Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3954
Views
0
Helpful
2
Replies

ASA 5510 and Multiple Inside VLAN's

Matthew Scheele
Level 1
Level 1

‎06-19-2013 07:57 AM - edited ‎03-11-2019 07:00 PM

I have a Cisco 5510 with an inside network, outside network and DMZ network.

Right now, they are all able to communicate fine. But I have to add a another VLAN to the inside network, and have it be able to communicate with the DMZ and outside network. The inside network has a 3750 doing the inter-vlan routing so all devices on both VLAN's can communicate with each other. But devices on the outside network and DMZ network have no communication with the 2nd inside VLAN even though I have the necessary rules to allow this.

How can I tell the ASA 5510 to realize that the 2nd VLAN exists on its inside network?

To illustrate:

The ASA 5510 has an inside interface IP 10.96.1.254 that is on VLAN 10 of the 3750

It's DMZ interface IP is 10.96.3.254

It's Outside interface IP is 10.96.4.254

The 3750 has a VLAN 10 interface IP 10.96.1.253 and a VLAN 11 interface IP 10.96.2.253 and can route between those 2 VLAN's.

How can I configure the firewall to enable devices on the DMZ-10.96.3.0 network and Outside-10.96.4.0 network to be able to communicate with devices on the inside-10.96.2.0 network?

Thanks!

Labels:
0 Helpful
2 Replies 2

James Leinweber
Level 4
Level 4

‎06-19-2013 08:21 AM

You can't put multiple subnets and vlans on a single interface, but you can convert the ASA interface into a trunk port and set up subinterfaces.  E.g.

3750 switch:

interface  GigabitEthernet1/0/43

  switchport trunk encapsulation dot1q

  switchport trunk native vlan 400

  switchport trunk allowed vlan 2543-2545

  switchport mode trunk

  switchport nonegotiate

ASA:

interface GigabitEthernet0/3

description trunk port vlans 2543-2545

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.2543

description printer

vlan 2543

nameif bld-print

security-level 80

ip address 172.18.84.1 255.255.255.0

!

interface GigabitEthernet0/3.2544

description bad host quarantine

vlan 2544

nameif bld-bad

security-level 1

ip address 172.18.10.1 255.255.255.0

...

-- Jim Leinweber, WI State Lab of Hygiene

0 Helpful

andyjames
Level 1
Level 1

‎06-19-2013 08:23 AM

Hello,

Normally you would have sub-interfaces for the internal VLANs on the Inside interface but as you have a 3750 doing the internal routing it's not necessary.

I've tried it a few ways before and have found the easiest way is to have 1 VLAN that runs between the ASA and the switch only, trunk between the switch and the ASA and this will carry all other VLANs also. You can limit the trunk to only allow the correct VLANs at the switch if needed.

You then only need one sub-interface on the ASA, with either a routing protocol distributing the internal routes to the ASA or static routes pointing to the switch.

Hope that makes sense.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card