10-28-2015 07:57 PM - edited 03-05-2019 02:37 AM
Hi,
I have an issue getting a different VLAN to communicate to another VLAN via a transparent firewall. Below is my scenario:
Access_SW1 --> Core_SW --> Transparent_ASA --> Access_SW2
The Access_SW1 is configured with VLAN 10 & 20 and the Access_SW2 is configured with VLAN 30 & 40. The Core_SW is configured with OSPF with VLAN 10, 20, 30 & 40 in the same area with VLAN 10, 20, 30 & 40 as gateways for each respective VLAN. The transparent_FW is configured with subinterfaces with only 1 physical link to the Core_SW and 1 physical link to the Access_SW2.
Below is the VLAN network config:
VLAN 10 = 192.168.10.1/24
VLAN 20 = 192.168.20.1/24
VLAN 30 = 192.168.10.100/24
VLAN 40 = 192.168.20.100/24
Below is the FW config
VLAN 10 and 30 using BVI 1 192.168.10.10/24
VLAN 20 and 40 using BVI 2 192.168.20.10/24
When I connect a host to Access_SW1 with access VLAN 10 and a host connected to Access_SW2 with access VLAN 30, they can ping each other without any issues. However, when I connect a host to Access_SW1 with access VLAN 20, this host cannot ping the host at Access_SW2 on access VLAN 30. Both are different networks so I assume the CoreSW will do the inter-VLAN routing but it somehow doesn't.
Please help me as I am stuck in this configuration without progress. Thank you!
10-29-2015 05:03 AM
Marcus
It won't work as you want because your firewall is in transparent mode.
So your first ping looks like this -
client (vlan 10) -> firewall -> client (vlan 30)
which is why it works ie. there is no routing involved.
Your second ping looks like this -
client (vlan 20) -> (SVI 20) core switch (SVI 30) -> firewall -> client (vlan 30)
you can see that vlan 30 is on both sides of the firewall and you can't have this with transparent because each side of the firewall should be in a different vlan.
A transparent firewall simply joins two vlans with the same IP subnet which is exactly what you did in your first example but not the second.
Jon
10-29-2015 08:01 PM
Hi Jon,
thanks for your reply. I have access-list below:
myethertype deny bpdu
myethertype permit 0x8100
myethertype permit 0x2003
And I applied this to all my subinterfaces (VLAN).
The above only allows ping within the same subnet. However when I applied the access list below:
101 extended permit ip any any
All my VLANs are able to ping each other and vice versa. Strange that I need to do this because I thought the CoreSW is supposed to route the VLANs? Correct me if I'm wrong.
10-29-2015 08:08 PM
Marcus
Perhaps I have it wrong because I thought it was a topology issue not an acl issue.
What SVIs do you have configured on the core switch ie. you can't have an SVI for all vlans because the switch shouldn't let you configure multiple SVIs using the same IP subnet which is what you would have to do.
Jon
10-29-2015 08:13 PM
Hi Jon,
Access_SW1 (VLAN 10 & 20) --> CoreSW (VLAN 10, 20) --> (SVI 10 & 20) Transparent FW (SVI 30 & 40) --> Access_SW2 (VLAN 30 & 40)
Above is my VLAN config for the topology.
10-29-2015 08:32 PM
Marcus
Sorry it's been a long day but I am not following your diagram.
Are you saying you have SVIs for vlans 10 and 20 on the core switch ?
If so where are the SVIs for vlan 30 and 40 that you show in your diagram ?
I would expect there wouldn't be any SVIs for those vlans.
Jon
10-29-2015 08:39 PM
Hi Jon,
VLAN 30 & 40 belong to the same subnets as VLAN 10 & 20 respectively. Because transparent firewalls do not allow me to reuse VLAN IDs for more than one interface, I have to create new VLANs for the access_sw2 (VLAN 30 & 40). There are no VLANs 30 & 40 in the coreSW.
10-29-2015 08:50 PM
Sorry, I think it may just be a terminology thing that is leading to the misunderstanding.
An SVI ("int vlan <x>") is the L3 interface for a vlan and I was asking where they were configured.
I was assuming if you do a "sh ip int br | include Vlan" on your core switch you would only see SVIs for vlans 10 and 20.
Because I can't see anywhere else you could configure the SVIs for vlans 30 and 40.
So I think your schematic is just showing where the vlans are and not the SVIs.
If that's the case ignore my very first post because the second connection should work ie.
client (vlan 20) -> (SVI 20) core switch (SVI 10) -> firewall -> client (vlan 30)
which you seem to be saying it did once you changed the acl.
Is that the acl applied to the firewall ?
Does the above make sense or has it just confused the issue more ?
Jon
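As an added example (not code from the thread or from Cisco), the following Python model captures Marcus's topology as data, checks the constraints Jon states (a VLAN ID sits on only one side of the transparent firewall, the core holds an SVI only for the core-side VLAN of each bridge group), and prints the hop list for a ping in Jon's notation. The VLAN-to-BVI mapping and addresses come from the original post; the bridge-group structure and the tracing rules are an assumed simplification of how bridged versus routed traffic reaches the far side.

```python
from ipaddress import ip_interface

# Topology from the thread: L3 SVIs exist on the core only for VLAN 10 and 20.
CORE_SVIS = {10: ip_interface("192.168.10.1/24"), 20: ip_interface("192.168.20.1/24")}
# Transparent ASA bridge groups: id -> (core-side VLAN, Access_SW2-side VLAN, BVI address)
BRIDGE_GROUPS = {
    1: (10, 30, ip_interface("192.168.10.10/24")),
    2: (20, 40, ip_interface("192.168.20.10/24")),
}

def validate():
    """Raise ValueError if the design breaks the transparent-mode constraints."""
    seen = set()
    for core_vlan, far_vlan, bvi in BRIDGE_GROUPS.values():
        if core_vlan == far_vlan or core_vlan in seen or far_vlan in seen:
            raise ValueError(f"VLAN reused across the firewall: {core_vlan}/{far_vlan}")
        seen.update({core_vlan, far_vlan})
        if core_vlan not in CORE_SVIS or CORE_SVIS[core_vlan].network != bvi.network:
            raise ValueError(f"core SVI for VLAN {core_vlan} missing or not in {bvi.network}")
        if far_vlan in CORE_SVIS:
            raise ValueError(f"SVI for far-side VLAN {far_vlan} must not exist on the core")
    return True

def subnet_of(vlan):
    """Return (core-side VLAN, far-side VLAN, subnet) of the bridge group holding vlan."""
    for core_vlan, far_vlan, bvi in BRIDGE_GROUPS.values():
        if vlan in (core_vlan, far_vlan):
            return core_vlan, far_vlan, bvi.network
    raise ValueError(f"VLAN {vlan} is not bridged by the firewall")

def trace(src_vlan, dst_vlan):
    """Hop list, in Jon's notation, for a ping from a host in src_vlan to one in dst_vlan."""
    s_core, s_far, s_net = subnet_of(src_vlan)
    d_core, d_far, d_net = subnet_of(dst_vlan)
    hops = [f"client (vlan {src_vlan})"]
    if s_net == d_net:
        # Same subnet: purely bridged; the firewall is crossed only between its two sides.
        if src_vlan != dst_vlan:
            hops.append("firewall")
    else:
        # Different subnets: reach the core SVI of the source subnet (crossing the
        # firewall if the host is on the far side), route, then go out the other SVI.
        if src_vlan == s_far:
            hops.append("firewall")
        hops.append(f"(SVI {s_core}) core switch (SVI {d_core})")
        if dst_vlan == d_far:
            hops.append("firewall")
    hops.append(f"client (vlan {dst_vlan})")
    return " -> ".join(hops)

if __name__ == "__main__":
    validate()
    print(trace(10, 30))
    print(trace(20, 30))
```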
11-03-2015 05:50 PM
Hi Jon,
sorry for the late reply. Yup, the ACL is applied to the firewall and not the core switch. Anyways it is working as it should now after the ACL on the firewall.