11-07-2006 10:29 AM - edited 02-21-2020 01:17 AM
Can ASA 5510 do VLAN routing between multiple VLANS?
I have a customer with a 2960 48-port switch and an ASA 5510. Ideally we want the ASA 5510 to act as an L3 device in addition to a firewall. I read the Cisco docs and found out 802.1q VLAN/sub-interfaces are supported, plus we know the ASA supports routing. So I assume it is possible.
Does anyone have practical experience deploying this type of setup?
11-07-2006 10:58 AM
It supports routing meaning it "talks" RIP/OSPF, but it is not a router. It can do what you want, but the performance may not be what you want. Set up the physical interface as a trunk and create sub-interfaces under that. See the examples below.
interface Ethernet2
description Trunk Only! DO NOT CONFIGURE!!
speed 100
duplex full
no nameif
security-level 10
no ip address
!
interface Ethernet2.55
description WEB DMZ
vlan 55
nameif web
security-level 95
ip address 192.168.252.254 255.255.255.0 standby 192.168.252.253
!
interface Ethernet2.100
description FTP DMZ
vlan 100
nameif ftp
security-level 10
ip address 192.168.247.254 255.255.255.0 standby 192.168.247.253
!
SWITCHPORT CONFIG
interface FastEthernet0/47
description Connection to PIX
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 55,100
switchport mode trunk
duplex full
speed 100
spanning-tree portfast
11-07-2006 12:52 PM
Thank you for the reply.
Hmm, that means traffic from one VLAN to another must be inspected by the ASA. Is there any way to bypass the traffic inspection between VLANs? The same security level for the VLANs, perhaps?
11-07-2006 02:15 PM
Exactly, and check out the command 'same-security-traffic permit inter-interface'.
11-08-2006 02:23 AM
That does not work for clear-text traffic. As of now it is only for IPsec traffic. So the best solution in your case is the one given above, configuring the sub-interfaces.
11-08-2006 05:09 PM
OK, it did not go well. Here is what I did.
On the ASA 5510 running 7.0:
interface Ethernet0/0
duplex full
no nameif
security-level 10
no ip address
!
interface Ethernet0/0.1
description Management VLAN
vlan 1
nameif MGMT
security-level 95
ip address 10.150.10.1 255.255.255.0
!
interface Ethernet0/0.2
description Server VLAN
vlan 2
nameif ftp
security-level 10
ip address 10.150.20.1 255.255.255.0
!
2960 Switch Config
interface G0/44
description Connection to ASA
switchport trunk allowed vlan all
switchport mode trunk
duplex full
speed 100
I checked that the trunking was 802.1q, since this IOS did not allow "switchport trunk encapsulation dot1q".
I can't ping between VLAN 1 and VLAN 2.
And I did use the same-security permit inter-vlan.
Anything I am missing here?
Thanks
11-08-2006 06:25 PM
Hi .. assuming int g0/44 on your switch is connected to port Ethernet0/0 of the ASA, then the config seems OK. HOWEVER, you also need to configure NAT and access-lists in order to get traffic to flow between interfaces. Remember traffic from higher priority will flow to the lower by default, but you also need to configure nat / global pairs. Traffic from lower to higher security will not flow by default. You need to specifically allow this and use static NATs for it .. confused ..? A quick example ..
For traffic from VLAN 1 to VLAN 2 you need:
nat (MGMT) 1 0 0
global (ftp) 1 interface
access-list Inside_Out extended permit ip any any
access-group Inside_Out in interface MGMT
For traffic from VLAN 2 to VLAN 1 you would need:
static (MGMT,ftp) x.x.x.x y.y.y.y netmask 255.255.255.255
access-list Outside_In extended permit ip any host x.x.x.x
access-group Outside_In in interface ftp
where x.x.x.x is the IP address you need to reach from VLAN 2 and y.y.y.y is the real IP address of the device located on VLAN 1.
Make sure to enable application inspection by enabling the default global-policy (disabled by default); otherwise you might find that pings might not work between interfaces:
policy-map global-policy
class global-class
inspect sqlnet
inspect h323 ras
inspect xdmcp
inspect tftp
inspect icmp error
inspect rtsp
inspect sunrpc
inspect mgcp
inspect esmtp
inspect netbios
inspect sip
inspect pptp
inspect ctiqbe
inspect snmp
inspect http
inspect icmp
inspect rsh
inspect ftp
inspect ils
inspect h323 h225
inspect dns
inspect skinny
I hope it helps .. please rate if it does !!!
11-09-2006 03:53 AM
Thank you. I will try the changes today and let you guys know.
I made all three interfaces the same security level 100 and used "same-security permit inter-interface". I assume with this approach I don't have to create NAT/access lists, but that did not make any difference.
11-09-2006 06:07 AM
To expand on Fernando's post, instead of creating NATs and globals, it might be easier to move the traffic using what I call subnet statics, such as:
static (inside,dmz) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
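The thread's replies list the prerequisites for traffic between two ASA sub-interfaces: a nat/global pair for high-to-low traffic, a static plus an inbound access-group for low-to-high, and 'same-security-traffic permit inter-interface' when the levels are equal. The following audit script is an added example, not code from the thread or from Cisco; it reads a saved running-config and reports which of those prerequisites is missing for each interface pair. It assumes the nat-control behaviour the replies describe (7.x era), and that sub-commands are indented with one space as 'show run' prints them; the sample configs and the 10.150.x.50 addresses are constructed.

```python
import re
SAME_SEC = "same-security-traffic permit inter-interface"

def parse_interfaces(cfg):
    """Map nameif -> security-level for each named (sub)interface; sub-commands are indented."""
    levels, cur = {}, {}
    for line in cfg.splitlines():
        tok = line.split() or [""]
        if not line.startswith(" "):
            cur = {}  # any top-level line ends the current interface block
        elif tok[0] == "nameif":
            levels[tok[1]] = cur
        elif tok[0] == "security-level":
            cur["level"] = int(tok[1])
    return {n: d["level"] for n, d in levels.items() if "level" in d}

def audit(cfg):
    """Return one finding per missing prerequisite; [] means every interface pair is covered."""
    levels = parse_interfaces(cfg)
    nats = set(re.findall(r"^nat \(([^)]+)\) (\d+)\b", cfg, re.M))
    globs = set(re.findall(r"^global \(([^)]+)\) (\d+)\b", cfg, re.M))
    statics = set(re.findall(r"^static \(([^,]+),([^)]+)\)", cfg, re.M))
    acl_in = set(re.findall(r"^access-group \S+ in interface (\S+)", cfg, re.M))
    findings, names = [], sorted(levels)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if levels[a] == levels[b]:
                if SAME_SEC not in cfg:
                    findings.append(f"{a}/{b}: equal security-level but '{SAME_SEC}' is missing")
                continue
            hi, lo = (a, b) if levels[a] > levels[b] else (b, a)
            # high -> low is allowed by default, but under nat-control it still needs a nat/global id pair
            if not any((hi, nid) in nats and (lo, nid) in globs for _, nid in nats):
                findings.append(f"{hi} -> {lo}: no matching nat ({hi}) N / global ({lo}) N pair")
            # low -> high is denied by default: needs a static translation and an inbound ACL on lo
            if (hi, lo) not in statics or lo not in acl_in:
                findings.append(f"{lo} -> {hi}: needs 'static ({hi},{lo}) ...' plus an access-group in on {lo}")
    return findings

# Constructed sample mirroring the poster's two sub-interfaces, indented as 'show run' prints them
BROKEN = ("interface Ethernet0/0.1\n nameif MGMT\n security-level 95\n"
          "interface Ethernet0/0.2\n nameif ftp\n security-level 10\n")
# The same interfaces plus the nat/global, static and access-group lines suggested in the reply above
FIXED = BROKEN + ("nat (MGMT) 1 0 0\nglobal (ftp) 1 interface\n"
                  "static (MGMT,ftp) 10.150.20.50 10.150.10.50 netmask 255.255.255.255\n"
                  "access-group Inside_Out in interface MGMT\naccess-group Outside_In in interface ftp\n")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(cfg) or "OK")
```

Run against the poster's original config the script reports both the missing nat/global pair and the missing static/ACL for the ftp-to-MGMT direction; with the lines from the reply added it reports nothing.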