ASA5585X-Trunk-Transparent

Dear all,

Please help me out.

I want to implement a simple transparent scenario on a Cisco ASA, but I just can't figure out my problem.

Here is the scenario:

As you can see in the diagrams, I've connected my ASA to a C3750 with a trunk link, then I connected ServerA to the C3750 with an access port in VLAN 15.

Interface Vlan10 is defined on the C3750 as ServerA's GW. The ASA is configured in multiple mode and is transparent. The ASA should make a bridge connection between VLAN 10 and VLAN 15.

I've done this scenario with GNS3 (ASA 8.4.2), but when I use the same configuration on my ASA5585X (tried with ASA 8.4.4 and ASA 9.1) the server cannot reach its GW (SVI on the C3750).

I've tried it with 2 different ASAs and 2 different C3750s with no luck.

So what am I missing in this configuration?

[URL=http://picturepush.com/public/12218884][IMG]http://www1.picturepush.com/photo/a/12218884/img/12218884.jpg[/IMG][/URL]

[URL=http://picturepush.com/public/12218928][IMG]http://www5.picturepush.com/photo/a/12218928/img/12218928.jpg[/IMG][/URL]

ASA:

ASA-2/VFDB(config)# show run
: Saved
:
ASA Version 9.1(1) <context>
!
firewall transparent
hostname VFDB
enable password **************encrypted
passwd *****************encrypted
names
!
interface BVI1
 ip address 172.16.10.100 255.255.255.0
!
interface BVI2
 ip address 172.16.20.100 255.255.255.0
!
interface Port-channel1.10
 nameif CBOUT
 bridge-group 1
 security-level 90
!
interface Port-channel1.15
 nameif CBIN
 bridge-group 1
 security-level 100
!
interface Port-channel1.20
 nameif OBOUT
 bridge-group 2
 security-level 90
!
interface Port-channel1.25
 nameif OBIN
 bridge-group 2
 security-level 100
!
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu CBOUT 1500
mtu CBIN 1500
mtu OBOUT 1500
mtu OBIN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
Cryptochecksum:5e98464255a04948707b5f1f51200234
: end

ASA-2/VFDB(config)# show int ip brie
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       172.16.10.100   YES CONFIG up                    up
BVI2                       172.16.20.100   YES CONFIG up                    up
Port-channel1.10           172.16.10.100   YES unset  up                    up
Port-channel1.15           172.16.10.100   YES unset  up                    up
Port-channel1.20           172.16.20.100   YES unset  up                    up
Port-channel1.25           172.16.20.100   YES unset  up                    up

ASA-2/VFDB(config)# chang sys

ASA-2(config)# show run
: Saved
:
ASA Version 9.1(1) <system>
!
hostname ASA-2
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0/0
 description LAN/STATE Failover Interface
!
interface GigabitEthernet0/1
 description VFIN
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 channel-group 1 mode on
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 shutdown
!
interface Management0/0
!
interface Management0/1
 shutdown
!
interface TenGigabitEthernet0/6
 shutdown
!
interface TenGigabitEthernet0/7
 shutdown
!
interface TenGigabitEthernet0/8
 shutdown
!
interface TenGigabitEthernet0/9
 shutdown
!
interface GigabitEthernet1/0
 shutdown
!
interface GigabitEthernet1/1
 shutdown
!
interface GigabitEthernet1/2
 shutdown
!
interface GigabitEthernet1/3
 shutdown
!
interface GigabitEthernet1/4
 shutdown
!
interface GigabitEthernet1/5
 shutdown
!
interface TenGigabitEthernet1/6
 shutdown
!
interface TenGigabitEthernet1/7
 shutdown
!
interface TenGigabitEthernet1/8
 shutdown
!
interface TenGigabitEthernet1/9
 shutdown
!
interface Port-channel1
!
interface Port-channel1.10
 vlan 10
!
interface Port-channel1.15
 vlan 15
!
interface Port-channel1.20
 vlan 20
!
interface Port-channel1.25
 vlan 25
!
class default
  limit-resource Mac-addresses 65535
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
pager lines 24
no failover
asdm image disk0:/asdm-711-52_4.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0
!
tls-proxy maximum-session 1000
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context VFDB
  allocate-interface Port-channel1.10
  allocate-interface Port-channel1.15
  allocate-interface Port-channel1.20
  allocate-interface Port-channel1.25
  config-url disk0:/VFDB.cfg
!
context VFAPP
  config-url disk0:/VFAPP.cfg
!
context VFMNG
  config-url disk0:/VFMNG.cfg
!
username admin password ************* encrypted privilege 15
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:********************
: end

ASA-2(config)# show int ip brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         172.16.10.2     YES unset  down                  down
GigabitEthernet0/1         unassigned      YES unset  up                    up
GigabitEthernet0/2         unassigned      YES unset  up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Internal-Data0/2           unassigned      YES unset  up                    up
Internal-Data0/3           unassigned      YES unset  up                    up
Internal-Data0/4           unassigned      YES unset  up                    up
Internal-Data0/5           unassigned      YES unset  up                    up
Internal-Data0/6           unassigned      YES unset  up                    up
Internal-Data0/7           unassigned      YES unset  up                    up
Internal-Data0/8           unassigned      YES unset  up                    up
Internal-Data0/9           unassigned      YES unset  up                    up
Internal-Data0/10          unassigned      YES unset  up                    up
Internal-Data0/11          unassigned      YES unset  up                    up
Internal-Data0/12          unassigned      YES unset  up                    up
Internal-Data0/13          unassigned      YES unset  up                    up
Management0/0              unassigned      YES unset  up                    up
Management0/1              unassigned      YES unset  administratively down down
TenGigabitEthernet0/6      unassigned      YES unset  administratively down down
TenGigabitEthernet0/7      unassigned      YES unset  administratively down down
TenGigabitEthernet0/8      unassigned      YES unset  administratively down down
TenGigabitEthernet0/9      unassigned      YES unset  administratively down down
GigabitEthernet1/0         unassigned      YES unset  administratively down down
GigabitEthernet1/1         unassigned      YES unset  administratively down down
GigabitEthernet1/2         unassigned      YES unset  administratively down down
GigabitEthernet1/3         unassigned      YES unset  administratively down down
GigabitEthernet1/4         unassigned      YES unset  administratively down down
GigabitEthernet1/5         unassigned      YES unset  administratively down down
Internal-Data1/0           unassigned      YES unset  up                    up
Internal-Data1/1           unassigned      YES unset  up                    up
Internal-Data1/2           unassigned      YES unset  up                    up
Internal-Data1/4           unassigned      YES unset  up                    up
Internal-Data1/5           unassigned      YES unset  up                    up
Internal-Data1/6           unassigned      YES unset  up                    up
Internal-Data1/7           unassigned      YES unset  up                    up
Internal-Data1/8           unassigned      YES unset  up                    up
Internal-Data1/9           unassigned      YES unset  up                    up
TenGigabitEthernet1/6      unassigned      YES unset  administratively down down
TenGigabitEthernet1/7      unassigned      YES unset  administratively down down
TenGigabitEthernet1/8      unassigned      YES unset  administratively down down
TenGigabitEthernet1/9      unassigned      YES unset  administratively down down
Port-channel1              unassigned      YES unset  up                    up
Port-channel1.10           unassigned      YES unset  up                    up
Port-channel1.15           unassigned      YES unset  up                    up
Port-channel1.20           unassigned      YES unset  up                    up
Port-channel1.25           unassigned      YES unset  up                    up

C3750:

Switch#show run
Building configuration...

Current configuration : 2230 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$ioPo$3hlJHuDvu9RxwQl.1/Zkg1
!
username admin secret 5 $1$hQ60$nsKnsH9C9PJF8Hvc5CcN71
switch 1 provision ws-c3750-24ts
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
 switchport access vlan 15
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
 switchport access vlan 15
 spanning-tree portfast
!
interface FastEthernet1/0/24
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan15
 ip address 10.10.10.100 255.255.255.0
!
interface Vlan20
 ip address 172.16.20.1 255.255.255.0
!
interface Vlan30
 ip address 172.16.30.1 255.255.255.0
!
interface Vlan40
 ip address 172.16.40.1 255.255.255.0
!
interface Vlan50
 ip address 172.16.50.1 255.255.255.0
!
interface Vlan60
 ip address 172.16.60.1 255.255.255.0
!
interface Vlan70
 ip address 172.16.70.1 255.255.255.0
!
ip classless
ip http server
!
!
!
control-plane
!
!
line con 0
line vty 0 4
 password cisco
 login local
line vty 5 15
 no login
!
end

Switch#show int statu
Port      Name               Status       Vlan       Duplex  Speed Type
Fa1/0/1                      connected    1          a-full  a-100 10/100BaseTX
Fa1/0/2                      notconnect   1            auto   auto 10/100BaseTX
Fa1/0/3                      notconnect   1            auto   auto 10/100BaseTX
Fa1/0/4                      notconnect   1            auto   auto 10/100BaseTX
Fa1/0/5                      notconnect   1            auto   auto 10/100BaseTX
Fa1/0/6                      notconnect   1            auto   auto 10/100BaseTX
Fa1/0/7                      notconnect   1            auto   auto 10/100BaseTX
Fa1/0/8                      notconnect   1            auto   auto 10/100BaseTX
Fa1/0/9                      notconnect   1            auto   auto 10/100BaseTX
Fa1/0/10                     connected    trunk      a-full  a-100 10/100BaseTX
Fa1/0/11                     connected    trunk      a-full  a-100 10/100BaseTX
Fa1/0/12                     notconnect   1            auto   auto 10/100BaseTX
Fa1/0/13                     notconnect   1            auto   auto 10/100BaseTX
Fa1/0/14                     notconnect   1            auto   auto 10/100BaseTX
Fa1/0/15                     notconnect   1            auto   auto 10/100BaseTX
Fa1/0/16                     notconnect   1            auto   auto 10/100BaseTX
Fa1/0/17                     notconnect   1            auto   auto 10/100BaseTX
Fa1/0/18                     notconnect   1            auto   auto 10/100BaseTX
Fa1/0/19                     notconnect   1            auto   auto 10/100BaseTX
Fa1/0/20                     notconnect   1            auto   auto 10/100BaseTX
Fa1/0/21                     connected    15         a-full  a-100 10/100BaseTX
Fa1/0/22                     notconnect   1            auto   auto 10/100BaseTX
Fa1/0/23                     connected    15         a-full  a-100 10/100BaseTX
Fa1/0/24                     notconnect   1            auto   auto 10/100BaseTX
Gi1/0/1                      notconnect   1            auto   auto Not Present
Gi1/0/2                      notconnect   1            auto   auto Not Present
Po1                          connected    trunk      a-full  a-100

Switch#show int trun
Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      1

Port      Vlans allowed on trunk
Po1         1-4094

Port        Vlans allowed and active in management domain
Po1         1,10,15,20,30,40,50,60

Port        Vlans in spanning tree forwarding state and not pruned
Po1         1,10,15,20,30,40,50,60
Switch#
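An added consistency check over the three configurations quoted in this post (editor's example, not code from the thread or from Cisco). It parses trimmed copies of the context, system and switch configs, maps each bridge-group member to its 802.1q VLAN, and reports bridged VLANs that are not active on the trunk and switch SVIs that sit on a bridged VLAN but in a different subnet from that bridge group's BVI. The inputs are constructed inline from the post; the findings are things to investigate, not a diagnosis.

```python
import ipaddress

# Constructed inputs, trimmed from the three configs quoted in the post.
CONTEXT_CFG = """interface BVI1
 ip address 172.16.10.100 255.255.255.0
interface Port-channel1.10
 bridge-group 1
interface Port-channel1.15
 bridge-group 1"""
SYSTEM_CFG = """interface Port-channel1.10
 vlan 10
interface Port-channel1.15
 vlan 15"""
SWITCH_CFG = """interface Vlan10
 ip address 172.16.10.1 255.255.255.0
interface Vlan15
 ip address 10.10.10.100 255.255.255.0"""
TRUNK_ACTIVE_VLANS = {1, 10, 15, 20, 30, 40, 50, 60}  # 'show int trunk' on the 3750

def parse_blocks(cfg):
    """Map each 'interface X' stanza to its indented sub-commands."""
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            blocks[cur] = []
        elif cur is not None and line.startswith(" "):
            blocks[cur].append(line.strip())
    return blocks

def subnet_of(lines):  # subnet of the stanza's 'ip address A M' line, or None
    ips = [l.split()[2:4] for l in lines if l.startswith("ip address ")]
    return ipaddress.ip_network("/".join(ips[0]), strict=False) if ips else None

def audit_bridge_groups(ctx_cfg, sys_cfg, sw_cfg, trunk_vlans):
    """Return findings: bridged VLANs missing from the trunk, and switch SVIs
    that sit on a bridged VLAN but outside that bridge group's BVI subnet."""
    ctx, sysb, sw = parse_blocks(ctx_cfg), parse_blocks(sys_cfg), parse_blocks(sw_cfg)
    bvi = {int(n[3:]): subnet_of(ls) for n, ls in ctx.items() if n.startswith("BVI")}
    findings = []
    for name, lines in sorted(ctx.items()):
        for bg in (int(l.split()[1]) for l in lines if l.startswith("bridge-group ")):
            # the 802.1q tag is set on the subinterface in the system context, not here
            vlan = next(int(l.split()[1]) for l in sysb[name] if l.startswith("vlan "))
            if vlan not in trunk_vlans:
                findings.append(f"bridge-group {bg}: VLAN {vlan} ({name}) is not active on the trunk")
            svi = subnet_of(sw.get(f"Vlan{vlan}", []))
            if svi is not None and bvi.get(bg) is not None and svi != bvi[bg]:
                findings.append(f"bridge-group {bg}: SVI Vlan{vlan} is in {svi}, BVI{bg} is in {bvi[bg]}")
    return findings
```

Run against the post's configs it reports only that Vlan15 on the switch (10.10.10.100/24) is in a different subnet from BVI1 (172.16.10.0/24); the same check with a narrower trunk allow-list also flags the missing VLAN.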

Julio Carvajal
VIP Alumni

Can you create a more realistic diagram specifying on which port the ASA connects to where on the switch, and backwards?

I will be more than glad to help, but in order to give a better response we must be more specific.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC