10-18-2012 09:28 AM
Dear All
I have an issue with correctly configuring an SG300 Layer 3 switch behind an ASA 5505 (incl. Security Plus License).
The setup is as follows:
CISCO SG300 is configured as a Layer 3 Switch
Native VLAN 1: ip address 192.168.1.254, default route (inside interface ASA 192.168.1.1)
Extra VLANs on Switch defined
VLAN 100 with 192.168.100.0/24, default gateway 192.168.100.254
VLAN 110 with 192.168.110.0/24, default gateway 192.168.110.254
VLAN 120 with 172.16.0.0/16, default gateway 172.16.10.254
From the different VLANs (100, 110, 120) I am able to connect to all devices in the other VLANs (except for native VLAN 1; it's not pingable).
From the switch CLI I can ping my firewall (192.168.1.1) and all other VLAN gateways and VLAN devices (VLAN 1, 100, 110, 120).
From the ASA CLI I can only ping my switch port (192.168.1.254), but no other devices in the other VLANs.
My question is this: what do I need to change or set up in the switch or ASA configuration in order for the other VLANs to access the Internet through the ASA? I will not use the ASA as an inter-VLAN routing device, because the switch is doing this for me.
I tried changing the ASA int e0/1 into a trunk port (uplink port on the switch also), to allow all VLANs, but as soon as I do that I cannot ping 192.168.1.254 from the ASA CLI anymore.
Any help is greatly appreciated
Regards
Edwin
Accepted Solutions
10-18-2012 12:16 PM
Hi Edwin, since the switch is in layer 3, the only needed behavior is to ensure the computers' default gateways are set to the SVI of the interface connecting to the switch, to ensure the switch is forwarding the desired traffic to the ASA.
The configuration between the ASA and the switch should remain true per dot1q, such as native VLAN untagged, all additional VLANs tagged.
Also, if I'm not mistaken, on the ASA you need to set the port security level to 100.
-Tom
Please rate helpful posts
10-18-2012 12:47 PM
Thomas
You were right, I figured it out already. I used the wrong IP address for the gateway to the different subnets. It should have been the IP address 192.168.1.254, as I used 192.168.1.1, which is the IP address of the ASA itself.
I also made sure the uplink to the ASA was configured as a trunk port and allowed VLANs 100, 110 and 120.
Thanks so much
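Putting Tom's answer and Edwin's fix together, the following is an added configuration sketch of both sides of this design. It is not from the thread and not a Cisco reference configuration; the addresses and VLAN numbers are the ones Edwin posted, while the interface names (gi1/0/1 on the switch, Ethernet0/1 and Vlan1 on the ASA 5505) and the IOS-style command syntax are assumptions, and the SG300 CLI differs in small ways (interface naming such as `gi1`, prefix-length notation). The ASA static routes are not mentioned in the thread but are needed for the design to work: the ASA only knows the 192.168.1.0/24 link network, so reply traffic to 192.168.100.0/24, 192.168.110.0/24 and 172.16.0.0/16 must be pointed back at the switch's SVI, otherwise it follows the default route out to the Internet.

```cisco
! ===== SG300 (Layer 3 mode) - assumed IOS-style syntax =====
! SVIs: these are the default gateways the hosts must use,
! not the ASA's 192.168.1.1 (Edwin's original mistake).
interface vlan 1
 ip address 192.168.1.254 255.255.255.0
!
interface vlan 100
 ip address 192.168.100.254 255.255.255.0
!
interface vlan 110
 ip address 192.168.110.254 255.255.255.0
!
interface vlan 120
 ip address 172.16.10.254 255.255.0.0
!
! Switch default route: everything not in a connected VLAN goes to the ASA.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! Uplink to the ASA (assumed port name). Per Tom's answer: native VLAN 1
! untagged, the other VLANs tagged. Because the switch does the routing,
! only untagged VLAN 1 traffic actually crosses this link.
interface gigabitethernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 100,110,120
!
! ===== ASA 5505 =====
! Inside interface: untagged VLAN 1, security-level 100.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Port facing the switch uplink: plain access port in VLAN 1, so the ASA
! never has to handle 802.1Q tags from the switch.
interface Ethernet0/1
 switchport access vlan 1
!
! Return routes for the VLAN subnets, next hop = switch SVI in VLAN 1.
route inside 192.168.100.0 255.255.255.0 192.168.1.254 1
route inside 192.168.110.0 255.255.255.0 192.168.1.254 1
route inside 172.16.0.0 255.255.0.0 192.168.1.254 1
```

Two things to check after applying this: the ASA's NAT rules must also cover the three VLAN subnets, not just 192.168.1.0/24 (the syntax is version-dependent; `show nat` lists what is currently matched), and `show route` on the ASA should list the three static routes via 192.168.1.254. The `packet-tracer input inside icmp 192.168.100.10 8 0 <public-address>` command walks a simulated echo request from a VLAN 100 host through routing, NAT and access rules and shows exactly which step drops it if something is still missing. From a hardening standpoint, pruning the trunk to the VLANs the ASA actually needs (here only the untagged native VLAN) keeps the firewall port from accepting tagged frames for networks it is not meant to see.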
