topic Re: ASA V-Lan Conf in Network Security

ASA V-Lan Conf

ray_stone — Mon, 11 Mar 2019 13:30:36 GMT

Hi,

I have setup a new Cisco L3 Switch and create three different V-Lan.

1) V-lan 100 192.168.12.0/24 f0

2) V-lan 200 192.168.13.0/24 f1

3) V-lan 300 192.168.14.0/24 f2

F3 switch port is directly connected with ASA 5505 FW.

ASA Inside IP 192.168.10.2

Switch F3 IP 192.168.10.1

Now I want that all Vlan traffic request for internet to be go through ASA. Please suggest what type of config I will have to do?

Re: ASA V-Lan Conf

cpembleton — Wed, 13 Aug 2008 11:54:22 GMT

No shut the actual interface and create a sub-interface for each vlan. Physical can't have a vlan so you'll need 3 subs. Configure sub-interfaces the same way you would a physical interface. Setup your L3 switch interface as a 802.1q trunk port.

interface physical_interface.subinterface

vlan vlan-id

EX:

interface g0/1.10

vlan 10

Thanks,

Chad

Please rate if helpful.

Re: ASA V-Lan Conf

Marwan ALshawi — Wed, 13 Aug 2008 12:02:01 GMT

the easy way is as follow:

first inter the following command on the switch to enable routing

ip routing

then

creat thre SVIs on the switch

interface vlan 100

ip address 192.168.12.1 255.255.255.0

no shut

interface vlan 200

ip address 192.168.13.1 255.255.255.0

no shut

interface vlan 300

ip address 192.168.14.1 255.255.255.0

no shut

then creat a default route point to the ASA inside interface

on the switch

ip route 0.0.0.0 0.0.0.0 192.168.10.2

make the switchport connected to the asa as a routed port

for eaxmle

interfaces fa0/3

no switchport

ip address 192.168.10.1

no shut

now on the ASA creat three static routes each one point to one of ur vlans and going throu the switch interface

on the asa:

route inside 192.168.12.0 255.255.255.0 192.168.10.1

route inside 192.168.13.0 255.255.255.0 192.168.10.1

route inside 192.168.14.0 255.255.255.0 192.168.10.1

and for any clients connected to the switch

if u copnnect client to vlan 100

this client default gateway must be vlan 100 interface that we created above

and the same idea for each vlan

and good luck

please, if helpful rate

Re: ASA V-Lan Conf

Marwan ALshawi — Wed, 13 Aug 2008 12:09:51 GMT

hi Chad

ur idea right 100%

but he said he is useing L# switch and as he mentioned ha has given an ip address to the switch interface so this interface not trunk and layer two port any more

and upon ur config he will use his switch as L2 switch only

while he can benifit from his layer three switch and make all the oruting in the L3 switch and the full config as mention in my post to him

Unless he wants the comunication between vlans be through the firewall in this case he dose not need to make the routing on the L3 switch

thank you

Re: ASA V-Lan Conf

JORGE RODRIGUEZ — Wed, 13 Aug 2008 14:23:23 GMT

Marwan's suggestion is the easiest way to do it which is actually creating SVI interfaces in your L3 switch.. you could do ospf adjacency between asa inside and l3 switch but Marvan's example is good way to go with.

Additionally you will need to add those SVI subnets in asa to PAT them using global outboung interface for internet traffic.

e.i.

global (outside) 1 interface

nat (inside) 1 192.168.12.0 255.255.255.0

nat (inside) 1 192.168.13.0 255.255.255.0

nat (inside) 1 192.168.14.0 255.255.255.0

Rgds

Jorge

Re: ASA V-Lan Conf

Marwan ALshawi — Wed, 13 Aug 2008 14:32:06 GMT

thanks jorge especially for nating

because i got busy arranging the routing for him

sure the nating must be done for all internal vlans subnets to intgrate with static route that we have added to the asa

i mean the way out and bak end to end

Re: ASA V-Lan Conf

ray_stone — Wed, 13 Aug 2008 15:42:04 GMT

Thanks for all suggestions, but as I know when the all V-Lan traffic goes to other device by using a single port on switch then trunk port must be configured. In this above scenario, Is it not required a configured Trunk Port?

Re: ASA V-Lan Conf

JORGE RODRIGUEZ — Wed, 13 Aug 2008 15:49:43 GMT

In above scenario trunking is not required because you are not creating the VLANS in the firewall. When you do 802.1q subinterfaces in ASA then you need to extend those vlans to the switch via trunk. But because you are doing inter vlan routing withing the L3 switch you just simply need the example provided by Marwan.

Rgds

Jorge

Re: ASA V-Lan Conf

ray_stone — Wed, 13 Aug 2008 16:04:03 GMT

Well the ASA is setup with default configuration and the inside interface is also associated with V-lan1. Does it requires to change anything on ASA Inside Interface which will be connect with Switch port.

If I use inter v-lan routing on L3 Switch then what commands I need to execute. Thanks

Re: ASA V-Lan Conf

JORGE RODRIGUEZ — Wed, 13 Aug 2008 16:15:16 GMT

lets take ASA inside interface subnet 192.168.10.0/24

ASA Inside IP 192.168.10.2

you can do as follows.

Switch has default VLAN1 which is management vlan. Configure management vlan in same network as your ASA inside subnet

example on switch:

interface vlan1

ip address 192.168.10.3 255.255.255.0

no shut

then connect ASA inside physical port on a switchport on the switch.

interface fastethernet0/48

description ASA_Inside_Interface

switchport access vlan 1

speed 100

duplex full

no shut

And thats it, complete the Marvwan's example, doing default route pointing to ASA inside interface IP address.

For your hosts on 12,13,14 Default gateway will be SVI interface IP address, and for internet access follow the NAT (inside) 1 example above..

Let us know if you need a more complete script but you should be good to go..

[edit]

For inter-vlan routing configuration create the svi on the switch as Marwan provided example, for the SVI interfaces you create for them to be up/up you must connect a host on the allocated switchport and place the switch port in the correct SVI vlan.

example

interface vlan 100

ip address 192.168.13.1 255.255.255.0

no shut

interface fastethernet0/1

Description WIndowsXP_PC1

switchport access vlan 100

speed 100

duplex full

no shut

Rgds

Jorge

Re: ASA V-Lan Conf

ray_stone — Wed, 13 Aug 2008 16:51:14 GMT

If I delete V-Lan 1 which is associated with ASA Inside Interface then is it required the following commands on Switch Management Interface.

interface fastethernet0/48

description ASA_Inside_Interface

switchport access vlan 1

speed 100

duplex full

no shut

Re: ASA V-Lan Conf

ray_stone — Wed, 13 Aug 2008 16:56:51 GMT

As I understand without V-lan configured on ASA Inside Interface and the connected port of switch will work like as a Master Port.

Re: ASA V-Lan Conf

JORGE RODRIGUEZ — Wed, 13 Aug 2008 17:54:19 GMT

AS reference will try to exmplain a bit more so that you can know the obtions in future.

You cannot delete the management default VLAN1 off the switch or any switch as it is a default embeded vlan in the switch code, but you can choose any other vlan for management and leave VLAN1 alone with no IP adddress and be able to telnet to the switch from any other SVI interface , it is just simply for management. The VLAN1 Association on the switch is local to the switch and not the firewall.

If you had created the VLANS on the ASA for example

interface Ethernet0/1.100

vlan 100

nameif inside1

security-level 100

ip address 192.168.10.1 255.255.255.0

interface Ethernet0/1.101

vlan 101

nameif inside2

security-level 101

ip address 192.168.11.1 255.255.255.0

same-security-traffic permit inter-interface

then in the switch the trunk must be configured and associate the ASA VLAN# to the switch L2 VLAN# as bellow.

switch: Layer 2 vlans

vlan database

vlan 100 name inside1

vlan 101 name inside2

interface fastethernet0/48

Description Connection to ASA_Inside_Ethernet1

switchport mode trunk

switchport trunk encapsulation dot1q

switchport trunk allow vlan 100,101 etc..

////

In original replies example the fe0/48 defaults to vlan1 anyways and switchport access vlan 1 command is not required Im just pickie about it and place it when there are many vlans configured and want to know who is who on the switch ports, you are correct in saying master port, although I have not heard that tearm in switches but I think you meant by master port the primary physical

connection to the firewall inside interface.

Re: ASA V-Lan Conf

ray_stone — Wed, 13 Aug 2008 18:27:26 GMT

Valuable!!!! I appreciate. Guys please don't mind as I am bit confused in the V-Lans configuration that's why I am putting lot of queries and hope all confusion part will be wash out by your support.

Can you please tell me now how can I do inter-VLan routing into L3 Switch. Please show an example if possible. Thnaks

Re: ASA V-Lan Conf

ray_stone — Wed, 13 Aug 2008 18:59:06 GMT

waiting

Re: ASA V-Lan Conf

JORGE RODRIGUEZ — Wed, 13 Aug 2008 19:10:59 GMT

Assuming you have already configure basic ASA inside interface with 192.168.10.2/24

1-Start with Layer 2 vlans on switch, and use VLAN1 for management on same segment as ASA inside interface

2-Create L3 SVI interfaces for earch Layer 2 VLAN you created

3-Enable routing on the switch

4-Configure ASA static routes to talk to 12,13,14 subnets via 192.168.10.1

5-Configure ASA for NATing your inside hosts in L3 switch for internet access

6-COnfigure ASA with same-security-traffic permit intra-interface

7-ALLOw any subnet from behind ASA access to ASA for telnet and/or http for management

vlan database

vlan 100 name 192.168.12.0/24

vlan 101 name 192.168.13.0/24

vlan 102 name 192.168.14.0/24

exit

verify vlans " show vlan"

Now Create SVIs

interface vlan 100

Description 12.0/24 subnet

IP address 192.168.12.1 255.255.255.0

no shutdown

interface vlan 101

Description 13.0/24 subnet

IP address 192.168.13.1 255.255.255.0

no shutdown

interface vlan 102

Description 14.0/24 subnet

IP address 192.168.14.1 255.255.255.0

no shutdown

Management Vlan1 in switch which also servers as L3 connection to ASA

interface vlan1

Description Management

ip address 192.168.10.1 255.255.255.0

no shutdown

Enable routing in switch and configure default route

ip routing

ip route 0.0.0.0 0.0.0.0 192.168.10.2

Allocate switch port Fe0/48 to connect to ASA inside interface

interface fastethernet0/48

Description Connection to ASA_Ethernet1

speed 100

duplex full

no shutdown

test pinging from switch to asa inside interface - if ok proceed ..

ASA side configuration

route inside 192.168.12.0 255.255.255.0 192.168.10.1

route inside 192.168.13.0 255.255.255.0 192.168.10.1

route inside 192.168.14.0 255.255.255.0 192.168.10.1

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (inside) 1 192.168.12.0 255.255.255.0

nat (inside) 1 192.168.13.0 255.255.255.0

nat (inside) 1 192.168.14.0 255.255.255.0

http server enable

http 192.168.12.0 255.255.255.0 inside

http 192.168.13.0 255.255.255.0 inside

http 192.168.14.0 255.255.255.0 inside

telnet 192.168.12.0 255.255.255.0 inside

telnet 192.168.13.0 255.255.255.0 inside

telnet 192.168.14.0 255.255.255.0 inside

route 0.0.0.0 0.0.0.0 ISP_NetHop_Router_IP 1

/////////////////////

Now for real test, you need to place in switches PC hosts for the SVI interfaces to come up

Rememner that PCs default gateway will be the IP of the SVI interfaces.

Interface fastethernet0/1

Description PC1_192.168.12.40/24

switchport access vlan 100

no shutdown

Interface fastethernet0/2

Description PC1_192.168.13.40/24

switchport access vlan 101

no shutdown

from PC in subnet 100 ping its default gateway at 192.168.12.1

From PC in subnet 101 ping its default gatewat at 192.168.13.1

From PC in subnet 100 ping PC in subnet 101

From PC in subnet 100 ping asa Inside interface at 192.168.10.2

from PCs connect to internet

Did I missed anything?

Re: ASA V-Lan Conf

ray_stone — Wed, 13 Aug 2008 19:22:23 GMT

Hi, Thanks for your reply.

What is the use of this command.."same-security-traffic permit intra-interface" As I understand this command is to enable the V-lan's communication which is configured on Switch.

Here, I want to configure the Inter-V-Lan routing on L3 switch instead of ASA. Is it required and static commands or routing protocols like RIP, OSPF and etc. Please advice.

Re: ASA V-Lan Conf

JORGE RODRIGUEZ — Wed, 13 Aug 2008 19:32:17 GMT

if you place any other hosts on 192.168.10.0/24 subnet beside the switch vlan1 192.168.10.1 and asa inside interface 192.168.10.2 you need this command in asa for traffic from 12,13,14 subnets to talk to hosts on the 10 subnet go out the same interface it came. Omit the command otherwise!

same-security-traffic permit intra-interface.

Re: ASA V-Lan Conf

ray_stone — Wed, 13 Aug 2008 19:36:18 GMT

And what about V-Lan communication? How will it be configured on L3 Switch?

Re: ASA V-Lan Conf

JORGE RODRIGUEZ — Wed, 13 Aug 2008 19:38:26 GMT

Inter VLAN communication will be handle by the L3 switch and its routing function within.