02-27-2018 04:13 PM - edited 03-05-2019 10:00 AM
Hi all,
I am trying to connect my ASA 5508-X to my Cisco 4331 router, which I would then like to connect to my Cisco SG550X-24MP switch, so that devices can get out onto the internet. If I remember right (it's been a while), was it the BDI or the BVI command that allows 2 interfaces on the same subnet? I have listed below what my end goal is as of now.
ASA interface 3: 10.0.0.1/24 > Router GigEth0/0: 10.0.0.2/24, GigEth0/1: no IP > Switch: 192.168.1.150/24
02-27-2018 05:58 PM - edited 02-27-2018 05:59 PM
Hi
Just a question: is the router being used for other purposes? Because you could remove it and connect the ASA to the switch only.
Now, if you are going to work with ISP - ASA - Router - Switch, you must:
Configure on ASA
- NAT
- Default route pointing to the ISP
- static routes pointing to the Router to know the internal networks
- ACLs
- Configure the public IP under the interface facing to the ISP and set up the nameif and security levels on the specific interfaces. For the OUTSIDE interface it should have a security level of zero, and 100 for the INTERNAL interface.
Configure on the Router
- Default route pointing to the Firewall
- Create the networks for the users
- If you are going to use a router-on-a-stick scheme, create the sub-interfaces on the physical interface connected to the Switch.
Configure on the Switch
- Create the VLANs for the users
- Configure as trunk the interface connected to the Router and allow to pass the VLANs over the trunk.
- Configure the switchports for the users.
Configure on the computers
- Verify that the computers are on the proper VLAN with the proper IP/subnet mask and default gateway (it will be the IP of the sub-interface on the router)
- Verify DNS servers.
Now I have a question: why would you need a BVI in this scheme?
Hope it is useful
:-)
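A worked configuration for the three devices that follows the steps in the answer above. This is an added example, not configuration from the original thread or from Cisco. The public addressing 203.0.113.0/29 (documentation range), the two user VLANs (VLAN 10 = 192.168.1.0/24, VLAN 20 = 192.168.2.0/24) and the switch port ranges are assumptions; the interface names follow each platform's scheme (ASA GigabitEthernet1/x, ISR 4331 GigabitEthernet0/0/x, SG550X GigabitEthernet1/0/x) and should be checked against the actual hardware.

```cisco
! ===== ASA 5508-X, routed mode =====
! 203.0.113.0/29 is a placeholder for the ISP-assigned block (assumption).
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
! Default route to the ISP; static routes so the ASA can reach the
! user networks that sit behind the router at 10.0.0.2.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 192.168.1.0 255.255.255.0 10.0.0.2
route inside 192.168.2.0 255.255.255.0 10.0.0.2
!
! PAT each user subnet to the outside interface address.
object network NET-VLAN10
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network NET-VLAN20
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Egress ACL: only the listed user subnets may leave. Nothing is applied
! inbound on outside, so the implicit deny on that interface stands.
access-list INSIDE-IN extended permit ip 192.168.1.0 255.255.255.0 any
access-list INSIDE-IN extended permit ip 192.168.2.0 255.255.255.0 any
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside

! ===== ISR 4331 (IOS-XE), router-on-a-stick =====
! Gi0/0/0 faces the ASA; Gi0/0/1 carries the 802.1Q trunk to the switch.
interface GigabitEthernet0/0/0
 description Uplink to ASA inside
 ip address 10.0.0.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/0/1
 description Trunk to SG550X
 no ip address
 no shutdown
!
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/0/1.20
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1

! ===== SG550X-24MP =====
vlan database
 vlan 10,20
exit
!
! Trunk to the router: tag only the user VLANs.
interface GigabitEthernet1/0/1
 description Trunk to ISR4331
 switchport mode trunk
 switchport trunk allowed vlan add 10,20
!
! User access ports (port split is an assumption).
interface range GigabitEthernet1/0/2-12
 switchport mode access
 switchport access vlan 10
!
interface range GigabitEthernet1/0/13-24
 switchport mode access
 switchport access vlan 20
!
! Switch management address in VLAN 10; gateway is the router sub-interface.
interface vlan 10
 ip address 192.168.1.150 255.255.255.0
!
ip default-gateway 192.168.1.1
```

Two points worth checking when adapting this. Once an ACL is applied inbound on `inside`, the ASA's implicit permit from security level 100 to 0 no longer applies, so every subnet that should reach the internet has to be listed; the 10.0.0.0/24 transit subnet is deliberately left off. Nothing here bridges two interfaces: a BVI (classic IOS `bridge irb`, or an ASA bridge group) or a BDI (IOS-XE bridge-domain interface on the ISR 4000) is only needed when two interfaces must share one Layer-2 segment, which plain routing between the ASA, router and switch does not require.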
02-28-2018 08:42 AM
There is a possibility of opening up another site and linking them together, but as of now they are focused on one site, which is why I was thinking of bridging. Maybe I am confusing it with something else; it has been a while since I have had to use some of these commands.
Thanks for the help,