12-03-2009 11:15 AM - edited 03-11-2019 09:45 AM
Hi all,
I will be setting up a LAN (PCs and laptops) at a customer's site. The customer offered to provide me with connections on their core switch on a separate VLAN. I will set up a Cisco ASA5505 on the edge connected to the router. So, here is the topology:
PC to Customer's Core Switch (VLAN125)
ASA int E0/1 VLAN1 to Customer's Core Switch (VLAN125)
I would like to know if this configuration would work. Also, can I ping from the PC to the global int (E0/0 VLAN2) and LAN int of the router which has a public IP address?
Thanks,
sK
12-03-2009 01:03 PM
Sadik,
The topology isn't clear. Please clarify.
Which is E0/0 vlan2?
PC--vlan125--switch---vlan1--ASA-vlan2--Router--internet
You are asking if you can ping from the PC to the ASA's vlan2 interface? If so the answer is NO.
But you can ping from the PC to the Router's vlan2 interface.
The reason is you can only ping the closest interface to your client. You cannot ping the far side interface of the firewall.
-KS
12-03-2009 01:45 PM
Sorry if I wasn't clear.
Here is the clarification:
PC plugged into VLAN125 of customer's Switch
Inside Interface E0/1 (VLAN1) on the ASA plugged into the VLAN125 of customer's switch
Global Interface E0/0(VLAN2) on the ASA plugged into the router (FA0/0)
Router S0/0 connects to Internet
So, the question is if I ping the ASA Inside interface from the PC, would this work? And also, let's say PC IP is 172.16.2.100 and Inside ASA int E0/1 VLAN1 IP is 172.16.2.1.
Thanks in advance,
sK
12-03-2009 02:39 PM
As long as the switch can route between vlan125 and vlan1 you should be able to ping from the PC to vlan 1 (inside).
The ASA will not let you ping vlan2 though from the pc.
I hope it helps.
PK
12-03-2009 03:15 PM
Thanks for the reply.
I am not sure if the customer would enable that; however, as a solution, should I create a matching VLAN, VLAN125, on the inside ASA interface so routing wouldn't be required?
Thanks in advance,
sK
12-03-2009 03:24 PM
sadik.bash wrote:
Sorry if I wasn't clear.
Here is the clarification:
PC plugged into VLAN125 of customer's Switch
Inside Interface E0/1 (VLAN1) on the ASA plugged into the VLAN125 of customer's switch
Global Interface E0/0(VLAN2) on the ASA plugged into the router (FA0/0)
Router S0/0 connects to Internet
So, the question is if I ping the ASA Inside interface from the PC, would this work? And also, let's say PC IP is 172.16.2.100 and Inside ASA int E0/1 VLAN1 IP is 172.16.2.1.
Thanks in advance,
sK
sK
It's not clear what you mean when you say "Inside interface E0/1 (VLAN1) on ASA plugged into vlan 125 of customer switch"
If the interface is connected to a port on the switch that is configured to be in vlan 125 then the ASA interface is not in vlan 1 at all but vlan 125.
So as long as the PC and the ASA connect to ports configured as vlan 125 and the PC and ASA have an IP address from the same subnet then you will not need routing.
Jon
12-03-2009 03:43 PM
Thanks to all for your assistance.
SK