05-21-2015 10:07 PM - edited 03-08-2019 12:07 AM
I have an ASA 5505 connected to a Layer 3 (3750) switch (Inside). I have created VLAN interfaces on the 3750 switch and enabled IP routing on the switch to enable the VLANs to communicate with each other.
Vlan Interfaces on the switch:
Vlan 10: 192.168.10.254
Vlan 20: 192.168.20.254
Vlan 30: 192.168.30.254
I want the devices connected to the 3 vlans to be able to pass through the firewall and get out to the internet.
I have connected the ASA to the 3750 by routed interfaces (192.168.1.1) --------- (192.168.1.2) and they are able to ping each other.
I have also put a default route on the 3750 sending all traffic from the switch to the ASA inside interface (192.168.1.1)
05-21-2015 10:33 PM
Apply NAT on ASA and put route for all three Vlan subnets towards 3750's routed interface - 192.168.1.2.
05-21-2015 11:22 PM
Hi, Thank you for responding. Below is the config that I have, I still couldn't ping the 192.168.20.x or 192.168.30.x from the firewall inside interface.
L3 Switch
vlan 10
name Link to ASA
interface Vlan10
description Link to ASA
ip add 10.10.10.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.10.1
interface GigabitEthernetx/x
description Link to ASA
switchport mode access
switchport access vlan 10
switchport nonegotiate
spanning-tree portfast
no shutdown
ASA
interface vlan 1
description Link to Core
nameif inside
security-level 100
ip add 10.10.10.1 255.255.255.0
route inside 192.168.20.0 255.255.255.0 10.10.10.2
route inside 192.168.30.0 255.255.255.0 10.10.10.2
05-22-2015 05:36 AM
Hi edwardd0017,
Do all the devices in VLANs 20 and 30 have their default gateways set to 192.168.20.254 and 192.168.30.254, respectively? Can the devices in VLANs 20 and 30 ping each other; i.e. is inter-VLAN routing working?
Also, and as Vivek highlighted, in the original post you say that VLAN10's SVI IP address is 192.168.10.254, then you say in the next paragraph:
"I have connected the ASA to the 3750 by routed interfaces (192.168.1.1) --------- (192.168.1.2) and they are able to ping each other."
And after that in your configuration, you're configuring the interfaces of the 3750 and the ASA in the 10.10.10.0/24 subnet. So we're not sure which one is the correct one.
Also, (and this is just a technicality) for the connection to be a "routed" interface between the 3750 and the ASA, you need to configure it on the 3750 with the command "no switchport", and then add the IP address directly on the physical port, and not on the SVI. As I mentioned, this is just a technicality in terms of calling the port a "routed" port, however this shouldn't stop your configuration from working, because an SVI should work just as well (theoretically at least).
Furthermore, if you do want the link between the ASA and the 3750 to be a routed interface, then you're better off just applying /30 subnet to the link, and making it a point-to-point link.
Example:
!On the 3750
!
configure terminal
!
interface GigabitEthernetx/x
description Link to ASA
no switchport
ip address 10.10.10.2 255.255.255.252
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
end
Other than that, I'm not familiar with the ASA CLI, but is there a reason why you're specifically assigning the IP address 10.10.10.1 on the VLAN 1 interface of the ASA???
05-22-2015 08:30 AM
Hi john.laham,
To answer your questions, I'm able to ping between VLAN 20 and 30, therefore the inter-VLAN routing is working. The reason why I'm assigning the IP address on VLAN 1 of the ASA is that the ASA model that I have does not allow you to set an IP on its physical interface. I have an ASA 5505 with base license, I think I can only have 3 VLANs in it and trunking is not available for the base license. My main objective here really is to have my 3750 handle all the routing.
I apologize for the confusion; below is the actual config:
L3 Switch
vlan 10
name Link to ASA
!
interface Vlan10
description Link to ASA
ip add 192.168.1.2 255.255.255.0
!
vlan 20
name Servers
!
interface vlan 20
description Server Vlan
ip add 192.168.20.254 255.255.255.0
!
vlan 30
name Workstation
!
interface Vlan 30
ip add 192.168.30.254 255.255.255.0
!
interface GigabitEthernet1/0/48
description Link to ASA
switchport mode access
switchport access vlan 10
switchport nonegotiate
spanning-tree portfast
no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ASA
interface vlan 1
description Link to Core
nameif inside
security-level 100
ip add 192.168.1.1 255.255.255.0
!
route inside 192.168.20.0 255.255.255.0 192.168.1.2
route inside 192.168.30.0 255.255.255.0 192.168.1.1
05-22-2015 08:39 AM
Dunno if this was a typo, but your route statement for VLAN 30 (subnet 192.168.30.0) on the ASA is pointing to the wrong IP address.
route inside 192.168.30.0 255.255.255.0 192.168.1.1
Should be:
route inside 192.168.30.0 255.255.255.0 192.168.1.2
If that doesn't solve the issue, then please provide us with your "show ip route" outputs. Also a traceroute from the ASA to a device on either of the VLANs.
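An added example, not part of the original thread: a small Python check for the mistake pointed out above, a static route whose next hop is the ASA's own interface address instead of the switch. The function name `audit_static_routes` is hypothetical, and the sample input is constructed from the ASA lines posted earlier in the thread.

```python
import ipaddress

# Constructed sample: the ASA lines from the "actual config" post in this thread.
ASA_CONFIG = """\
interface vlan 1
 nameif inside
 security-level 100
 ip add 192.168.1.1 255.255.255.0
route inside 192.168.20.0 255.255.255.0 192.168.1.2
route inside 192.168.30.0 255.255.255.0 192.168.1.1
"""

def audit_static_routes(config):
    """Return (destination, next_hop, problem) for each suspect static route."""
    interfaces = {}  # nameif -> IPv4Interface configured on that interface
    routes = []      # (nameif, destination network, next hop)
    nameif = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            nameif = None  # a new interface block starts; forget the old name
        elif words[0] == "nameif" and len(words) == 2:
            nameif = words[1]
        elif words[:2] in (["ip", "add"], ["ip", "address"]) and nameif and len(words) >= 4:
            interfaces[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[0] == "route" and len(words) >= 5:
            dest = ipaddress.ip_network(f"{words[2]}/{words[3]}")
            routes.append((words[1], dest, ipaddress.ip_address(words[4])))
    findings = []
    for name, dest, hop in routes:
        iface = interfaces.get(name)
        if iface is None:
            problem = f"no interface named {name}"
        elif hop == iface.ip:
            problem = f"next hop is the ASA's own {name} address"
        elif hop not in iface.network:
            problem = f"next hop is not on the {name} subnet {iface.network}"
        else:
            continue  # next hop is a neighbour on the connected subnet
        findings.append((str(dest), str(hop), problem))
    return findings

if __name__ == "__main__":
    for finding in audit_static_routes(ASA_CONFIG):
        print(finding)
```
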
05-29-2015 04:31 PM
A post in this discussion has been removed due to possible misconduct. Please refer to the CSC terms of use for more details.
11-23-2019 09:10 AM
on Asa 5505 cli
you need to
go to global config mode
conf t
then
route outside 0.0.0.0 0.0.0.0 ip address of outside interface.
route inside 192.168.10.0 255.255.255.0 10.10.1.1
route inside 192.168.20.0 255.255.255.0 10.10.1.1
you need to make some NAT rule implementation like
object network NAT
 subnet 192.168.1.0 255.255.255.0
object network NATV-LAN10
 subnet 192.168.10.0 255.255.255.0
object network NATV-LAN20
 subnet 192.168.20.0 255.255.255.0
object network NATV-LAN30
 subnet 192.168.30.0 255.255.255.0
11-23-2019 09:14 AM
11-23-2019 09:12 AM
Is that like this?
object network NAT
 subnet 192.168.1.0 255.255.255.0
object network NATV-LAN10
 subnet 192.168.10.0 255.255.255.0
object network NATV-LAN20
 subnet 192.168.20.0 255.255.255.0
object network NATV-LAN30
 subnet 192.168.30.0 255.255.255.0