08-21-2012 03:06 PM - edited 03-11-2019 04:44 PM
ASA's G0/2 interface is connected to G0/1 interface of a 3560G switch in DMZ, below is the config and diagram
ASA config
interface GigabitEthernet0/2
description DMZ
nameif dmz
security-level 90
ip address 192.168.0.1 255.255.255.0
Switch Config
int g0/1
switchport mode trunk
switchport trunk encapsulation dot1q
int vlan 1
ip add 192.168.0.100 255.255.255.0
We are running out of IPs in 192.168.0.X network and planning on creating subinterfaces on the ASA and trunk it to the switch so that we can have multiple VLANs in DMZ. Tried the below config in LAB but that didn't work, can you have a look at it and let me know if I miss anything.
No change on the switch config since G0/1 is already a trunk port.
ASA Config
interface GigabitEthernet0/2
description Trunk to DMZ networks
no nameif dmz
no security-level 90
no ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet0/2.1
description DMZ
vlan 1
nameif dmz
security-level 90
ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet0/2.100
description NEW-DMZ
vlan 100
nameif NEW-dmz
security-level 90
ip address 192.168.100.1 255.255.252.0
If I change the VLAN on the switch from 1 to a different VLAN, say VLAN 50 for example, and configure the ASA accordingly, it's working fine.
Siddhartha
08-21-2012 04:36 PM
Hello Sidd,
So if you do "sh run interface" you do not see any configuration on the physical interface of the ASA, only on its interfaces.
Please let me know that,
Regards,
Julio
08-22-2012 08:20 AM
Hi Julio,
Thanks for the reply. Yes, you are right, no config on the physical interface, only on the sub-interfaces. Below are the sh runs from the firewall and the switch.
ASA
interface GigabitEthernet0/2
description Trunk to DMZ networks
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
description DMZ
vlan 1
nameif dmz
security-level 90
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2.100
description NEW-DMZ
vlan 100
nameif NEW-dmz
security-level 90
ip address 192.168.100.1 255.255.252.0
Switch
!
interface G0/1
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
end
DMZ-A#sh run int vlan 1
Building configuration...
Current configuration : 63 bytes
!
interface Vlan1
ip address 192.168.0.100 255.255.255.0
end
DMZ-A#sh run int vlan 100
Building configuration...
Current configuration : 67 bytes
!
interface Vlan100
ip address 192.168.100.100 255.255.252.0
end
Only VLAN 1 is not working; VLAN 100 is working fine. I configured VLAN 100 on the switch and was able to ping the VLAN 100 IP (192.168.100.100) from the ASA, but I can't ping the VLAN 1 IP.
ASA/# ping 192.168.100.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
ASA# ping 192.168.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.100, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Siddhartha
08-22-2012 09:48 AM
Hello Sidd,
Can you change the native vlan on the trunk as 1 is the default
interface G0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
no spanning-tree portfast (I do not recommend this command at all unless you are connecting it to a server, and even then I still would not use it)
Regards,
Julio
08-22-2012 10:04 AM
Thanks Julio. It's working, I missed that part.
Siddhartha
08-22-2012 10:34 AM
Hello Sid,
Sure my pleasure.
If you want to allow traffic from the native VLAN, you will need to have a nameif on the physical interface.
Glad I could help.
Regards,
Julio
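The root cause in this thread is a tagging mismatch: on a dot1q trunk the switch sends the native VLAN (VLAN 1 by default) untagged, while an ASA sub-interface with `vlan 1` only accepts frames carrying an 802.1Q tag of 1, so VLAN 1 traffic never reaches the `dmz` sub-interface, and the ASA physical interface with no nameif silently drops the untagged frames. Leaving the native VLAN at the default 1 on a trunk is also the classic precondition for 802.1Q double-tagging, so moving it to an unused VLAN is worth checking for on every firewall-facing trunk, not only when a ping fails. The following Python checker is an added example written for this page, not code from the thread or from Cisco: it parses the switch and ASA configs posted above (embedded as constructed sample inputs, with the switch port name expanded from `G0/1` to `GigabitEthernet0/1`) and reports the native-VLAN/sub-interface mismatch, the default native VLAN, portfast on a trunk, and the case Julio raises last, where a nameif on the physical interface makes untagged native-VLAN frames terminate there. The finding codes and the `SWITCH_CONFIG_FIXED` text are my own assumptions.

```python
import re

# Constructed sample input: the switch trunk config posted in the thread,
# with "G0/1" expanded to the full interface name.
SWITCH_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
end
"""

# Constructed sample input: the same trunk after the accepted fix
# (native VLAN moved to an unused VLAN, portfast removed).
SWITCH_CONFIG_FIXED = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
end
"""

# Constructed sample input: the ASA "sh run" posted in the thread.
ASA_CONFIG = """\
interface GigabitEthernet0/2
 description Trunk to DMZ networks
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.1
 description DMZ
 vlan 1
 nameif dmz
 security-level 90
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2.100
 description NEW-DMZ
 vlan 100
 nameif NEW-dmz
 security-level 90
 ip address 192.168.100.1 255.255.252.0
"""


def parse_interfaces(config):
    """Map interface name -> list of its config lines (IOS/ASA style; '!' or 'end' closes a block)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("!", "end"):
            current = None
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line and current is not None:
            interfaces[current].append(line)
    return interfaces


def trunk_native_vlan(lines):
    """Native VLAN of a dot1q trunk; IOS uses VLAN 1 when none is configured."""
    for line in lines:
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            return int(m.group(1))
    return 1


def asa_subinterface_vlans(interfaces, physical):
    """Map 802.1Q VLAN id -> ASA sub-interface name for the sub-interfaces of `physical`."""
    vlans = {}
    for name, lines in interfaces.items():
        if name.startswith(physical + "."):
            for line in lines:
                m = re.match(r"vlan (\d+)$", line)
                if m:
                    vlans[int(m.group(1))] = name
    return vlans


def check_trunk(switch_cfg, switch_port, asa_cfg, asa_port):
    """Return [(code, message)] for mismatches between a switch trunk and the ASA
    sub-interfaces behind it; an empty list means the trunk looks consistent.
    Finding codes are this example's own naming, not a vendor convention."""
    sw_lines = parse_interfaces(switch_cfg).get(switch_port, [])
    asa = parse_interfaces(asa_cfg)
    if "switchport mode trunk" not in sw_lines:
        return [("NOT_A_TRUNK", f"{switch_port} is not configured as a trunk")]
    native = trunk_native_vlan(sw_lines)
    subifs = asa_subinterface_vlans(asa, asa_port)
    phys_named = any(l.startswith("nameif ") for l in asa.get(asa_port, []))
    findings = []
    if native in subifs:
        # Native VLAN frames leave the switch untagged; a sub-interface only sees tagged frames.
        findings.append(("NATIVE_VLAN_MATCHES_SUBIF",
                         f"{switch_port} sends VLAN {native} untagged (native), but "
                         f"{subifs[native]} only accepts frames tagged {native}; "
                         f"move the native VLAN to an unused VLAN"))
    if native == 1:
        findings.append(("NATIVE_VLAN_DEFAULT",
                         f"native VLAN on {switch_port} is the default (1); use an unused VLAN"))
    if any(l.startswith("spanning-tree portfast") for l in sw_lines):
        findings.append(("PORTFAST_ON_TRUNK",
                         f"spanning-tree portfast is set on trunk {switch_port}; remove it"))
    if phys_named and native not in subifs:
        # Untagged frames are accepted by the physical interface's nameif (Julio's last point).
        findings.append(("UNTAGGED_TERMINATES_ON_PHYSICAL",
                         f"untagged native VLAN {native} traffic is processed by {asa_port} itself"))
    return findings


if __name__ == "__main__":
    for code, msg in check_trunk(SWITCH_CONFIG, "GigabitEthernet0/1", ASA_CONFIG, "GigabitEthernet0/2"):
        print(f"{code}: {msg}")
```

Run against the configs from the thread, the first two findings explain the failed ping to 192.168.0.100 and the successful one to 192.168.100.100 (VLAN 100 is tagged, VLAN 1 is not); the third is Julio's portfast remark. With the native VLAN moved to 99 and portfast removed, the checker returns nothing, which matches the "It's working" reply. The check is deliberately silent about untagged frames being dropped by an ASA physical interface that has no nameif, because on a firewall-facing trunk that is the state you want.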