Solved: Re: Connecting ASA to a Switch L3

Carlos Yahir Ramirez Huerta · ‎01-07-2014

Hi,

I have a Cisco ASA and a L3 switch. My question is, what is the diference between these points? :

1. Put an IP Adress directly to the interface switch (giga1/1) where the ASA is connected (Inside)

(ASA interface -> 10.0.0.1/30, SwL3 interface 10.0.0.2/30).

or

2. Assign the interface switch (giga1/1) to a VLAN x and put the IP Address to the interface vlan x

(ASA interface -> 10.0.0.1/30, SwL3 interface "access vlan x", Interface vlan x -> 10.0.0.2/30).

In this SwL3 I have other L3 VLANs like data and servers.

Thaks!!!

.

Jon Marshall · ‎01-08-2014

Carlos

In addition to the other replies and assuming you do not want to firewall between the vlans on the L3 switch the routed link is primarily used when you only have one firewall to connect to. If this is the case it is a bit less config than the vlan solution.

The vlan solution is needed when you have a pair of ASAs in active/standby config because their inside interfaces need to be in the same vlan and there you could not use L3 routed links between the ASAs and the switch.

Jon

View solution in original post

jumora · ‎01-07-2014

If it is a switch I guess that the soul reason to have it is the purpose of having multiple ports and obviously segregating through VLANs, remember that all ports form part of native VLAN 1, as to assigning an IP to a port I´m not sure if you can do it or not as I don´t remember reading that you could or could not but I will tell you that you need to understand what you want to do with the ASA, if you actually add a VLAN to the switch and configure that same network on the ASA you might be causing asymmetrical routing and should be careful or just let one or the other do the routing between VLANS.

Value our effort and rate the assistance!

Marius Gunnerud · ‎01-07-2014

You can assign an IP to a port, you might have to issue the command no switchport under interface configuration mode to be able to do this.

As jumora touches on, one or the other should be doing the routing. If you have an ASA in the mix then the ASA should be doing the routing between security zones as it is also filtering traffic. Allowing the L3 switch to do the routing between the VLANs/Security zones could cause a security risk.

One way of getting around this is to create VRFs on the L3 switch and place the SVIs in seperate VRFs and then have the ASA perform the routing between the VRFs. you could also configure it in such a way that VRFs that belong to the same security zone should be able to route directly to one another without the need of going through the firewall while communication between security zones will be sent through the firewall.

As you can see there are many possibilities, you just need to determine exactly what your needs are.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Jon Marshall · ‎01-08-2014

Carlos

In addition to the other replies and assuming you do not want to firewall between the vlans on the L3 switch the routed link is primarily used when you only have one firewall to connect to. If this is the case it is a bit less config than the vlan solution.

The vlan solution is needed when you have a pair of ASAs in active/standby config because their inside interfaces need to be in the same vlan and there you could not use L3 routed links between the ASAs and the switch.

Jon

Carlos Yahir Ramirez Huerta · ‎01-08-2014

Thanks!!

Sent from Cisco Technical Support iPhone App