10-28-2010 06:25 AM - edited 03-11-2019 12:01 PM
I am new to Cisco firewalls. I have an ASA-5510 with a trunk switch (Catalyst 3560). One port on the switch is connected to another switch (Catalyst 2960). The connection is pass-through, not trunked. On the 2960, I have a few devices with different IP subnets plugged in. These are all untrusted systems. I have created a single VLAN at the 3560 and into the ASA.
My question is how to direct traffic to/from devices on the untrusted interface. The ASA gives me the option to set the IP address of the interface - but I have a number of subnets. Can I associate 'objects/hosts' in the ASA with a specific interface?
Thanks in advance!
Jayesh
10-28-2010 07:49 AM
jariwalaj wrote:
I am new to Cisco firewalls. I have an ASA-5510 with a trunk switch (Catalyst 3560). One port on the switch is connected to another switch (Catalyst 2960). The connection is pass-through, not trunked. On the 2960, I have a few devices with different IP subnets plugged in. These are all untrusted systems. I have created a single VLAN at the 3560 and into the ASA.
My question is how to direct traffic to/from devices on the untrusted interface. The ASA gives me the option to set the IP address of the interface - but I have a number of subnets. Can I associate 'objects/hosts' in the ASA with a specific interface?
Thanks in advance!
Jayesh
Jayesh
If you have devices in different subnets you should use different vlans. A better way to set up your network would be -
1) connect the 2960 to the 3560 with a L2 trunk
2) allocate each subnet into a different vlan
3) Create these vlans on the 3560 switch and also the 2960 switch
4) If you want to firewall between these vlans then you can use subinterfaces on the ASA. Each subinterface will have a different IP address and be allocated into a separate vlan -
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1082576
5) However if you don't need to firewall between the vlans then use the 3560 to route between vlans, it's a lot simpler. So create the L3 vlan interfaces on your 3560 and add a default-route on the 3560 pointing to the ASA inside interface -
ip route 0.0.0.0 0.0.0.0 x.x.x.x <-- where x.x.x.x is the ASA inside interface
6) On the ASA add routes for the vlans on the 3560 eg.
route inside 192.168.5.0 255.255.255.0 x.x.x.x
route inside 192.168.6.0 255.255.255.0 x.x.x.x
where x.x.x.x is the IP address on the 3560
That is a very brief run through. If you need more details let me know. The above using step 5) instead of step 4) is a very common setup and works well for most environments.
Jon
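The following configuration is an added worked example of Jon's step 4 (firewalling between the VLANs with ASA subinterfaces); it is not part of the original posts. VLAN numbers 10, 20 and 999, the interface names, the 192.168.5.0/24 and 192.168.6.0/24 addresses, and the ACL entries are all assumptions chosen to match the thread's example subnets. The outside interface and NAT are not shown.

```cisco
! ---- Catalyst 2960 (access layer, L2 only) ----
! VLAN numbers, names and port ranges are assumptions for this example.
vlan 10
 name UNTRUSTED-A
vlan 20
 name UNTRUSTED-B
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/1
 description Trunk to 3560
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface range FastEthernet0/1 - 8
 description Untrusted subnet A hosts
 switchport mode access
 switchport access vlan 10
!
interface range FastEthernet0/9 - 16
 description Untrusted subnet B hosts
 switchport mode access
 switchport access vlan 20
!
! ---- Catalyst 3560 (L2 pass-through for VLANs 10/20; no SVIs for them) ----
vlan 10
 name UNTRUSTED-A
vlan 20
 name UNTRUSTED-B
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/1
 description Trunk to 2960
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description Trunk to ASA Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
!
! ---- ASA 5510 (one subinterface per VLAN; the physical port carries no IP) ----
interface Ethernet0/1
 description Trunk to 3560
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/1.10
 vlan 10
 nameif untrusted-a
 security-level 10
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif untrusted-b
 security-level 10
 ip address 192.168.6.1 255.255.255.0
!
! Both subinterfaces sit at the same security level, so the ASA drops traffic
! between them until inter-interface forwarding is enabled. Enable it, then
! control what crosses with explicit inbound ACLs (default deny, logged).
same-security-traffic permit inter-interface
!
access-list UNTRUSTED-A-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.6.10 eq 443
access-list UNTRUSTED-A-IN extended permit tcp 192.168.5.0 255.255.255.0 any eq www
access-list UNTRUSTED-A-IN extended permit tcp 192.168.5.0 255.255.255.0 any eq https
access-list UNTRUSTED-A-IN extended deny ip any any log
access-group UNTRUSTED-A-IN in interface untrusted-a
!
access-list UNTRUSTED-B-IN extended permit tcp 192.168.6.0 255.255.255.0 any eq www
access-list UNTRUSTED-B-IN extended permit tcp 192.168.6.0 255.255.255.0 any eq https
access-list UNTRUSTED-B-IN extended deny ip any any log
access-group UNTRUSTED-B-IN in interface untrusted-b
```

Two points worth checking after applying this: the trunks prune the allowed list to only the VLANs that should reach the ASA and use an unused native VLAN, so untagged frames from an untrusted port cannot land in a VLAN you did not intend; and no "interface Vlan10"/"interface Vlan20" exists on the 3560, so the only path between the untrusted subnets is through the ASA and its ACLs. "show interface trunk" on each switch and "show interface ip brief" on the ASA confirm the VLANs are carried end to end.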
11-17-2010 08:27 AM
Jon,
Thanks for your help earlier. I did setup the VLANs in the 2960 and created a trunk connection to the 3560. Then I created the same VLANs in the 3560. This allowed me to define the VLANs finally in my ASA for routing traffic.
In your last steps, you mention a few routes and rules if I don't need to firewall between VLANs. I do need to. Is the 'ip route' command on the 3560 necessary anyway to ensure all traffic goes to the ASA?
Thanks!
Jayesh
11-17-2010 11:58 AM
jariwalaj wrote:
Jon,
Thanks for your help earlier. I did setup the VLANs in the 2960 and created a trunk connection to the 3560. Then I created the same VLANs in the 3560. This allowed me to define the VLANs finally in my ASA for routing traffic.
In your last steps, you mention a few routes and rules if I don't need to firewall between VLANs. I do need to. Is the 'ip route' command on the 3560 necessary anyway to ensure all traffic goes to the ASA?
Thanks!
Jayesh
Jayesh
If you are routing the vlans off the ASA then no you don't need to have a route on the 3560 unless there are other vlans on the 3560 that are being routed and not firewalled. If the 3560 is not routing for any vlans then no need for the ip route command.
Jon
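The mixed case Jon describes above (some VLANs routed on the 3560 and not firewalled, the untrusted VLANs still handed to the ASA), as an added example that is not from the original posts. VLANs 30, 40 and 100, the 192.168.30.0/24, 192.168.40.0/24 and 192.168.100.0/24 addresses, and the interface names are assumptions; VLANs 10 and 20 are the untrusted VLANs of the earlier example.

```cisco
! ---- 3560: trusted VLANs routed on the switch, untrusted VLANs passed to the ASA ----
! VLAN numbers and addresses are assumptions for this example.
ip routing
!
vlan 10
 name UNTRUSTED-A
vlan 20
 name UNTRUSTED-B
vlan 30
 name TRUSTED-SERVERS
vlan 40
 name TRUSTED-USERS
vlan 100
 name TRANSIT-TO-ASA
vlan 999
 name NATIVE-UNUSED
!
! SVIs only for the VLANs the switch is meant to route.
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
interface Vlan100
 description Transit link to ASA inside
 ip address 192.168.100.2 255.255.255.0
!
! Deliberately NO "interface Vlan10" / "interface Vlan20": an SVI in an
! untrusted VLAN would let those hosts route via the switch and bypass the ASA.
!
! Only needed because the switch now routes something itself: everything it
! does not have a more specific route for goes to the ASA inside address.
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
! Trunk to the ASA carries the transit VLAN in addition to the untrusted ones.
interface GigabitEthernet0/2
 description Trunk to ASA Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100
 switchport trunk native vlan 999
 switchport nonegotiate
!
! ---- ASA: inside subinterface on the transit VLAN plus return routes ----
interface Ethernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
! Without these the ASA has no path back to the switch-routed subnets.
route inside 192.168.30.0 255.255.255.0 192.168.100.2
route inside 192.168.40.0 255.255.255.0 192.168.100.2
```

"show ip route" on the 3560 should list the two connected trusted subnets plus the default via 192.168.100.1 and nothing for 192.168.5.0 or 192.168.6.0; "show route" on the ASA should show 192.168.30.0 and 192.168.40.0 via 192.168.100.2 on inside while 192.168.5.0 and 192.168.6.0 remain directly connected on their own subinterfaces. If the 3560 routes no VLANs at all, the SVIs and the default route are not needed, exactly as the reply above says.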