ASA connected to 3850x (Layer 3 Switch) Internet

lenin.km
Level 1

I have an ASA 5516-X with multiple interfaces (Inside, Guest) connected to a Layer 3 switch (3850-X) where I have VLANs and IP routing enabled.

I'm not able to reach the internet from any of these VLANs. I'm able to ping back and forth between the ASA and the switch interfaces. I'm confused about whether there's a route missing from the switch or an access list missing from the ASA.

7 Replies

Hi

Basically you need NAT and an ACL on the ASA allowing internet access, and on the switch you need at least one route sending traffic to the ASA:

ip route 0.0.0.0 0.0.0.0 <ASA IP ADDRESS>

This should be enough to access the internet from this switch.

Jitendra Kumar
Spotlight

Do you have a default route on the L3 switch?

ip route 0.0.0.0 0.0.0.0 <ASA interface IP>

If possible, please share the config.

Thanks,
Jitendra

Sheraz.Salim
VIP Alumni

On the switch create an SVI and a default route with the ASA as the next hop. Having said that, if you have configured your NAT rule you should be able to reach the internet.

please do not forget to rate.

 

 

Switch 3850
!
vlan x
!
vlan y
!
vlan z
!
interface vlan x
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface vlan y
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface vlan z
 ip address 192.168.3.1 255.255.255.0
 no shutdown
!
ip routing
!
! default route toward the ASA sub-interface in VLAN z
ip route 0.0.0.0 0.0.0.0 192.168.3.2
!
! this interface connects to the firewall port; the 3850 only trunks 802.1Q,
! so no "switchport trunk encapsulation" command is needed
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan x,y,z
 no shutdown
!

ASA
!
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.x
 vlan x
 nameif xxxx
 security-level 100
 ! security-level 100 only if this is the equivalent of inside
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/0.y
 vlan y
 nameif yyyy
 security-level 100
 ! security-level 100 only if this is the equivalent of inside
 ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet0/0.z
 vlan z
 nameif zzzz
 security-level 100
 ! security-level 100 only if this is the equivalent of inside
 ip address 192.168.3.2 255.255.255.0
!
! routes back to VLAN x and y via the switch SVI in VLAN z. The ASA is also
! directly connected to these subnets through its x and y sub-interfaces above,
! so keep either those sub-interfaces or these routes, not both, otherwise
! traffic leaves on one path and returns on another.
route zzzz 192.168.1.0 255.255.255.0 192.168.3.1
route zzzz 192.168.2.0 255.255.255.0 192.168.3.1
!
object network X
 subnet 192.168.1.0 255.255.255.0
 nat (zzzz,outside) dynamic interface
!
object network Y
 subnet 192.168.2.0 255.255.255.0
 nat (zzzz,outside) dynamic interface
!

Just to add: if any of your firewall interfaces has a security-level between 1 and 99, it is classified as a DMZ zone, and in that case you have to define an access-list on the ASA.

please do not forget to rate.
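The replies above boil down to a short checklist: the switch needs "ip routing" and a default route whose next hop is an ASA interface address, and the ASA needs a NAT rule to outside for every inside subnet, a route back to each VLAN it is not directly connected to, and its own default route. The script below is an added example, not code from this thread or from Cisco; it parses two constructed sample configs (the switch and ASA text embedded in it, with private and RFC 5737 addresses chosen for the example) and reports which of those pieces is missing. The function names (parse_blocks, interface_addrs, audit) and the interface name "outside" are assumptions of the example.

```python
"""Added example (not from the thread): check the basics the replies ask for.
The SWITCH_CFG and ASA_CFG texts are constructed samples, not the poster's config."""
import ipaddress
import re

SWITCH_CFG = """\
ip routing
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
interface Vlan30
 ip address 192.168.3.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.3.2
"""

ASA_CFG = """\
interface GigabitEthernet0/0.30
 vlan 30
 nameif inside
 security-level 100
 ip address 192.168.3.2 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
object network NET-VLAN10
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network NET-VLAN20
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network NET-VLAN30
 subnet 192.168.3.0 255.255.255.0
 nat (inside,outside) dynamic interface
route inside 192.168.1.0 255.255.255.0 192.168.3.1
route inside 192.168.2.0 255.255.255.0 192.168.3.1
route outside 0.0.0.0 0.0.0.0 203.0.113.1
"""


def parse_blocks(cfg):
    """Group IOS/ASA-style text into (top-level line, [indented sub-lines])."""
    blocks = []
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def interface_addrs(blocks):
    """Map interface name -> IPv4Interface taken from 'ip address A M' lines."""
    addrs = {}
    for header, children in blocks:
        if header.startswith("interface "):
            for line in children:
                m = re.match(r"ip address (\S+) (\S+)$", line)
                if m:
                    addrs[header.split()[1]] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
    return addrs


def audit(switch_cfg, asa_cfg, outside="outside"):
    """Return a list of findings; an empty list means the basics are in place."""
    findings = []
    sw, asa = parse_blocks(switch_cfg), parse_blocks(asa_cfg)
    svis, asa_ifs = interface_addrs(sw), interface_addrs(asa)

    # 1. the switch must route between SVIs and send everything else to the ASA
    if not any(h == "ip routing" for h, _ in sw):
        findings.append("switch: 'ip routing' is missing, SVIs will not forward")
    default = [h for h, _ in sw if h.startswith("ip route 0.0.0.0 0.0.0.0 ")]
    if not default:
        findings.append("switch: no default route toward the ASA")
    else:
        nexthop = ipaddress.IPv4Address(default[0].split()[4])
        if nexthop not in {i.ip for i in asa_ifs.values()}:
            findings.append(f"switch: default route next hop {nexthop} is not an ASA interface")
        if not any(nexthop in s.network for s in svis.values()):
            findings.append(f"switch: default route next hop {nexthop} is not on any SVI subnet")

    # 2. the ASA must NAT each inside subnet to outside and know the way back
    natted, routes = set(), set()
    for header, children in asa:
        if header.startswith("object network "):
            subnet = None
            for line in children:
                m = re.match(r"subnet (\S+) (\S+)$", line)
                if m:
                    subnet = ipaddress.IPv4Network(f"{m[1]}/{m[2]}")
                if subnet and re.match(rf"nat \(\S+,{outside}\) ", line):
                    natted.add(subnet)
        m = re.match(r"route \S+ (\S+) (\S+) \S+$", header)
        if m:
            routes.add(ipaddress.IPv4Network(f"{m[1]}/{m[2]}"))
    if ipaddress.IPv4Network("0.0.0.0/0") not in routes:
        findings.append("asa: no default route toward the internet")
    connected = {i.network for i in asa_ifs.values()}
    for name, svi in svis.items():
        net = svi.network
        if not any(net.subnet_of(n) for n in natted):
            findings.append(f"asa: no NAT to {outside} covers {net} ({name})")
        if net not in connected and net not in routes:
            findings.append(f"asa: no route back to {net} ({name})")
    return findings


if __name__ == "__main__":
    for finding in audit(SWITCH_CFG, ASA_CFG) or ["no gaps found"]:
        print(finding)
```

Run against your own "show running-config" output from both boxes: an empty result means routing and NAT are at least present; it does not check the ACLs needed for lower-security interfaces, which is the DMZ case mentioned above.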

The default GW is the SVI on the switch. The right way is to configure the ASA interface and a specific VLAN for the connection between the L3 switch and the ASA, and configure a default route toward the ASA interface.
BUT BUT
that makes the ASA not inspect any traffic between VLANs, i.e. it is used only for traffic out to the internet.

Other solution:
configure the switch as L2 and make the ASA interfaces the default GW for the hosts; this makes the ASA inspect the traffic between the VLANs and the hosts can access the internet.


Hello

Try the following:

ASA

object network VLAN1
 subnet 192.168.1.0 255.255.255.0
object network VLAN2
 subnet 192.168.2.0 255.255.255.0
object network VLAN3
 subnet 192.168.3.0 255.255.255.0

object-group network VLANS
 network-object object VLAN1
 network-object object VLAN2
 network-object object VLAN3

! twice NAT (after-auto) is entered in global configuration, not inside the
! object; vlan1/vlan2/vlan3 are the nameif of the corresponding sub-interfaces
nat (vlan1,outside) after-auto source dynamic VLAN1 interface
nat (vlan2,outside) after-auto source dynamic VLAN2 interface
nat (vlan3,outside) after-auto source dynamic VLAN3 interface

access-list 100 extended permit icmp any object-group VLANS echo-reply
access-group 100 in interface outside

! x.x.x.x is the upstream (ISP) gateway
route outside 0.0.0.0 0.0.0.0 x.x.x.x


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul