Solved: Firewall inside interface with Core

Rizwan · ‎10-06-2015

Hi,

I have nexus core with multiple vlans configured on it. Cisco asa firewall is connected with core using port-channel and trunk.

How can I make all vlans traffic routable on firewall? I will use IP address at port-channel interface? how firewall will handle vlan tags?

Jon Marshall · ‎10-06-2015

Are you running HSRP on the Nexus side ?

If so can you ping the VIP or either of the physical IPs from the ASA ?

Jon

View solution in original post

chris noon · ‎10-06-2015

You will require a sub interface for each VLAN on the firewall, e.g.:

config term

interface portchannel 1.100 >> for vlan 100

encapsulation dot1q 100 >> for vlan 100

ip address [ip address] [mask]

exit

The following document has a more in depth explanation:

http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/14976-50.html

Rizwan · ‎10-06-2015

My core switch is layer-3 then and all inter-vlan routing is done by core. Is there any way to make

to just route traffic to firewall instead of making sub-interface for each vlan at firewall?

chris noon · ‎10-06-2015

Yes, if your core switch is a layer 3 device you could create SVIs on the switch like so:

config term

interface vlan 100 >> for vlan 100

ip address [IP address] [mask]

then apply a default route up to the firewall from the core switch:

ip route 0.0.0.0 0.0.0.0 [interface towards firewall] [firewalls inside IP address]

SVI documentation:

http://www.cisco.com/c/en/us/products/collateral/routers/1800-series-integrated-services-routers-isr/prod_white_paper0900aecd8064c9f4.html

Rizwan · ‎10-06-2015

One more question please, if at core I have port-channel configure with firewall then in default route i will mention port-channel number or physical port interface number [interface towards firewall] ?

chris noon · ‎10-06-2015

I'm confident in saying the port channel interface.

Rizwan · ‎10-06-2015

I am facing following error while configuring default route towards firewall with port-channel interface and physical interface both

% Pin-Interface cannot be a switchport

chris noon · ‎10-06-2015

I will configure it on some lab equipment and let you know... give me some time please.

Rizwan · ‎10-06-2015

Hi Chris

Waiting for your response

Jon Marshall · ‎10-06-2015

If you are routing the vlans on the Nexus switch then you don't need subinterfaces or vlan tags on the firewall.

In which case your default route should use the IP address of the interface on the firewall as the next hop IP.

Jon

Rizwan · ‎10-06-2015

Hi Jon,

I have port-channel (vPC) between nexus and asa, similarly port-channel on firewall side.
I make port-channel interface as inside interface of firewall and assigned IP on it.

Now I make default route on nexus pointing to inside interface of firewall.

ip route 0.0.0.0 0.0.0.0 192.168.200.1

But I am unable to ping 192.168.200.1 from nexus

Jon Marshall · ‎10-06-2015

Are you running HSRP on the Nexus side ?

If so can you ping the VIP or either of the physical IPs from the ASA ?

Jon

Rizwan · ‎10-06-2015

yep, you are right Jon. I am running HSRP on nexus side and unable to ping any IP address VIP or physical IP on nexus from ASA.

How to configure this?

Rizwan · ‎10-06-2015

Hi Jon,

I'm waiting for your response. Thanks

Jon Marshall · ‎10-06-2015

Sorry, thought you had sorted it.

What troubleshooting have you done ie. are the HSRP interfaces up, are the physical interfaces up on all devices, what do the mac address tables show when you try to ping etc.

Jon