Solved: Re: Cisco ASA5506x and Cisco Switch 3750PoE vlan connection?

m-abooali · ‎10-06-2017

Hello good folks,

I have not dealt with this type of Firewalls before and my Firewalling is rusty kind of. I have an small office and am installing:

1- Cisco ASA5506x

2- Cisco L3 Switch 3750 PoE

3- An Access point ( currently in use)

we have a 100 MB ETernet to the Internet.

It seems that there is no way that I can fifure out to connect a trunck from switch to the ASA? I am trying to put FW at te edge facing the provider and Cisco 3750 behind the ASA FW and connect the access pont traffic to the switch using an access-point VALAN (accesspoint)

is my thinking of a trunk between switch and ASA wrong? is teh ASA capable receiving a trunk?

Please advise,

Best REgards,

Masood

Seb Rupik · ‎10-06-2017

Hi there,

Using a ASA 5505-X a trunk interface is acheived with a subinterface. If your trunk link from the 3750 was carrying VLANs 10,20,30 and connected to gi0/1 on the ASA you'd have this config:

!
interface gigabitethernet 0/1.10
  vlan 10
  nameif vlan10
  ip address 10.10.10.254 255.255.255.0
!
interface gigabitethernet 0/1.20
  vlan 20
  nameif vlan20
  ip address 10.10.20.254 255.255.255.0
!
interface gigabitethernet 0/1.30
  vlan 30
  nameif vlan30
  ip address 10.10.30.254 255.255.255.0
!

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-vlan.html

cheers,

Seb.

View solution in original post

Seb Rupik · ‎02-13-2018

Yes, you can create a L3 link between the ASA and 3750. However unless you have an IPServices license for the 3750 you will not be able to run a dynamic IGP (EIGRP/ OSPF) between the devices. This means you will have to configure static routes. Great for the short term, but may not scale very well in the future.

cheers,

Seb.

View solution in original post

m-abooali · ‎10-06-2017

I am replying to myself.

this is how I have tried to connect switch and my vlans to the ASA5506x
This is only example and IPs are not real:

interface Ethernet0/0
no shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/0.48
vlan 48
nameif vlan48
security-level 100
ip address 192.168.48.1 255.255.255.192
!
interface Ethernet0/0.101
vlan 101
nameif vlan101
security-level 100
ip address 192.168.48.66 255.255.255.224

this should have worked based my my knowledge!?

Please advise,

Best Regards,

Masood

Seb Rupik · ‎10-06-2017

Hi there,

Using a ASA 5505-X a trunk interface is acheived with a subinterface. If your trunk link from the 3750 was carrying VLANs 10,20,30 and connected to gi0/1 on the ASA you'd have this config:

!
interface gigabitethernet 0/1.10
  vlan 10
  nameif vlan10
  ip address 10.10.10.254 255.255.255.0
!
interface gigabitethernet 0/1.20
  vlan 20
  nameif vlan20
  ip address 10.10.20.254 255.255.255.0
!
interface gigabitethernet 0/1.30
  vlan 30
  nameif vlan30
  ip address 10.10.30.254 255.255.255.0
!

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-vlan.html

cheers,

Seb.

m-abooali · ‎10-06-2017

Thank you.

I have done that but still having problems. May be cable needs to be cross one?

Best Regards,

Masood

Seb Rupik · ‎10-06-2017

On the ASA, what is the output of:

sh arp

On the 3750:

sh mac add dyn

sh spanning-tree vlan 48

sh spanning-tree vlan 101

m-abooali · ‎10-06-2017

Thanks,

I will get those cmds output and will post them.

Best Regards,

Masood

m-abooali · ‎10-06-2017

Thank you,

I was going through the document you provied a link for and I see the following: what secondary means in this case? I remember back in the days we used to use " secondary" under a router's sub-interface but does it means the same here?

I have only three vlans:

access-point vlan

guest vlan

managmet and normal users vlan.

Best Regards,

Masood

no vlan 200 secondary 503
show running-config interface gigabitethernet0/6.200
!
interface GigabitEthernet0/6.200
 vlan 200 secondary 500 600-700
 no nameif
 no security-level
 no ip address

Florin Barhala · ‎03-16-2018

I admit I also didn't know the meaning of secondary key word for vlans on ASA.
Here's what I found on the config guide

Specify the VLAN for the subinterface:
vlan vlan_id [secondary vlan_range]

Example:

ciscoasa(config-subif)# vlan 101 secondary 52 64,66-74

The vlan_id is an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information.

The secondary VLANs can be separated by spaces, commas, and dashes (for a contiguous range). When the ASA receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN.

You cannot assign the same VLAN to multiple subinterfaces. You cannot assign a VLAN to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the ASA changes the old ID. To remove some secondary VLANs from the list, you can use the no command and only list the VLANs to remove. You can only selectively remove listed VLANs; you cannot remove a single VLAN in a range, for example.

m-abooali · ‎03-16-2018

Hi,

I think, its like we could attach a secondary gateway P address to a router Interface, these secondary VLANS are VLANS other than VLAN 101 that are allowed to pass through this interface.

Regards,

Masood

m-abooali · ‎02-13-2018

Thank you. I am sorry for the delay as project was halted for a time. it has started now. question, can I just connect using IPs at both side - only L3 connections instead of trunks and sub-ints?

Regards,

Masood

Seb Rupik · ‎02-13-2018

Yes, you can create a L3 link between the ASA and 3750. However unless you have an IPServices license for the 3750 you will not be able to run a dynamic IGP (EIGRP/ OSPF) between the devices. This means you will have to configure static routes. Great for the short term, but may not scale very well in the future.

cheers,

Seb.

m-abooali · ‎02-14-2018

Thank you Seb. I have a new discussion as i got stuck connecting a linksysE4500 wireless router to my Cisco 3750 PoE switch. Protocole or rbeidge issues i am assuming. Thanks for the response. Yes, EIGRP makes it much easier.

bninfosec · ‎03-15-2018

Hi, I"m curious what was the last solution you got in this scenario? I meant connecting the 5506x to the 3750PoE. Do you mind to share config (of course not real IP and credential)? Thanks much

m-abooali · ‎03-15-2018

Hi,

Altho the 3750 is installed and operational but the ASA 5506x has not yet been installed. I am working on the details as none info has been available to me.

Will respond when its done. Thanks for writing to me on this.

Regards,

Masood