Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1933
Views
0
Helpful
3
Replies

ASA-5510 setting up destinations

Go to solution
jariwalaj
Level 1
Level 1

‎10-28-2010 06:25 AM - edited ‎03-11-2019 12:01 PM

I am new to Cisco firewalls. I have an ASA-5510 with a trunk switch (Catalyst 3560). One port on the switch is connected to another switch (Catalyst 2960). The connection is pass-through, not trunked. On the 2960, I have a few devices with different IP subnets plugged in. These are all untrusted systems. I have created a single VLAN at the 3560 and into the ASA.

My question is how to direct traffic to/from devices on the untrusted interface. The ASA gives me the option to set the IP address of the interface - but I have a number of subnets. Can I associate 'objects/hosts' in the ASA with a specific interface?

Thanks in advance!

Jayesh

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎10-28-2010 07:49 AM 

jariwalaj wrote:
I am new to Cisco firewalls. I have an ASA-5510 with a trunk switch (Catalyst 3560). One port on the switch is connected to another switch (Catalyst 2960). The connection is pass-through, not trunked. On the 2960, I have a few devices with different IP subnets plugged in. These are all untrusted systems. I have created a single VLAN at the 3560 and into the ASA. 
My question is how to direct traffic to/from devices on the untrusted interface. The ASA gives me the option to set the IP address of the interface - but I have a number of subnets. Can I associate 'objects/hosts' in the ASA with a specific interface?
Thanks in advance!
Jayesh

Jayesh

If you have devices in different subnets you should use different vlans. A better way to set up your network would be -

1) connect the 2960 to the 3560 with a L2 trunk

2) allocate each subnet into a different vlan

3) Create these vlans on the 3560 switch and also the 2960 switch

4) If you want to firewall between these vlans then you can use subinterfaces on the ASA. Each subinterface will have a different IP address and be allocated into a separate vlan -

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1082576

5) However if you don't need to firewall between the vlans then use the 3560 to route between vlans, it's a lot simpler. So create the L3 vlan interfaces on your 3560 and add a default-route on the 3560 pointing to the ASA inside interface -

ip route 0.0.0.0 0.0.0.0 x.x.x.x  <-- where x.x.x.x is the ASA inside interface

6) On the ASA add routes for the vlans on the 3560 eg.

route inside 192.168.5.0 255.255.255.0  x.x.x.x

route inside 192.168.6.0 255.255.255.0  x.x.x.x

where x.x.x.x is the IP address on the 3560

That is a very brief run through. If you need more details let me know. The above using step 5) instead of step 4) is a very common setup and works well for most environments.

Jon

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎10-28-2010 07:49 AM 

jariwalaj wrote:
I am new to Cisco firewalls. I have an ASA-5510 with a trunk switch (Catalyst 3560). One port on the switch is connected to another switch (Catalyst 2960). The connection is pass-through, not trunked. On the 2960, I have a few devices with different IP subnets plugged in. These are all untrusted systems. I have created a single VLAN at the 3560 and into the ASA. 
My question is how to direct traffic to/from devices on the untrusted interface. The ASA gives me the option to set the IP address of the interface - but I have a number of subnets. Can I associate 'objects/hosts' in the ASA with a specific interface?
Thanks in advance!
Jayesh

Jayesh

If you have devices in different subnets you should use different vlans. A better way to set up your network would be -

1) connect the 2960 to the 3560 with a L2 trunk

2) allocate each subnet into a different vlan

3) Create these vlans on the 3560 switch and also the 2960 switch

4) If you want to firewall between these vlans then you can use subinterfaces on the ASA. Each subinterface will have a different IP address and be allocated into a separate vlan -

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1082576

5) However if you don't need to firewall between the vlans then use the 3560 to route between vlans, it's a lot simpler. So create the L3 vlan interfaces on your 3560 and add a default-route on the 3560 pointing to the ASA inside interface -

ip route 0.0.0.0 0.0.0.0 x.x.x.x  <-- where x.x.x.x is the ASA inside interface

6) On the ASA add routes for the vlans on the 3560 eg.

route inside 192.168.5.0 255.255.255.0  x.x.x.x

route inside 192.168.6.0 255.255.255.0  x.x.x.x

where x.x.x.x is the IP address on the 3560

That is a very brief run through. If you need more details let me know. The above using step 5) instead of step 4) is a very common setup and works well for most environments.

Jon

0 Helpful

Go to solution
jariwalaj
Level 1
Level 1
In response to Jon Marshall

‎11-17-2010 08:27 AM

Jon,

Thanks for your help earlier. I did setup the VLANs in the 2960 and created a trunk connection to the 3560. Then I created the same VLANs in the 3560. This allowed me to define the VLANs finally in my ASA for routing traffic.

In your last steps, you mention a few routes and rules if I don't need to firewall between VLANs. I do need to. Is the 'ip route' command on the 3560 neccessary anyway to ensure all traffic goes to the ASA?

Thanks!

Jayesh

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to jariwalaj

‎11-17-2010 11:58 AM 

jariwalaj wrote:
Jon,
Thanks for your help earlier. I did setup the VLANs in the 2960 and created a trunk connection to the 3560. Then I created the same VLANs in the 3560. This allowed me to define the VLANs finally in my ASA for routing traffic.
In your last steps, you mention a few routes and rules if I don't need to firewall between VLANs. I do need to. Is the 'ip route' command on the 3560 neccessary anyway to ensure all traffic goes to the ASA?
Thanks!
Jayesh

Jayesh

If you are routing the vlans off the ASA then no you don't need to have a route on the 3560 unless there are other vlans on the 3560 that are being routed and not firewalled. If the 3560 is not routing for any vlans then no need for the ip route command.

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card