09-25-2008 09:43 PM - edited 03-11-2019 06:49 AM
Hi, currently we have two sites which are connected via an STS IPsec tunnel, using Cisco ASA 5505. By default three zones are created:
1) DMZ
2) Inside
3) Outside
Inside and DMZ are part of VLAN 1 and outside is VLAN 2. We have made an exempt rule for communication between Inside and DMZ and added the other remote local network also.
Now we have decided to make separate VLANs for Inside and DMZ at each site. Just want to know, do we need any additional change in the configuration for communication among VLANs locally and remotely? Thanks
09-26-2008 04:37 AM
Hi Andrew,
I think the routing between VLANs from a security perspective should be done through the firewall, right?
Ray,
You have now inside in one VLAN and DMZ in another VLAN.
If you make the inter-VLAN routing on a switch then the communication between DMZ and inside will bypass the firewall, not secure.
However if you don't make SVIs as Andrew mentioned, and just make the switch pass L2 traffic to the firewall interface,
and the firewall interface IP address is the default gateway for each host in the corresponding VLAN,
this way the firewall will handle the communication between VLANs
and take care of the requirement of NATing and ACLs.
good luck
if helpful Rate
09-26-2008 05:19 PM
OK, I will explain both :)
First one:
Let's say we have two internal VLANs
vlan 10 10.1.1.0/24
vlan 20 20.1.1.0/24
and the scenario is like
access_switch with two vlans 10,20---L3 switch---ASA--internet--
OK,
now let's consider the first way, which is inter-VLAN routing on the switch.
I will create a third VLAN for the port connecting the L3 switch and the ASA, called VLAN 50,
and the ASA IP is 50.1.1.1.
Now on the access switches only make L2 VLANs like
vlan 10
vlan 20
and the link between L2 switch and L3 switch is trunk
On the L3 switch we need to create L2 and L3 VLANs
like:
vlan 10
interface vlan 10
ip address 10.1.1.1 255.255.255.0
no shut
vlan 20
interface vlan 20
ip address 20.1.1.1 255.255.255.0
no shut
vlan 50
interface vlan 50
ip address 50.1.1.2 255.255.255.0
no shut
Now enable IP routing on the L3 switch:
ip routing
Now make the port toward the ASA an access port and put it in VLAN 50.
Now create a default route pointing to the ASA inside IP (50.1.1.1, as set above):
ip route 0.0.0.0 0.0.0.0 50.1.1.1
If you do show ip route
you will see all VLAN interfaces as directly connected and a default static route to the ASA.
On the ASA you need two routes for the internal networks through the vlan50 interface,
like
route inside 10.1.1.0 255.255.255.0 50.1.1.2
route inside 20.1.1.0 255.255.255.0 50.1.1.2
route outside 0.0.0.0 0.0.0.0 [outside next-hop IP]
nat (inside) 1 0 0
global (outside) 1 interface
The default gateway for hosts in VLAN 10 will be 10.1.1.1,
in VLAN 20 it will be 20.1.1.1.
OR:
Don't make the VLAN interfaces on the L3 switch, only L2 VLANs, and on the switch create a trunk port to the ASA, and on the ASA create two subinterfaces, each one in the corresponding VLAN (VLAN 10 and VLAN 20) with the same IP addressing.
Or
on the L3 switch
create two access ports, each one in a VLAN that you have, like one in 10 and the other in 20,
and connect the access ports to different physical ports on the ASA.
Now each VLAN has its own interface or subinterface.
Both work, and in both ways each ASA interface will have an IP; in this case this IP will be the default gateway for the hosts in the corresponding VLAN,
thus the communication will be through the ASA.
You only need the routes to be done on the ASA,
as we have done above, each network through the right interface. Good luck; you need ACLs as well for lower-security to higher-security interface communications.
if helpful Rate
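As an added illustration of the second design above (switch passes VLANs 10 and 20 at layer 2 only, ASA owns the gateway IPs), not the poster's own configuration: it uses the thread's addressing and assumes an ASA 5505 with the Security Plus license (needed for a trunk port on that model), 8.2-style NAT syntax matching the post above, and hypothetical port names, nameifs and a REMOTE-LAN placeholder.

```cisco
! Switch side: VLAN 10 and 20 exist only at layer 2 (no "interface vlan 10/20"
! SVIs), so the switch cannot route between them; the port toward the ASA is a
! dot1q trunk. Port name is an assumption.
vlan 10
vlan 20
interface GigabitEthernet0/1
 description trunk to ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! ASA 5505 side: VLAN interfaces on a trunk switchport (Security Plus license).
! On 5510 and up the equivalent is "interface Ethernet0/1.10" + "vlan 10".
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 no shutdown
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan20
 nameif dmz
 security-level 50
 ip address 20.1.1.1 255.255.255.0
!
! Hosts in VLAN 10 use 10.1.1.1 as gateway, hosts in VLAN 20 use 20.1.1.1.
! inside (100) -> dmz (50) is allowed by default; dmz -> inside is denied until
! an ACL permits it. Example: only SMTP from the DMZ into inside.
access-list dmz_in extended permit tcp 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 25
access-list dmz_in extended deny ip any any
access-group dmz_in in interface dmz
!
! NAT: exempt local inter-VLAN traffic and traffic to the remote site from PAT.
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
access-list nonat extended permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 [REMOTE-LAN] [MASK]
access-list nonat extended permit ip 20.1.1.0 255.255.255.0 [REMOTE-LAN] [MASK]
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface
! The crypto map ACL for the site-to-site tunnel must also list both local
! subnets toward [REMOTE-LAN], otherwise VLAN 20 traffic never enters the tunnel.
```

With this layout every packet between VLAN 10 and VLAN 20 crosses the ASA, so the DMZ-to-inside ACL is the only path into the inside network.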
09-27-2008 12:38 AM
SVI means switch virtual interface,
like
interface vlan 10
ip address x.x.x.x
I meant if you have SVIs the communication between VLANs will be through the L3 switch,
and traffic from those VLANs to outside will be through the ASA.
A host in VLAN 10 will send the packet to its default gateway IP, which is the VLAN 10 SVI on the L3 switch;
we have routing enabled and we have a default route pointing to the ASA IP which is in VLAN 50, so the L3 switch will route the traffic to VLAN 50, then to the ASA inside interface.
Hope this is helpful.
if helpful Rate
09-26-2008 12:01 AM
Ray,
No - as long as the VLANs are separate from each other, and the ASA has an interface in each of the VLANs, you only need to allow traffic thru the ASA.
HTH>
09-26-2008 12:36 AM
Would the same exempt rule be applicable for VLAN communication, or does it require the ip routing command like an L3 switch configuration?
09-26-2008 01:01 AM
Ray - here is what I mean:
Firewall Outside interface in a VLAN with NO SVI Layer 3 interface on the switch.
Firewall DMZ interface in a VLAN with NO SVI Layer 3 interface on the switch.
Firewall Inside interface in a VLAN with an SVI Layer 3 interface on the switch.
Then all other VLAN SVIs will communicate inter-VLAN on the inside.
HTH>
09-26-2008 01:03 AM
Sorry, I didn't understand properly. Request you to please explain in more detail. Thanks
09-26-2008 01:18 AM
The outside VLAN does NOT have an IP address on the switch; it just passes traffic at layer 2.
The DMZ VLAN does not have an IP address on the switch; it just passes traffic at layer 2.
The Inside VLAN does have an IP address on the switch; the inside VLAN does pass traffic at layer 3 to the internal network.
HTH>
09-26-2008 04:51 AM
"if you make the inter-VLAN routing on a switch then the communication between DMZ and inside will bypass the firewall, not secure" :- Will the communication between the VLANs be secure through the FW? Thanks
09-26-2008 04:53 AM
Correct.
09-26-2008 04:54 AM
yep - correct
09-26-2008 05:08 AM
May I know why it's not secure when configured on the switch.
Another query: If I configure three different VLANs like 100, 200, 300 on an L3 switch, add one interface for each VLAN and assign an IP address which would be the gateway of the client machines, and the switch is connected with the FW and we are using an STS tunnel. Now I want the remote machines of other sites to communicate with all my local VLANs. What would be the process? Thanks
09-26-2008 05:11 AM
If you have layer 3 interfaces in those VLANs, the IP traffic will bypass the firewall altogether.
09-26-2008 05:23 AM
Do we require sub-interfaces on the FW, as it will bypass all network traffic for remote nodes? Please suggest.
09-26-2008 05:25 AM
Ray - this is off this topic.
What is it you are asking now?
09-26-2008 05:40 AM
Hi guys,
Ray,
you can do it in different ways; first of all you need to know what you want to achieve.
Do you want the communication between VLANs to pass through the switch, with the firewall doing the firewalling between your internal networks and the outside and remote site networks,
or do you want the communication between VLANs to be firewalled and routed by the firewall as well?
Once you decide which method you want to use then we can guide you more easily.
thank you