03-05-2010 08:41 AM - edited 03-11-2019 10:18 AM
Hi
I really need someone's help with this; I am a bit stumped.
We recently purchased a new internet link. The ISP has provided their own equipment which we don't have access to.
On this equipment they have created two VLANs. One for internet traffic and one for an extended WAN to another location. The internet link is on VLAN 183 on their equipment.
They advised me to connect a Layer 2 switch directly to the port they had configured VLAN 183 on. On the switch I created my own VLAN also called 183, trunked it and added a few local switch ports to this VLAN. If I connect my laptop into one of the ports assigned to my VLAN and set my laptop's IP to the static information provided by the ISP I can surf the net.
I now need to hook my ASA up to this switch. I need my outside interface to point to the following
ip - 77.75.100.194
mask 255.255.255.252
gateway 77.75.100.193
My inside interface to
10.255.251.211
255.255.0.0
I need all traffic on the 10.255.0.0 network to be able to use this new internet link
I suppose I'm just really confused about how I link the ASA up with the VLAN'd switch.
In the past I have always hooked the ASA up direct to whatever router was provided but the VLAN in the middle is confusing me. Also I have only ever used 5510s and the 5505 seems slightly different.
If someone could point me in the right direction I would really appreciate it!
Thank you!!
03-05-2010 09:03 AM
I can certainly understand the confusion when it comes to ASA5505 and vlans. Once you do it once, you will realize how easy it is.
Here is a link with a sample config: http://ezinearticles.com/?Basic-Configuration-Tutorial-For-the-Cisco-ASA-5505-Firewall&id=1681858
You create a layer 3 interface for the outside VLAN.
You create a layer 3 interface for the inside VLAN.
Configure one port on the outside VLAN.
Configure the other ports on the inside VLAN (by default they will be in vlan1).
Now it is just like an ASA5510. The nameif and security lines go under the "int vlan
-KS
03-05-2010 09:07 AM
You are a life saver! I'll give that a try Monday when I'm back in the office!
Thanks again for your help!
03-08-2010 04:23 AM
03-08-2010 06:43 AM
The config looks correct.
Are you able to ping xx.xx.xx.xx ?
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
Are you able to ping xx.xx.xx.xx??
I hope ip address in vlan2 and the default route are not the same IP address.
Ping the outside default gw from the firewall and collect captures and see what they say.
cap capout int outside match icmp any any
sh cap capout
check the logs as well
conf t
logging on
logging buffered 7
sh logg | i x.x.x.x
where x.x.x.x is the host that is trying to go to the internet.
-KS
03-08-2010 08:45 AM
Hi
I can ping the following
VLAN2
IP Address xx.xx.xx.xx 255.255.255.252
I can't ping the default gateway route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
The IP Address used in VLAN2 and the default gateway are different, both provided by the ISP.
The thing is, if I hook my laptop up direct to the Switch and statically assign it the IP, Gateway and DNS from ISP I have full internet access. There just seems to be an issue with the ASA and the trunked 802.1q switch port. (which works fine with the laptop)
I have attached the log from when I pinged the VLAN2 address from the firewall.
Thanks again!
03-08-2010 10:27 AM
Seems like you need to configure vlan 183 and move the config from vlan2 to vlan183.
interface Vlan183
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 183
Pls. double check the trunk config and the vlan and see which one it is supposed to be.
-KS
03-09-2010 03:23 AM
It's working!!!
Thanks a mil for all your help.
Changing the VLAN to VLAN 183 did the trick!
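A sanity check for the fault this thread ended on, as an added example (not code from any poster or from Cisco): it parses an ASA 5505 config excerpt and reports when the outside VLAN interface is not the expected VLAN, has no access port assigned, or has a default gateway that is not a distinct address in its own subnet. The function names, the constructed sample config and the assumption that the outside VLAN must be 183 are illustrative, taken from how the thread was resolved.

```python
import ipaddress
import re

# Constructed, trimmed config excerpt (assumption); addresses are the poster's.
BEFORE = """\
interface Vlan1
 nameif inside
 ip address 10.255.251.211 255.255.0.0
interface Vlan2
 nameif outside
 ip address 77.75.100.194 255.255.255.252
interface Ethernet0/0
 switchport access vlan 2
route outside 0.0.0.0 0.0.0.0 77.75.100.193 1
"""
AFTER = BEFORE.replace("Vlan2", "Vlan183").replace("vlan 2", "vlan 183")

def parse(cfg):
    """Collect VLAN interfaces, access-port VLANs and outside default gateways."""
    svis, ports, gws, svi, port = {}, {}, [], None, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"interface Vlan(\d+)", line):
            svi, port = svis.setdefault(int(m[1]), {}), None
        elif m := re.fullmatch(r"interface (Ethernet\S+)", line):
            svi, port = None, m[1]
            ports[port] = 1  # ASA 5505 switch ports default to VLAN 1
        elif port and (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            ports[port] = int(m[1])
        elif svi is not None and (m := re.fullmatch(r"nameif (\S+)", line)):
            svi["nameif"] = m[1]
        elif svi is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            svi["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            gws.append(ipaddress.ip_address(m[1]))
    return svis, ports, gws

def check_outside(cfg, upstream_vlan=183):
    """Return a list of problems with the outside VLAN, its port and default route."""
    svis, ports, gws = parse(cfg)
    vlan, svi = next(((v, s) for v, s in svis.items() if s.get("nameif") == "outside"), (None, None))
    if svi is None or "ip" not in svi:
        return ["no addressed VLAN interface has nameif outside"]
    out = [] if vlan == upstream_vlan else [f"outside is Vlan{vlan}, expected Vlan{upstream_vlan}"]
    if vlan not in ports.values():
        out.append(f"no switch port is an access port in VLAN {vlan}")
    for gw in gws:
        if gw == svi["ip"].ip or gw not in svi["ip"].network:
            out.append(f"default gateway {gw} is not a neighbour on {svi['ip'].network}")
    return out
```

`check_outside(BEFORE)` flags the Vlan2 layout and `check_outside(AFTER)` returns an empty list; the gateway test covers the "interface IP and default route are the same address" case raised earlier in the thread.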