08-25-2013 10:59 PM - edited 03-11-2019 07:30 PM
Hi,
Is the following configuration correct on an asa:
interface GigabitEthernet0/0
nameif apps
security-level 50
ip address 192.168.106.1 255.255.255.0
!
interface GigabitEthernet0/0.109
vlan 109
nameif test
security-level 51
ip address 192.168.109.1 255.255.255.224
Current Network ( 192.168.109.0/24 ) -> Current ASA -> Current Switch -> New ASA -> Application VLANS
Current Network is connected to the New Network ( Applications Vlans ) using a link between Current Switch & New ASA as 192.168.106.1 on current ASA and 192.168.106.2 on the New ASA. Routing for traffic from Application Vlans and Current Network is accordingly added using default and static routes.
The network 192.168.106.0/24 also has some users who will access the Application vlans.
Users in current network will use 192.168.106.1 as their gateway.
Will this configuration work? I'd appreciate it if folks could point out anything that seems incorrect or a better way to do this.
Thanks in advance
08-26-2013 12:13 AM
The config will work, why not? You'd have to have same-security-traffic permit intra-interface on the current ASA, for traffic to be able to hairpin through the gig0/0 interface. And surely, you'd have to add all necessary ACL rules, needed for the applications you work with, on both ASAs.
Config for the subinterface on the ASA is ok. The switchport to Gig0/0 should be set up as a trunk with VLANs 0 and 109 allowed.
08-26-2013 03:52 AM
Your config will work, but it is not the recommended way to configure it. On a security device it is not best practice to use the native VLAN. A better way to configure it would be the following:
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
! only set speed and duplex here
!
interface GigabitEthernet0/0.106
vlan 106
nameif apps
security-level 50
ip address 192.168.106.1 255.255.255.0
!
interface GigabitEthernet0/0.109
vlan 109
nameif test
security-level 51
ip address 192.168.109.1 255.255.255.224
On the switch you need to allow VLAN 106 and VLAN 109 and make sure that the network 192.168.106.0 is migrated to VLAN 106.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
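As an added example (not from the thread or from any of the posters), here is the switch-side trunk configuration that matches Karsten's subinterface layout above, together with the same-security-traffic line Aleksey mentioned for the current ASA, in Cisco IOS/ASA syntax. The switch interface name GigabitEthernet1/0/1 and the unused native VLAN 999 are assumptions. The point is that the native VLAN on the trunk towards the ASA carries no user subnet, is tagged, and is not one of the allowed data VLANs, so there is no untagged path for the VLAN-hopping concern raised in this thread.

```cisco
! ---- Switch side (Cisco IOS; interface name and VLAN 999 are assumptions) ----
vlan 106
 name apps
vlan 109
 name test
vlan 999
 name unused-native
!
! Tag the native VLAN on every 802.1Q trunk so no frame leaves untagged.
vlan dot1q tag native
!
interface GigabitEthernet1/0/1
 description Trunk to ASA GigabitEthernet0/0 (apps + test)
 ! encapsulation command is needed only on platforms that also support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 ! native VLAN is a dead VLAN with no SVI and no access ports
 switchport trunk native vlan 999
 ! only the two subinterface VLANs are carried; 999 is deliberately excluded
 switchport trunk allowed vlan 106,109
 no shutdown
!
! ---- Current ASA side ----
! Users with 192.168.106.1 as gateway reach the application VLANs via
! 192.168.106.2, i.e. in and out of the same "apps" interface (hairpin),
! which the ASA only permits with this global setting.
same-security-traffic permit intra-interface
```

With this layout the physical ASA port carries no IP address, so an untagged frame arriving on the trunk lands in VLAN 999, where nothing listens, rather than in the apps subnet. Verify on the switch with show interfaces trunk that the native VLAN shows as 999 and that only 106 and 109 are allowed and active.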
08-27-2013 02:25 AM
Thanks for the reply.
If I just leave the interface this way for VLAN 106, what possible effects will it cause?
Will the return traffic for this segment have problems?
interface GigabitEthernet0/0
nameif apps
security-level 50
ip address 192.168.106.1 255.255.255.0
08-27-2013 03:17 AM
No, there won't be any functional problem. Your way (native VLAN) combined with additional things like misconfiguration on the switch can lead to security problems like VLAN hopping. That's the reason that using the native VLAN is not a best practice.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni