Solved: ASA 5505 with 2 vlans different names but same subnet address

mahesh18 · ‎08-15-2015

Hi Everyone,

I came across the client network where they have ASA 5505 with 2 vlans there name are different but subnet address and subnet mask is same.

Is this design ok to have?

ASA is using two different physical interfaces for each vlan.

setup is

switch ----vlan 10 ----192.168.50.0/25-------ASA----Vlan 11--------------192.168.50.0/24-----------Switch

I know in Router we can not have two physical interfaces in same subnet.

Regards

Mahesh

Jon Marshall · ‎08-16-2015

I'm not sure why everyone is saying this is not a good design because it just looks like a transparent firewall setup to me ie. two vlans using one IP subnet.

Admittedly the subnets have different masks which is not ideal although Mahesh says the subnet mask is the same in his description so it might be a typo.

The reason for two vlans is to avoid an STP loop ie. the ASA has joined two vlans together using the same IP subnet so it is in transparent mode.

Jon

View solution in original post

Jon Marshall · ‎08-16-2015

Hi Shan

There is IP subnet overlap. In fact the IP subnet should be the same ie. same mask as well for transparent mode.

I agree we don't know whether it is routed or transparent but I am assuming the latter simply because I don't believe the ASA would let you configure two interfaces from the same IP subnet when there is an overlap in the addressing.

Jon

View solution in original post

Vibhor Amrodia · ‎08-16-2015

Hi,

This is not a good practice as there would be this network (192.168.50.0-.127) which would be overlapping.

The only reason probably u were able to configure this was because of different masks.

Thanks and Regards,

Vibhor Amrodia

mahesh18 · ‎08-16-2015

sorry i put wrong info earlier.

IP address of 2 vlans were 10.31.102.17/28 and 10.31.102.33/28.

This ASA is not in transparent mode.

When i calculated there address range its not on same network.

I was confused by only looking at same subnet mask not calculating there address range.

Many thanks to everyone who replied to post

Regards

Mahesh

m.kafka · ‎08-16-2015

This is not nice, no it isn't...

If you can convince your customer to redesign:

Give it a shot with transparent firewall:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html

Regds, MiKa

PS also Routers support bridging and transparent firewall (IRB)

sk.netsec · ‎08-16-2015

Hi

It is not a good design.Try to convince the customer , explain the challenges.

Ask them to give diff. subnets for the VLANs . So that you can terminate the VLAN on the dedicated interface.

i.e VLAN 10 - 192.168.50.0/24 - ASA if eth 1

VLAN20 - 192.168.60.0/24 - ASA if eth 2

Rgds

Shan

Jon Marshall · ‎08-16-2015

I'm not sure why everyone is saying this is not a good design because it just looks like a transparent firewall setup to me ie. two vlans using one IP subnet.

Admittedly the subnets have different masks which is not ideal although Mahesh says the subnet mask is the same in his description so it might be a typo.

The reason for two vlans is to avoid an STP loop ie. the ASA has joined two vlans together using the same IP subnet so it is in transparent mode.

Jon

sk.netsec · ‎08-16-2015

Hi Jon,

I thought there was IP subnet overlap. But as you said it would be typo mistake also. Also not sure abt the Mode (Transparent or Routed).

If transparent mode, then no issues. only BVI interface,we create for Mgmt access through data port

Rgds

Shan

Jon Marshall · ‎08-16-2015

Hi Shan

There is IP subnet overlap. In fact the IP subnet should be the same ie. same mask as well for transparent mode.

I agree we don't know whether it is routed or transparent but I am assuming the latter simply because I don't believe the ASA would let you configure two interfaces from the same IP subnet when there is an overlap in the addressing.

Jon

sk.netsec · ‎08-16-2015

Hi Jon,

As i know , no need to configure the IP for the VLANs on ASA. Just for Mgmt we have to configure , right Jon?.

I am not worked with transparent mode solutions. so am not have much idea in solution point of view & challenges.

But your post has good info. Can you share any links for Transparent deployment ?.

Shan

Jon Marshall · ‎08-16-2015

Correct, you don't configure the IP addresses on the actual interfaces.

By deployment do you mean how to configure it or where you would use it ?

Jon

sk.netsec · ‎08-16-2015

That's why i had doubt abt Mahesh post. Because we won't configure the IP on ASA other than for mgmt purpose.

Transport mode we do only L2 level segmentation.

No . I know the configuration perspective. I got the requirement now.

Thanks Jon.