asa connection to switch

suthomas1 (Level 6)

Hi,

We have a set of users on the Cisco 3750 switch. This needs to be connected to an ASA where the gateway resides.

I am a bit confused on the connection configuration between the ASA and the 3750.

Should I just configure a port on the 3750 for VLAN 100 and physically connect it to an interface on the ASA, while the ASA interface gets the Layer 3 IP address?

3750:

    interface GigabitEthernet1/0/1
     description Connection to ASA
     switchport mode access
     switchport access vlan 100

ASA:

    interface GigabitEthernet0/1
     nameif LINK1
     security-level 100
     ip address 172.30.10.1 255.255.255.0

Is the above correct? What else would I need to do if the users connected to the 3750 need access via the ASA?

Thanks in advance.
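The poster's configuration, completed end to end on both devices so it can be pasted and checked. This is an added example, not the poster's own or Cisco's reference configuration: the user-facing port range, the ASA outside interface, its addressing (203.0.113.0/29, a documentation range), the upstream gateway, the NAT statement and the DHCP scope are all assumptions for illustration. It assumes the 3750 stays a pure Layer 2 device for VLAN 100 (no `interface Vlan100` with an address and no `ip routing`), so the ASA is the only gateway the hosts ever see.

```cisco
! === 3750 (assumed: Layer 2 only for VLAN 100, no SVI, no "ip routing") ===
vlan 100
 name USERS
!
interface GigabitEthernet1/0/1
 description Connection to ASA
 switchport mode access
 switchport access vlan 100
!
! user-facing ports (assumed range)
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! === ASA ===
interface GigabitEthernet0/1
 nameif LINK1
 security-level 100
 ip address 172.30.10.1 255.255.255.0
 no shutdown
!
! assumed outside interface and upstream gateway
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! hide the user subnet behind the outside address (ASA 8.3+ object NAT syntax)
object network USERS-VLAN100
 subnet 172.30.10.0 255.255.255.0
 nat (LINK1,outside) dynamic interface
!
! hand out the ASA itself (172.30.10.1) as default gateway (assumed scope)
dhcpd address 172.30.10.50-172.30.10.200 LINK1
dhcpd enable LINK1
```

Because LINK1 sits at security-level 100 and outside at 0, the ASA permits the users' outbound connections by default and denies anything initiated from the outside unless an access-list applied to `outside` allows it. `show nat` and `packet-tracer input LINK1 tcp 172.30.10.50 1025 198.51.100.10 443` confirm that the translation and the implicit interface policy behave as intended before any users are moved onto the switch.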

Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

Are you saying that you only have Vlan 100 on the 3750 and no other Vlans? In that case it would seem fine, presuming you have the free ports on the ASA to support this setup.

In the long term it's not a good idea since you are going to run out of ASA ports pretty soon (if you do this for many Vlans on multiple switches, perhaps). If you have several Vlans whose L3 gateway should be on the ASA, you would need to have a trunk to the ASA to conserve ports on the ASA (unless of course some Vlan alone requires a Gigabit link to the ASA with no other Vlans on that link).

The most common problem I see here on the forums, related to a setup where there might be an L3-configured 3750 on the internal network and an ASA in front of it at the edge of the network, is the fact that users have activated routing on the L3 switch and configured Vlan interfaces (SVIs) for their Vlans on the 3750 which are used as gateways for some of the networks, and then start experiencing problems with asymmetric routing with the ASA.

I guess you can avoid such problems by setting up the network in one of these ways:

  • An L2 switch network with different user Vlans which all have their L3 gateway on the ASA, provided that the ASA model's throughput will not be a problem.
  • An L3 switch or router in the LAN acting as the L3 gateway for all the user traffic. This would naturally mean the ASA could not control traffic between the networks like in the first setup.
  • An L3 switch or router in the LAN acting as the L3 gateway for all the user traffic. Furthermore, different LAN/DMZ networks are divided into their own VRFs (own routing tables instead of the global routing table). This would enable you to attach each Vlan interface (host gateway) to a specific VRF (routing table) on a single L3 device and therefore separate their traffic and bring it through the ASA (as each VRF could have its own default route and link to the ASA).

There are other options naturally that mix these up with each other, but I would say that the above are the most common ones that I have seen.

But to shortly answer your question again, the configuration you suggest seems to be fine (but perhaps not optimal in the long run).

Hope this helps

- Jouni

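The trunk design Jouni recommends (his first option: an L2 switch with every gateway on the ASA), written out as an added example rather than Jouni's or Cisco's own configuration. The extra VLANs, their names, addresses, security levels and the guest access-list are assumptions, chosen to show why the design is attractive from a security standpoint: every inter-VLAN packet has to cross the ASA, so it can be inspected and filtered, and because the switch holds no SVIs there is no second Layer 3 hop that could create an asymmetric path.

```cisco
! === 3750: one 802.1Q trunk carries all user VLANs to the ASA ===
vlan 100
 name USERS
vlan 200
 name PRINTERS
vlan 300
 name GUEST
!
interface GigabitEthernet1/0/1
 description Trunk to ASA
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200,300
 switchport mode trunk
 switchport nonegotiate
!
! deliberately NO "ip routing" and NO "interface Vlan100/200/300" with an address:
! the ASA is the only Layer 3 hop, so return traffic always comes back through it
!
! === ASA: the physical port carries no IP, one subinterface per VLAN ===
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif USERS
 security-level 100
 ip address 172.30.10.1 255.255.255.0
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif PRINTERS
 security-level 80
 ip address 172.30.20.1 255.255.255.0
!
interface GigabitEthernet0/1.300
 vlan 300
 nameif GUEST
 security-level 10
 ip address 172.30.30.1 255.255.255.0
!
! inter-VLAN traffic now passes the ASA, so it can be policed: guests (assumed
! 172.30.30.0/24) may reach the outside but none of the internal 172.30.0.0/16 space
access-list GUEST-IN extended deny ip any 172.30.0.0 255.255.0.0
access-list GUEST-IN extended permit ip any any
access-group GUEST-IN in interface GUEST
```

With these security levels the ASA's default behaviour already does useful work: USERS (100) can open connections to PRINTERS (80) and GUEST (10), while PRINTERS and GUEST cannot initiate anything towards a higher level unless an access-list explicitly permits it. `show interface ip brief` on the ASA and `show interfaces GigabitEthernet1/0/1 trunk` on the 3750 verify that all three VLANs are actually forwarding on the trunk.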
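Jouni's third option, VRF-lite on the 3750 with one default route per VRF pointing at the ASA, as an added example (not Jouni's or Cisco's configuration). It assumes the 3750 runs a feature set with VRF-lite support; the SVI addresses, the transit /30 links, the VLAN numbers and the route distinguishers are illustrative. What it demonstrates is how the host gateways can stay on the switch without the asymmetric-routing problem Jouni describes: a VRF holds no route to any other VRF except its own default, so cross-VLAN traffic must go up to the ASA and come back the same way. The outside interface and NAT on the ASA are omitted here.

```cisco
! === 3750: host gateways live in separate VRFs, each with its own exit to the ASA ===
ip routing
!
ip vrf USERS
 rd 100:1
ip vrf GUEST
 rd 300:1
!
! host-facing SVIs (assumed addressing); "ip vrf forwarding" must precede the address
interface Vlan100
 ip vrf forwarding USERS
 ip address 172.30.10.254 255.255.255.0
interface Vlan300
 ip vrf forwarding GUEST
 ip address 172.30.30.254 255.255.255.0
!
! transit VLANs towards the ASA, one per VRF (assumed /30s)
interface Vlan900
 ip vrf forwarding USERS
 ip address 10.255.0.2 255.255.255.252
interface Vlan901
 ip vrf forwarding GUEST
 ip address 10.255.0.6 255.255.255.252
!
! each VRF knows only its own default route; USERS cannot reach GUEST inside the switch
ip route vrf USERS 0.0.0.0 0.0.0.0 10.255.0.1
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.255.0.5
!
interface GigabitEthernet1/0/1
 description Trunk to ASA (transit VLANs only)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 900,901
 switchport mode trunk
!
! === ASA: one subinterface per transit VLAN, plus a route back into each VRF ===
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
interface GigabitEthernet0/1.900
 vlan 900
 nameif USERS
 security-level 100
 ip address 10.255.0.1 255.255.255.252
interface GigabitEthernet0/1.901
 vlan 901
 nameif GUEST
 security-level 10
 ip address 10.255.0.5 255.255.255.252
!
route USERS 172.30.10.0 255.255.255.0 10.255.0.2
route GUEST 172.30.30.0 255.255.255.0 10.255.0.6
```

`show ip route vrf USERS` on the 3750 should list only the connected 172.30.10.0/24, the transit /30 and the static default; if a route to 172.30.30.0/24 ever appears there, a leak between the VRFs has been configured and the ASA is being bypassed. On the ASA, `packet-tracer input USERS tcp 172.30.10.50 1025 172.30.30.50 80` shows the inter-VRF path being evaluated by the firewall policy, which is the whole reason for the design.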
