12-04-2013 04:02 PM - edited 03-11-2019 08:13 PM
Hi,
We have a set of users on the Cisco 3750 switch. This needs to be connected to an ASA where the gateway resides.
I am a bit confused on the connection configuration between the ASA & 3750.
Should I just configure a port on the 3750 to VLAN 100 & physically connect it to an interface on the ASA, while the ASA interface gets the layer 3 IP address?
3750:-
interface GigabitEthernet1/0/1
 description Connection to ASA
 switchport mode access
 switchport access vlan 100
ASA:-
interface GigabitEthernet0/1
 nameif LINK1
 security-level 100
 ip address 172.30.10.1 255.255.255.0
Is the above correct? What else would I need to do if the users connected to the 3750 need access via the ASA?
Thanks in advance.
12-05-2013 12:14 AM
Hi,
Are you saying that you only have Vlan 100 on the 3750 and no other Vlans? In that case it would seem fine presuming you have the free ports on the ASA to support this setup.
In the long term it's not a good idea since you are going to run out of ASA ports pretty soon (if you do this for many Vlans on multiple switches perhaps). If you have several Vlans which L3 gateway should be on the ASA you would need to have a Trunk to the ASA to conserve ports on the ASA (unless of course some Vlan alone requires a Gigabit link to the ASA with no other Vlans on that link).
The most common problem I see here on the forums related to a setup where there might be a L3 configured 3750 on the internal network and ASA in front of it at the edge of the network is the fact that users have activated routing on the L3 switch and configured Vlan interfaces (SVIs) for their Vlans on the 3750 which are used as gateways for some of the networks and then start experiencing problems with asymmetric routing with the ASA.
I guess you can avoid such problems by setting up the network in one of these ways
There are other options naturally that mix these up with each other but I would say that the above are the most common ones that I have seen.
But to shortly answer your question again, the configuration you suggest seems to be fine (but perhaps not optimal in the long run).
Hope this helps
- Jouni
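Added example, not part of the thread: a heuristic check for the asymmetric-routing setup described in the answer above. It flags a switch that has `ip routing` enabled, an SVI in the same subnet as an ASA interface, and at least one other routed SVI. The switch configuration, the Vlan200 network and the function names are constructed for illustration; only the ASA interface is taken from the question.

```python
import ipaddress
import re

# Constructed sample configs; only the ASA interface comes from the thread.
SWITCH_CFG = """\
ip routing
interface Vlan100
 ip address 172.30.10.2 255.255.255.0
interface Vlan200
 ip address 172.30.20.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
"""
ASA_CFG = """\
interface GigabitEthernet0/1
 nameif LINK1
 security-level 100
 ip address 172.30.10.1 255.255.255.0
"""

IP_RE = re.compile(r"\s+ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

def l3_interfaces(cfg):
    """Return {interface name: IPv4Interface} for interfaces that carry an IP."""
    found, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = IP_RE.match(line)
        if m and current:
            found[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return found

def asymmetric_risk(switch_cfg, asa_cfg):
    """List (SVI, ASA interface, subnet) where both devices can route the subnet."""
    if not re.search(r"^ip routing\s*$", switch_cfg, re.M):
        return []  # pure L2 switch: inter-VLAN traffic must cross the ASA
    svis = {n: i for n, i in l3_interfaces(switch_cfg).items() if n.lower().startswith("vlan")}
    asa = l3_interfaces(asa_cfg)
    hits = []
    for svi, s_if in svis.items():
        others = [n for n in svis if n != svi]  # other VLANs the switch routes
        for a_name, a_if in asa.items():
            if s_if.network == a_if.network and others:
                hits.append((svi, a_name, str(s_if.network)))
    return hits
```

A hit means return traffic from a switch-routed VLAN can reach hosts in the shared subnet directly through the SVI, so the ASA sees only one direction of the flow.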