10-12-2015 05:54 PM - edited 03-11-2019 11:44 PM
Hi everyone,
I have two ASA 5585X firewalls deployed in transparent mode and two Catalyst 6500 VSS (core switches). I want to redirect traffic from the core switches to the ASAs. How can I do this? I have many VLANs on the core switches. Thank you.
Solved!
10-13-2015 09:12 PM
Hi Tran,
You need to create multiple virtual interfaces (subinterfaces) for the inside/outside VLANs.
Don't make both ports a single trunk. You should use dedicated ports for incoming and outgoing traffic. Below is an example of how you can permit multiple VLANs using 2 ports. Attaching the design for your reference:
Config Example:
Inside interfaces for all required VLANs (10,20,30...)
Note: These VLANs (10,20,30...) should be configured as L2 inside VLANs for host connectivity.
interface TenGigabitEthernet0/0
 no nameif
 no security-level
!
interface TenGigabitEthernet0/0.10
 vlan 10
 nameif inside1
 bridge-group 1
 security-level xx
!
interface TenGigabitEthernet0/0.20
 vlan 20
 nameif inside2
 bridge-group 2
 security-level xx
!
interface TenGigabitEthernet0/0.30
 vlan 30
 nameif inside3
 bridge-group 3
 security-level xx
Outside interfaces for all required VLANs (100,200,300...)
Note: These outside VLANs (100,200,300...) will be configured with L3 SVIs on the core switch.
interface TenGigabitEthernet0/1
 no nameif
 no security-level
!
interface TenGigabitEthernet0/1.100
 vlan 100
 nameif outside1
 bridge-group 1
 security-level xx
!
interface TenGigabitEthernet0/1.200
 vlan 200
 nameif outside2
 bridge-group 2
 security-level xx
!
interface TenGigabitEthernet0/1.300
 vlan 300
 nameif outside3
 bridge-group 3
 security-level xx
BVI interface config for all the allowed VLANs (100,200,300)
interface BVI1
 ip address 192.168.10.9 255.255.255.0 standby 192.168.10.10
!
interface BVI2
 ip address 192.168.20.9 255.255.255.0 standby 192.168.20.10
!
interface BVI3
 ip address 192.168.30.9 255.255.255.0 standby 192.168.30.10
Thanks
Rajneesh
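Added example, not part of the thread or of Rajneesh's post: the matching core-switch side of the design above, written as Catalyst 6500 VSS (IOS) configuration. The VLAN numbers and the BVI subnets are taken from the ASA example; the port names (Te1/5/1, Te1/5/2), the VLAN names and the gateway addresses (192.168.x.1) are assumptions. The ports towards the second ASA of the failover pair get the same two trunk configurations.

```cisco
! Hypothetical Catalyst 6500 VSS configuration, added as an example.
! Port names, VLAN names and gateway addresses are assumed; the VLAN
! numbers and subnets follow the ASA example above.
!
! Inside VLANs: pure Layer 2 on the core. Deliberately no SVI here,
! otherwise the core would route around the firewall instead of through it.
vlan 10
 name INSIDE-10
vlan 20
 name INSIDE-20
vlan 30
 name INSIDE-30
!
! Outside VLANs: the routed side. Each SVI is the default gateway for the
! corresponding inside VLAN. A host in VLAN 10 can only reach 192.168.10.1
! by being bridged through ASA bridge-group 1 (VLAN 10 <-> VLAN 100), so
! every inter-VLAN flow crosses the firewall before the core routes it.
vlan 100
 name OUTSIDE-100
vlan 200
 name OUTSIDE-200
vlan 300
 name OUTSIDE-300
!
interface Vlan100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface Vlan200
 ip address 192.168.20.1 255.255.255.0
 no shutdown
interface Vlan300
 ip address 192.168.30.1 255.255.255.0
 no shutdown
!
! Trunk towards ASA TenGigabitEthernet0/0 (inside side). Only the inside
! VLANs are allowed, so no routed VLAN can bypass the firewall on this link.
! Frames must arrive tagged for the ASA subinterfaces to match, so none of
! these VLANs may be the native VLAN of the trunk.
interface TenGigabitEthernet1/5/1
 description ASA-A Te0/0 (inside VLANs 10,20,30)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
! Trunk towards ASA TenGigabitEthernet0/1 (outside side): only the
! routed VLANs, which pair one-to-one with the inside VLANs above.
interface TenGigabitEthernet1/5/2
 description ASA-A Te0/1 (outside VLANs 100,200,300)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200,300
 switchport mode trunk
 switchport nonegotiate
!
! Example host port: the host sits in the L2-only inside VLAN and uses the
! SVI on the outside VLAN (192.168.10.1) as its gateway.
interface GigabitEthernet1/1/1
 description Host in VLAN 10
 switchport
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
```

With this in place, `show interfaces trunk` on the core should list exactly the inside VLANs on the first trunk and the outside VLANs on the second, and `show bridge-group` on the ASA should show each bridge group with one inside and one outside member; a ping from a VLAN 10 host to a VLAN 20 host then traverses bridge-group 1, is routed between the Vlan100 and Vlan200 SVIs on the core, and returns through bridge-group 2, which is also the routing step behind the later question in this thread about pinging between VLANs.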
10-13-2015 01:23 AM
Do you know how to do DNS NAT on the ASA?
10-13-2015 11:50 AM
Hi Tran,
In transparent mode of the firewall, you need to create bridge groups for the VLANs on both (in/out) sides of the firewall.
Example configuration on the inside/outside interfaces:
interface TenGigabitEthernet0/6
 vlan 20
 nameif inside
 bridge-group 1
 security-level 100
!
interface TenGigabitEthernet0/7
 vlan 30
 nameif outside
 bridge-group 1
 security-level 0
Now please configure the "BVI" interface with one IP from the same IP subnet for which you want to pass traffic through the firewall:
interface BVI1
 ip address 192.168.10.9 255.255.255.0 standby 192.168.10.10
 ! (any free IP can be assigned from the subnet)
Now, please allow the interested traffic on the outside interface via an access-list. This will redirect traffic through the transparent firewall.
10-13-2015 12:33 PM
Thank you for your answer.
Let me show you a picture that describes my problem. I have core switches with many VLANs (10, 20, 30 for example) and I have just purchased 2 ASA 5585X with 2 10Gb ports. I will connect them to the core switches using trunk links. I want to know how to redirect traffic to the ASA with 2 ports and many VLANs. With the solution you suggest I would need many ports :)
10-14-2015 07:45 AM
Thank you Rajneesh!
10-19-2015 12:06 PM
Hi Tran Van,
I have the same configuration, but I can't ping between different VLANs; I can only ping within the same network or the same VLAN.
Regards,
10-20-2015 01:09 AM
Hi jrgonzalezz,
Please check your core switches, because they perform the routing ;)
10-13-2015 09:27 PM
When you say "redirect", what do you mean? Do you want to use the ASA as your client gateway? What role do you want the ASAs to perform? Do you want specific access policies for each VLAN? Please explain.