04-18-2013 06:24 AM - edited 03-11-2019 06:30 PM
I have an ASA 5520 connected to a Layer 3 (3750) switch (Inside) and a connection to a 2960 switch (Outside) to get to the internet. I have created vlan interfaces on the 3750 switch and enabled ip routing on the switch to enable the vlans to communicate with each other.
Vlan Interfaces on the switch:
Vlan 100 172.17.1
Vlan 200 172.18.1
Vlan 300 192.168.3.1
I want the devices connected to the 3 vlans to be able to pass through the firewall and get out to the internet.
Question:
I have connected the ASA to the 3750 by routed interfaces (10.10.10.1) --------- (10.10.10.2) and they are able to ping each other.
I have also put a default route on the 3750 sending all traffic from the switch to the ASA inside interface (10.10.10.1)
The issue that I am having is that the ASA also connects to a 2960 which has a connection to the Internet, and they are handing off an ethernet connection from the 2960 that sits in VLAN 55 (Vlan 55 is the Internet accessible vlan).
How do I configure my ASA to send all traffic from my (3) vlans to the interfaces that connects to the 2960 switch?
04-18-2013 07:52 AM
Ok,
So I guess you just have to make sure that the L3 Switch is configured with the new link to the ASA and the default route is configured to point to the ASA "inside" interface IP address so that all traffic not destined for the LAN networks is forwarded to the ASA.
The ASA should be configured with the basic settings
- Jouni
04-18-2013 06:31 AM
Hi,
Since you are already doing Inter-Vlan routing on the L3 Switch I would suggest configuring a new Vlan that is only configured to provide a link/connectivity between the ASA and the LAN networks.
Naturally it would be good if the ASA itself was acting as the L3 point of the network but naturally it doesn't have to be. Though you will not be able to control traffic between the LAN networks. Though the ASA5520 model might run into performance problems also if the L3 point was on the ASA. This depends on the amount of traffic between the LAN networks.
I would suggest configuring something like this. The specific configuration/addresses/Vlan id/Port ID depends naturally on your current configurations on the devices.
L3 Switch
vlan 10
name Link to ASA
interface Vlan10
description Link to ASA
ip add 10.10.10.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.10.1
interface GigabitEthernetx/x
description Link to ASA
switchport mode access
switchport access vlan 10
switchport nonegotiate
spanning-tree portfast
no shutdown
ASA
interface GigabitEthernet0/1
description Link to Core
nameif inside
security-level 100
ip add 10.10.10.1 255.255.255.0
route inside 172.17.1.0 255.255.255.0 10.10.10.2
route inside 172.18.1.0 255.255.255.0 10.10.10.2
route inside 192.168.3.0 255.255.255.0 10.10.10.2
For other ASA configurations like NAT and ACLs I would have to see the current ASA configuration.
Hope this helps
- Jouni
04-18-2013 06:46 AM
Jouni thank you so much for your response!!!
I am replacing a SOHO firewall that is currently connected that only allows one subnet (Vlan) out to the Internet, according to the previous engineer.
So for the traffic going to the internet I would put a nat statement for the 3 vlans to the outside interface?
Thanks
Desmond
04-18-2013 06:50 AM
Hi,
Are you saying that you have another device connected to the L3 Switch that is currently handling Internet traffic? You already have a default route pointing to another device?
- Jouni
04-18-2013 06:58 AM
Sorry for the confusion.
The current setup has a 3750 switch connected to a Linksys SOHO router that is handling traffic for the Internet.
Currently, this set up only allows one of my vlans to access the Internet.
I am replacing the Linksys device with an ASA 5520 and I want all 3 of the vlans to have Internet access which is the reason for the replacement. I hope I am explaining this with some clarity.
Thanks,
Desmond
04-18-2013 07:07 AM
Do you plan to make this change gradually or do you simply want to prepare the ASA configuration for the complete replacement of the Linksys and then do the change?
There might be a possibility to for example do Policy Based Routing on the 3750 for the 2 Vlans that don't have Internet access and forward all their Internet bound traffic to the ASA while still leaving the 1 Vlan to use the Linksys.
This would let you test the Internet through the ASA while still having the original Internet connection.
I am not sure how the Policy Based Routing (PBR) will affect the 3750 performance. I have had one occasion where it caused slight problems with the performance of the device.
What will the ASA use for Internet connection? Does it have a new Internet connection OR will the current Linksys connection be changed to provide the connection to the ASA and the ASA would then handle the firewalling etc.
Hopefully I made sense
- Jouni
04-18-2013 07:35 AM
Jouni,
I am actually looking just to replace the older, less featured device with a new ASA 5520.
The ASA 5520 will replace the Linksys so the same currently used connections will also be used for the ASA connection.
I am using the ASA to firewall off my new created network from the other production network they have in place.
Thanks,
Desmond
04-18-2013 08:45 AM
Jouni thank you for all of your assistance with this issue, I am confident that I will get this up and running with the assistance you provided!
Thanks again!
Desmond
04-18-2013 09:47 AM
No problem
Can you please mark the question as answered (button in the reply message) or rate the reply.
Naturally ask more if the need arises.
- Jouni
04-19-2013 08:22 AM
Jouni I need your assistance once again.
I just got to the site and set up the asa, but the configuration has changed a bit.
The ASA inside interface is connected to a 3750 switch by the routed connection that you suggested yesterday and I am able to ping the 3750 from the ASA but the outside interface of the ASA is connected to a 2960 switch that is handing off a connection to Vlan 55 that they are stating is the only Vlan that has access to the Internet.
How would I then configure the ASA to send traffic to the outside interface that has no ip address?
Thanks in advance.
Desmond
04-19-2013 10:04 AM
Hi,
Did you edit the original post?
But anyway, I am not sure I understood correctly but it seems to me that the LAN portion + ASA is possibly configured fine (Have not seen the configurations so can't say for sure)
Now if your Internet connection from the ISP is provided through a 2960 switch and it has an Access mode port on Vlan55 towards the ASA then naturally you just connect that port to the ASA "outside" interface.
You say that you don't know how to route the traffic to the Internet from the ASA. To me it seems that there are only 2 options. You either have to know the ISP gateway IP address to which you configure the default route on the ASA OR if the previous Internet router was using DHCP to acquire the public IP address (and default route) from the ISP, then you will have to configure the ASA to also use DHCP on its outside interface.
But again, I am not all that sure on how the ASA and the switch on the "outside" is configured so it's impossible to say what the situation is and give specific instructions.
- Jouni
04-19-2013 10:55 AM
Jouni!!!
Yes I did edit it with my new issues.
I have attached the config if you want to take a quick look.
I have the interface labeled and the Gi0/2 is connected to the 2960. I have also added a subinterface for the Vlan configuration, not sure if that was correct or not.
Thanks,
Desmond
04-19-2013 11:22 AM
Hi,
Do you have access to the 2960 switch?
To be honest if you have been originally assigned a public IP address range or a static public IP address then you should be able to get that information either from the old device or directly from the ISP.
If the old device was getting the public IP address from the ISP with DHCP then you will have to use DHCP on the "outside" interface.
If you have already replaced the old Linksys Internet router would it be possible that you could check its configurations to see how its WAN interface is configured. This would tell us how we need to configure the ASA "outside" interface. IF indeed the ASA will use the same line to Internet as the old Internet router/device was using.
I don't think you need to configure a subinterface on the ASA. IF the 2960 has an Access port towards your ASA you can simply connect the ASA Gi0/2 to that 2960 Access port. Provided that switch has a connection to ISP.
- Jouni
04-19-2013 11:39 AM
I just had someone check the 2960 port that connects to my ASA and it is just an access port that is in the 55 vlan.
I thought it may have been set up differently but it's just an access port.
That being the case, Vlan 55 is the only vlan that can access the internet. Is there some way I can take 172.172.1.0 Vlan (for example) and nat it to the VLAN 55?
I don't know I am just throwing out things...
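Pulling together the inside routing from Jouni's first reply and the later discussion of the "outside" interface and NAT, here is an added example ASA configuration; it is not from the thread or from Cisco. It assumes ASA software 8.3 or later, that Gi0/2 is the outside interface on the 2960's Vlan 55 access port, and uses placeholders (PUBLIC-IP, PUBLIC-MASK, ISP-GATEWAY-IP) for the values only the old Linksys or the ISP can supply.

```cisco
! Outside interface on the 2960 access port in Vlan 55. No subinterface is
! needed: an access port hands the ASA untagged frames.
interface GigabitEthernet0/2
 description Link to 2960 (Vlan 55 access port)
 nameif outside
 security-level 0
 ip address PUBLIC-IP PUBLIC-MASK
 no shutdown
!
! Static-address case: default route to the ISP gateway (placeholder).
route outside 0.0.0.0 0.0.0.0 ISP-GATEWAY-IP 1
!
! DHCP case instead: drop the "route outside" line and use
!   ip address dhcp setroute
! under the interface; "setroute" installs the default route learned from the ISP.
!
! Routes back to the three LAN Vlans via the 3750 (same as the first reply).
route inside 172.17.1.0 255.255.255.0 10.10.10.2
route inside 172.18.1.0 255.255.255.0 10.10.10.2
route inside 192.168.3.0 255.255.255.0 10.10.10.2
!
! Object NAT (ASA 8.3+): each LAN network is PATed to the outside interface
! address on its way to the Internet, so only the public address is exposed.
object network VLAN100-NET
 subnet 172.17.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VLAN200-NET
 subnet 172.18.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VLAN300-NET
 subnet 192.168.3.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Checks after applying (constructed test source/destination addresses):
!   show route      - default route present via outside, LAN routes via 10.10.10.2
!   show nat        - the three NAT rules and their hit counts
!   packet-tracer input inside icmp 172.17.1.10 8 0 198.51.100.1
```

The packet-tracer line walks one inside host's ping through routing, NAT and the default route and reports which step drops it, which is the quickest way to tell a missing default route from a missing NAT rule.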