Network Security

ASA with VLANs ...... does dot1q actually work ?

mcroft — Mon, 11 Mar 2019 14:34:36 GMT

Hi,

I have a very simple config :

1x ASA5510 firewall and 1x 2950 ethernet switch.

I am trying to get dot1q trunking working between the two, and utlize VLANs through one single physical connection.

This is easy right ?

<--------------ASA------------------->

interface Ethernet3

speed 100

duplex full

nameif DMZ1-TEST

security-level 6

no ip address

interface Ethernet3.1

vlan 700

nameif DMZ1-TEST-VLAN700

security-level 6

ip address 172.18.10.1 255.255.0.0

interface Ethernet3.2

vlan 701

nameif DMZ1-TEST-VLAN701

security-level 6

ip address 172.19.10.1 255.255.0.0

<------------2950 SWITCH---------------->

interface FastEthernet0/23

description *** UPLINK to ASA TEST ***

duplex full

speed 100

switchport trunk encapsulation dot1q

switchport mode trunk

------------------------------------------

However, I cannot see any traffic between the two devices, infact, I am unable to ping the switch from the firewall and visa-versa.

if I do a show int on the firewall, I see ..... "390349 L2 decode drops" THIS IS NOT GOOD I ASSUME !

So, I think there is a problem with the trunk.

Any Ideas or debug I could apply ?

Any help would really be appreciated.

Thank you.

Matt C

Re: ASA with VLANs ...... does dot1q actually work ?

JORGE RODRIGUEZ — Thu, 08 Jan 2009 16:31:10 GMT

Hi Matt,

have you created the l2 vlans in the switch for the respective FW subinterfaces?

switch

vlan database

vlan 700 name DMZ1-TEST-VLAN700

vlan 701 name DMZ1-TEST-VLAN701

when u place host on a specific switchport conectivity should work .

switch

interface fe0/x

Description PC1_address_172.18.10.30/16

switchport access vlan 700

u should be able from PC ping its default gateway 172.18.10.1

same principle for the other subnet vlan 701

communication between the two subnets can be accomplished with inter-interface command in asa and a nonat excempt acl.

Regards

Re: ASA with VLANs ...... does dot1q actually work ?

mcroft — Thu, 08 Jan 2009 23:24:19 GMT

THANK YOU for your help.

I was being an wally, and only created the vlan interface on the switch and not the VLANs itself.

As soon as I read the first two lines of your email ... I knew immediately what I had done.

Silly me.

Thank you for you help. Appreciated !

Re: ASA with VLANs ...... does dot1q actually work ?

JORGE RODRIGUEZ — Thu, 08 Jan 2009 23:45:16 GMT

Matt, you are welcome and glad I could help and all is fine I assume, don't forget to rate helpful posts.

Bst Rgds

Jorge

Re: ASA with VLANs ...... does dot1q actually work ?

fareed_farooqui — Tue, 14 Apr 2009 09:23:43 GMT

Hi Jorge

Can PC1 communicate with PC2 which has ip address 172.19.10.34 ....

Will intervlan commnication work with ASA as a L3 device .

Please can you elaborate " communication between the two subnets can be accomplished with inter-interface command in asa and a nonat excem"

I have re4ad somewhere that intervlan communication via the same physical trunk cannot work???

Is that true?

Many Thanks

Fareed

Re: ASA with VLANs ...... does dot1q actually work ?

JORGE RODRIGUEZ — Tue, 14 Apr 2009 10:37:13 GMT

I have re4ad somewhere that intervlan communication via the same physical trunk cannot work???

Hi Fareed, This is not true! , you may have subinterfaces with same sec level same physical trunk, or simply physical interfaces again with same sec level and have communication between the two networks as long you have configured same-security-traffic permit inter-interface statement along with a nonat exempt rule.

Regards

Jorge

Re: ASA with VLANs ...... does dot1q actually work ?

fareed_farooqui — Tue, 14 Apr 2009 10:51:52 GMT

Thanks alot Jorge..

FYI here is the link which was the cause of my confusion.. if you scroll right at the bottom you will see a conclusion with a reference to a TAC case..

I typed these words in google "same-security-traffic permit inter-interface trunk asa"

and 7th result from the top from experts-exchange.com is the link iam referring to..

Regards

Fareed