
ASA with a Cisco C2960-L with multiple vlans and Internet access

kreminator
Level 1


I got an ASA 5506-X running sw version 9.8 and a security plus license. It has a routed public subnet and a Cisco C2960-L switch connected to it. The switch is L2 only, running IOS LAN Lite. The main purpose here is to have a few vlans on the switch trunked to the ASA for Internet access. NOTE: I want to avoid any kind of inter-vlan routing, keeping the vlans separate. The ASA will provide DHCP for each of the vlans and my intention is to use 1-2 public IPs for each vlan with NAT (a public pool of IPs for each vlan). Deny any incoming traffic on the outside interface, which is the default.


Say I got 3 vlans, each in its own /24 private space like: vlan 10: 10.10.0.0, vlan 20: 10.20.0.0 and vlan 30: 10.30.0.0. I want to set aside some ports for each of those on the switch and run a trunk link to the ASA. As mentioned, I want to avoid any kind of Inter-VLAN routing. This possibly has to be explicitly denied somewhere, not sure if it is better to use some ACLs on the switch or rather deny it on the ASA.


Another issue is the native vlan on both the ASA and the switch. I think a trunk must have a native vlan specified. I may leave it unused, or maybe just use it for management. However, both the ASA and the switch should be accessible for management from certain vlans. Maybe this requires some inter-vlan anyway.


Currently I have done it very simple, and I do not plan or want to use BVIs on the ASA. One interface for outside and one for inside. Only used the CLI on the ASA for configuration and right now it NATs to a single public IP and the switch is unconfigured. I think you can do NAT in several ways on the ASA, both manual or twice NAT. Not entirely sure what may be a clean and good way for vlans. Just a small excerpt from the config:


!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.40.0.1 255.255.255.0
!
object network obj_any_net
subnet 0.0.0.0 0.0.0.0
object network obj_any_net
nat (inside,outside) dynamic interface
!
dhcpd dns 1.1.1.1
dhcpd address 10.40.0.5-10.40.0.254 inside
dhcpd enable inside
!


If someone has a configuration example for the ASA with vlans, and possibly the switch too that could point me in the right direction, it would be great.

1 Accepted Solution

Accepted Solutions

Rahul Govindan
VIP Alumni

You would sub-interface the trunk interface on the ASA  as below:


interface GigabitEthernet1/2
no nameif
no security-level
no ip address
no shut

interface GigabitEthernet1/2.10
vlan 10
nameif inside-10
security-level 100
ip address 10.40.10.1 255.255.255.0

interface GigabitEthernet1/2.20
vlan 20
nameif inside-20
security-level 100
ip address 10.40.20.1 255.255.255.0

interface GigabitEthernet1/2.30
vlan 30
nameif inside-30
security-level 100
ip address 10.40.30.1 255.255.255.0

Each interface would have its own name, so you can reference that in your NAT and Access rules.


On the switch, it would be a trunk interface to the ASA's G0/2


interface G0/0/1
description to ASA
switchport mode trunk
switchport trunk allowed vlan 10,20,30
no shut
! the 2960-L supports only 802.1Q trunking, so no "switchport trunk encapsulation" command is needed

vlan 10
vlan 20
vlan 30


 HTH

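A fuller ASA 9.8 configuration built on this answer, added here as an example and not the poster's own config; it assumes the 10.10.0.0/24 and 10.20.0.0/24 subnets from the question, VLAN 20 as the management VLAN, and 203.0.113.10-11 as a placeholder public pool. It also covers the follow-up questions in the thread: traffic between same-security subinterfaces is dropped by default unless same-security-traffic permit inter-interface is configured, and managing the ASA from one VLAN is to-the-box traffic that needs no inter-VLAN routing.

```cisco
! Physical trunk to the switch: no nameif or IP here, the tagged subinterfaces carry the VLANs
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VLAN; "vlan <id>" binds the 802.1Q tag (repeat for VLAN 30)
interface GigabitEthernet1/2.10
 vlan 10
 nameif inside-10
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet1/2.20
 vlan 20
 nameif inside-20
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
! Traffic between these same-security interfaces is dropped as long as the line
! "same-security-traffic permit inter-interface" is absent. As belt and braces,
! an inbound ACL per VLAN also drops anything destined for private address space.
object-group network rfc1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list vlan10-in extended deny ip 10.10.0.0 255.255.255.0 object-group rfc1918
access-list vlan10-in extended permit ip 10.10.0.0 255.255.255.0 any
access-group vlan10-in in interface inside-10
!
! Per-VLAN auto NAT: VLAN 10 is PATed behind its own two public IPs
! (203.0.113.10-11 is a placeholder from the documentation range)
object network pool-vlan10
 range 203.0.113.10 203.0.113.11
object network net-vlan10
 subnet 10.10.0.0 255.255.255.0
 nat (inside-10,outside) dynamic pat-pool pool-vlan10
!
! A DHCP scope per VLAN, served on that subinterface only
dhcpd dns 1.1.1.1
dhcpd address 10.10.0.5-10.10.0.254 inside-10
dhcpd enable inside-10
dhcpd address 10.20.0.5-10.20.0.254 inside-20
dhcpd enable inside-20
! ASA management only from VLAN 20: to-the-box traffic, no inter-VLAN routing involved
ssh 10.20.0.0 255.255.255.0 inside-20
http server enable
http 10.20.0.0 255.255.255.0 inside-20
```

The ACL and NAT blocks are repeated per VLAN with that VLAN's subnet, pool and nameif; interface ACLs do not filter to-the-box traffic such as DHCP or SSH to the ASA itself.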

2 Replies


Thanks, this is a start in the right direction. I believe using auto NAT will be sufficient in my case, manual NAT is for more advanced cases, from what I have read. I will create some network objects for the DHCP pool, and I think this should work nicely.

 

I know that the native vlan (in this case vlan 1) will be sent untagged through the trunk, so if I want to use it on the ASA, then Ga1/2 must be configured directly with an IP address. But maybe it is better (or possibly better practice) to leave vlan 1 unconfigured on both sides, and rather make use of a separate vlan for management and then configure it as a subinterface on the ASA for management?

 

Do I need to do anything special to disallow inter-vlan routing on the ASA? What would be the right way to allow management from a specific vlan? The switch itself will have all ports configured in vlans and is only L2 capable anyway. I guess setting up ACLs on the switch probably does not mean much. Just looking for a clean and simple setup that works well first, then I may add more advanced features later.
