11-26-2018 10:38 PM - edited 03-08-2019 04:40 PM
Hi All,
I have multiple VLANs for the inside network and I need to enable inter-VLAN routing between them, so please let me know how we can enable this on the ASA 5525 so we can establish full communication between users on different VLANs.
Also please let me know whether it is possible to configure an SVI on the 5525.
Also, is it possible to configure multiple DHCP scopes for inside users? We already have one DHCP scope running on the ASA for LAN users and we need the same for the other two VLANs. How do we identify the gateway for that DHCP scope so that users on a specific VLAN get their IP address dynamically?
Please let me know the commands for all of the above queries.
dhcpd address 10.85.xx.xx-10.85.xx.xx inside
dhcpd dns 10.85.xx.xx 10.85.xx.xx interface inside
dhcpd lease 28800 interface inside
dhcpd enable inside
GigabitEthernet0/1.70 VOIP 172.16.xx.xx 255.255.255.0 CONFIG
GigabitEthernet0/1.100 inside 10.85.xx.xx 255.255.255.0 CONFIG
GigabitEthernet0/1.110 camera 10.85.xx.xx 255.255.255.0 CONFIG
11-27-2018 12:30 AM - edited 11-27-2018 12:31 AM
Configure interface ACLs to allow and/or block the required traffic.
You can create a sub-interface with security levels.
You need to configure the switch side as a trunk to allow those VLANs through to the user devices.
11-27-2018 01:38 AM
Dear Balaji,
Can you please help me with the two points below, i.e. how can we create an ACL to allow full communication between VLANs?
Also, on an L3 switch we have a command to enable IP routing to allow inter-VLAN communication; is it possible to do the same on the ASA 5525?
1>Configure interface ACLs to allow and/or block the required traffic.
2>You can create a sub-interface with security levels.
11-27-2018 03:55 AM
If all the sub-interfaces on the ASA are the same security level then you can apply the global command 'same-security-traffic permit inter-interface'. This will allow the ASA to simply route between the networks of the same security level. If you apply different security levels you will need to write ACLs permitting your traffic. These could be as simple as 'permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0'.
However, if that is your requirement and you already have an L3 switch, I would leave the routing there and only send traffic to the firewall that is going outside of your 'domain'. The firewall won't have the same forwarding performance as the L3 switch.
Andy
11-27-2018 08:11 PM
Hi Andrew,
As we already have multiple sub-interfaces on the firewall, can you please let me know how I can enable 'allowed vlan all' between the ASA and the switch?
On Cisco switches we have the feature 'switchport mode trunk' with 'allowed vlan all'; please let me know how we can enable this feature on the firewall as well,
so that all the VLANs can pass between the ASA and the switch.
Also please let me know the command to create a new VLAN on the ASA 5525.
ASA1#
ASA1# sh run int
ASA1# sh run int GigabitEthernet0/1.70
!
interface GigabitEthernet0/1.70
vlan 70
nameif VOIP
security-level 100
ip address 172.16.xx.xx 255.255.xx.xx
ASA1# sh run int GigabitEthernet0/1.100
!
interface GigabitEthernet0/1.100
vlan 100
nameif inside
security-level 100
ip address 10.85.xx.xx 255.255.xx.xx
ASA1#
11-28-2018 01:15 PM
Here is an example config.
Switch side
============
BB(config)#int fa0/0 - change this to the interface where your ASA is connected.
BB(config-if)#switchport
BB(config-if)#switchport trunk encapsulation dot1q
BB(config-if)#switchport trunk allowed vlan 70,100 - as per your example this allows VLANs 70 and 100
BB(config-if)#switchport mode trunk
BB(config-if)#no shut
ASA Side:
=========
config t
!
int e0/1
no ip address
no security-level
no nameif inside
!
interface GigabitEthernet0/1.70
vlan 70
nameif VOIP
security-level 100
ip address 172.16.xx.xx 255.255.xx.xx
!
interface GigabitEthernet0/1.100
vlan 100
nameif inside
security-level 100
ip address 10.85.xx.xx 255.255.xx.xx
11-28-2018 07:59 PM
Dear Bala JI,
Please let me know whether there is any command on the ASA 5525 to enable a trunk that allows all VLANs.
11-29-2018 12:54 AM
What code version are you running on the ASA? On most code the config below should work; if not, what error are you getting? Post the configuration.
This config allows all the VLANs.
Int gi 0/1
no ip address
no security-level
no nameif inside
and map a sub-interface for each VLAN as per the last config.
11-29-2018 08:46 AM
Dear Bala ji,
I am going to run the code below; will this work to pass all three VLANs via sub-interfaces and allow inter-VLAN communication?
interface GigabitEthernet0/1.70
vlan 70
nameif VOIP
security-level 100
ip address 172.16.xx.xx 255.255.xx.xx
!
interface GigabitEthernet0/1.100
vlan 100
nameif inside
security-level 100
ip address 10.85.xx.xx 255.255.xx.xx
interface GigabitEthernet0/1.110
vlan 110
nameif camera
security-level 100
ip address 192.60.xx.xx 255.255.xx.xx
!
same-security-traffic permit inter-interface
11-29-2018 09:28 AM
Test and let me know; bear in mind you need to add the additional VLAN to the trunk allowed list:
switchport trunk allowed vlan 70,100,110 (switch side)
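For reference, the following is an added example assembled from the thread, not configuration posted by any participant: the switch trunk, the three ASA sub-interfaces with unique nameifs, the same-security routing command, and a per-VLAN DHCP pool (the part of the original question no reply covered). All addresses are constructed placeholders; the interface names, VLAN IDs and lease time are taken from the thread.

```text
! Switch side (IOS): trunk toward the ASA carrying only the three VLANs in use
interface FastEthernet0/0
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 70,100,110
 switchport mode trunk
 no shutdown
!
! ASA side: the physical port is a bare trunk parent, one sub-interface per VLAN
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.70
 vlan 70
 nameif VOIP
 security-level 100
 ip address 172.16.70.1 255.255.255.0
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.85.100.1 255.255.255.0
!
interface GigabitEthernet0/1.110
 vlan 110
 nameif camera
 security-level 100
 ip address 10.85.110.1 255.255.255.0
!
! All three sub-interfaces share security-level 100, so one global command routes between them
same-security-traffic permit inter-interface
!
! One DHCP pool per named interface (constructed ranges); clients on each VLAN receive
! that sub-interface's own address as their default gateway unless dhcpd option 3 overrides it
dhcpd dns 10.85.100.10 interface VOIP
dhcpd address 172.16.70.50-172.16.70.200 VOIP
dhcpd lease 28800 interface VOIP
dhcpd enable VOIP
!
dhcpd dns 10.85.100.10 interface camera
dhcpd address 10.85.110.50-10.85.110.200 camera
dhcpd lease 28800 interface camera
dhcpd enable camera
```

Note that same-security-traffic permit inter-interface lets VOIP, inside and camera talk freely with no ACL in the path, which removes the segmentation the VLANs were created for. If the camera or phone VLAN should be restricted, give those sub-interfaces different security levels or bind interface ACLs, as Andy described, instead of relying on the global permit.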