460 Views, 0 Helpful, 8 Replies

Unable to route different VLAN via transparent firewall

Marcus Peck
Level 1

Hi,

I have an issue getting a different VLAN to communicate to another VLAN via a transparent firewall. Below is my scenario:

Access_SW1 --> Core_SW --> Transparent_ASA --> Access_SW2

The Access_SW1 is configured with VLAN 10 & 20 and the Access_SW2 is configured with VLAN 30 & 40. The Core_SW is configured with OSPF with VLAN 10, 20, 30 & 40 in the same area with VLAN 10, 20, 30 & 40 as gateways for each respective VLAN. The transparent_FW is configured with subinterfaces with only 1 physical link to the Core_SW and 1 physical link to the Access_SW2.

Below is the VLAN network config:

VLAN 10 = 192.168.10.1/24

VLAN 20 = 192.168.20.1/24

VLAN 30 = 192.168.10.100/24

VLAN 40 = 192.168.20.100/24

Below is the FW config

VLAN 10 and 30 using BVI 1 192.168.10.10/24

VLAN 20 and 40 using BVI 2 192.168.20.10/24

When I connect a host to Access_SW1 with access VLAN 10 and a host connected to Access_SW2 with access VLAN 30, they can ping each other without any issues. However, when I connect a host to Access_SW1 with access VLAN 20, this host cannot ping the host at Access_SW2 accessing VLAN 30. Both are in different networks so I assume the CoreSW will do the inter-VLAN routing but it somehow doesn't.

Please help me as I am stuck in this configuration without progress. Thank you!

1 Accepted Solution

8 Replies

Jon Marshall
Hall of Fame

Marcus

It won't work as you want because your firewall is in transparent mode.

So your first ping looks like this -

client (vlan 10) -> firewall -> client (vlan 30)

which is why it works ie. there is no routing involved.

Your second ping looks like this -

client (vlan 20) -> (SVI 20) core switch (SVI 30) -> firewall -> client (vlan 30)

you can see that vlan 30 is on both sides of the firewall and you can't have this with transparent because each side of the firewall should be in a different vlan.

A transparent firewall simply joins two vlans with the same IP subnet which is exactly what you did in your first example but not the second.

Jon

Hi Jon,

thanks for your reply. I have access-list below:

myethertype deny bpdu

myethertype permit 0x8100

myethertype permit 0x2003

And I applied this to all my subinterfaces (VLAN).

The above only allows ping within the same subnet. However when I applied the access list below:

101 extended permit ip any any

All my VLANs are able to ping each other and vice versa. Strange that I need to do this because I thought the CoreSW is supposed to route the VLANs? Correct me if I'm wrong.

Marcus

Perhaps I have it wrong because I thought it was a topology issue not an acl issue.

What SVIs do you have configured on the core switch ie. you can't have an SVI for all vlans because the switch shouldn't let you configure multiple SVIs using the same IP subnet which is what you would have to do.

Jon

Hi Jon,

Access_SW1 (VLAN 10 & 20) --> CoreSW (VLAN 10, 20) --> (SVI 10 & 20) Transparent FW (SVI 30 & 40) --> Access_SW2 (VLAN 30 & 40)

Above is my VLAN config for the topology. 

Marcus

Sorry, it's been a long day but I am not following your diagram.

Are you saying you have SVIs for vlans 10 and 20 on the core switch ?

If so where are the SVIs for vlan 30 and 40 that you show in your diagram.

I would expect there wouldn't be any SVIs for those vlans.

Jon

Hi Jon,

VLAN 30 & 40 belong to the same subnets as VLAN 10 & 20 respectively. Because transparent firewalls do not allow me to reuse VLAN IDs for more than 1 interface, I have to create new VLANs for the access_sw2 (VLAN 30 & 40). There are no VLAN 30 & 40 in coreSW.

Sorry, I think it may just be a terminology thing that is leading to the misunderstanding.

An SVI ("int vlan <x>") is the L3 interface for a vlan and I was asking where they were configured.

I was assuming if you do a "sh ip int br | include Vlan" on your core switch you would only see SVIs for vlans 10 and 20.

Because I can't see anywhere else you could configure the SVIs for vlans 30 and 40.

So I think your schematic is just showing where the vlans are and not the SVIs.

If that's the case ignore my very first post because the second connection should work ie.

client (vlan 20) -> (SVI 20) core switch (SVI 10) -> firewall -> client (vlan 30)

which you seem to be saying it did once you changed the acl.

Is that the acl applied to the firewall ?

Does the above make sense or has it just confused the issue more ?

Jon
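As an added, constructed example (not configuration posted by Marcus or Jon), here is a minimal core-switch and transparent-ASA configuration that matches the topology as Jon finally reads it, and that also covers the ACL point from Marcus's earlier reply: the core switch has SVIs only for VLANs 10 and 20, the ASA bridges VLAN 10 to VLAN 30 and VLAN 20 to VLAN 40, and IP traffic across the bridge is permitted by an extended ACL instead of "permit ip any any". Interface names, ACL names, security levels, the OSPF process number and the trunk port numbers are assumptions; only the VLAN IDs, subnets and BVI addresses come from the thread.

```cisco
! ===== Core_SW (IOS) =====
! Only two SVIs exist: one per IP subnet. VLANs 30 and 40 are the same
! subnets on the far side of the firewall, so they get no SVI here.
ip routing
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
! Assumed trunk towards the ASA: carries only the core-side VLANs.
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
router ospf 1
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
!
! Check (Jon's command): the output should list only Vlan10 and Vlan20.
! show ip interface brief | include Vlan

! ===== Transparent_ASA =====
firewall transparent
!
! Core-side subinterfaces (assumed on Gi0/0), one per core VLAN.
interface GigabitEthernet0/0.10
 vlan 10
 nameif core-vlan10
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif core-vlan20
 bridge-group 2
 security-level 100
!
! Access-side subinterfaces (assumed on Gi0/1): different VLAN IDs,
! same subnets, joined to the core VLANs by the bridge groups.
interface GigabitEthernet0/1.30
 vlan 30
 nameif access-vlan30
 bridge-group 1
 security-level 50
!
interface GigabitEthernet0/1.40
 vlan 40
 nameif access-vlan40
 bridge-group 2
 security-level 50
!
! BVI addresses from the thread; used for management/ARP, not routing.
interface BVI1
 ip address 192.168.10.10 255.255.255.0
!
interface BVI2
 ip address 192.168.20.10 255.255.255.0
!
! EtherType ACL as in the thread: it governs non-IP frames only, so on
! its own it never permits IP. Denying BPDUs also hides STP across the
! bridge, so make sure no redundant L2 path exists around the ASA.
access-list myethertype ethertype deny bpdu
access-list myethertype ethertype permit 0x8100
access-list myethertype ethertype permit 0x2003
!
! IP traffic needs an extended ACL. Scoped to the two subnets instead
! of "permit ip any any": VLAN 20 reaches VLAN 30 because the core
! routes 192.168.20.0 -> SVI 10, and the ASA then bridges VLAN 10 -> 30.
access-list from-core extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list from-core extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list from-core extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list from-core extended permit ip 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0
!
access-list from-access extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list from-access extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list from-access extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list from-access extended permit ip 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0
!
access-group myethertype in interface core-vlan10
access-group myethertype in interface core-vlan20
access-group myethertype in interface access-vlan30
access-group myethertype in interface access-vlan40
access-group from-core in interface core-vlan10
access-group from-core in interface core-vlan20
access-group from-access in interface access-vlan30
access-group from-access in interface access-vlan40
!
! Inspect ICMP so echo replies are matched statefully rather than
! needing their own permit lines.
policy-map global_policy
 class inspection_default
  inspect icmp
```

The security point is the difference between the two ACL types: the EtherType ACL in the thread only decides which non-IP frames cross the bridge, so pings between subnets still depend entirely on the extended ACL. Permitting exactly the subnets that should traverse the firewall keeps the transparent ASA doing useful filtering, which "101 extended permit ip any any" does not.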

Hi Jon,

sorry for the late reply. Yup, the ACL is applied to the firewall and not the core switch. Anyways it is working as it should now after the ACL on the firewall. 
