Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8885
Views
21
Helpful
9
Replies

Configuring Layer 3 switch behind cisco ASA 5505

edwardd0017
Level 1
Level 1

‎05-21-2015 10:07 PM - edited ‎03-08-2019 12:07 AM

I have an ASA 5505 connected to a Layer 3 (3750) switch (Inside) .I have created vlan interfaces on the 3750 switch and enabled ip routing on the switch to enable the vlans to communicate with each other.

Vlan Interfaces on the switch:

Vlan 10: 192.168.10.254

Vlan 20: 192.168.20.254

Vlan 30: 192.168.30.254

I want the devices connected to the 3 vlans to be able to pass through the firewall and get out to the internet.

 

I have connected the ASA to the 3750 by routed interfaces (192.168.1.1) --------- (192.168.1.2) and they are able to ping each other.

I have also put a default route on the 3750 sending all traffic from the switch to the ASA inside interface (192.168.1.1)

 

1 person had this problem
Labels:
0 Helpful
9 Replies 9

vivek srivastava
Level 7
Level 7

‎05-21-2015 10:33 PM

Apply NAT on ASA and put route for all three Vlan subnets towards 3750's routed interface - 192.168.1.2.

 

edwardd0017
Level 1
Level 1
In response to vivek srivastava

‎05-21-2015 11:22 PM

Hi, Thank you for responding. Below is the config that I have, I still couldn't ping the 192.168.20.x or 192.168.30.x from the firewall inside interface.

 

L3 Switch

vlan 10

name Link to ASA

interface Vlan10

description Link to ASA

ip add 10.10.10.2 255.255.255.0

 

ip route 0.0.0.0 0.0.0.0 10.10.10.1

 

interface GigabitEthernetx/x

description Link to ASA

switchport mode access

switchport access vlan 10

switchport nonegotiate

spanning-tree portfast

no shutdown

 

 

 

 

ASA

interface vlan 1

description Link to Core

nameif inside

security-level 100

ip add 10.10.10.1 255.255.255.0

 

route inside 192.168.20.0 255.255.255.0 10.10.10.2

route inside 192.168.30.0 255.255.255.0 10.10.10.2

0 Helpful

john.laham
Level 1
Level 1
In response to edwardd0017

‎05-22-2015 05:36 AM

Hi edwardd0017,

Do all the devices in VLANs 20 and 30 have their default gateways set to 192.168.20.254 and 192.168.30.254, respectively? Can the devices in VLANs 20 and 30 ping each other; i.e. is inter-VLAN routing working?

Also, and as Vivek highlighted, in the original post you say that VLAN10's SVI IP address is 192.168.10.254, then you say in the next paragraph:

"I have connected the ASA to the 3750 by routed interfaces (192.168.1.1) --------- (192.168.1.2) and they are able to ping each other."

And after that in your conflagration, you're configuring the interfaces of the 3750 and the ASA in the 10.10.10.0/24 subnet. So we're not sure which one is the correct one.

Also, (and this is just a technicality) for the connection to be a "routed" interface between the 3750 and the ASA, you need to configure it on the 3750 with the command "no switchport", and then add the IP address directly on the physical port, and not on the SVI. As I mentioned, this is just a technicality in terms of calling the port a "routed" port, however this shouldn't stop your configuration from working, because an SVI should work just as well (theoretically at least).

Furthermore, if you do want the link between the ASA and the 3750 to be a routed interface, then you're better off just applying /30 subnet to the link, and making it a point-to-point link.

Example:

!On the 3750
!
configure terminal
!
interface GigabitEthernetx/x
description Link to ASA
no switchport
ip address 10.10.10.2 255.255.255.252
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
end

 

Other than that, I'm not familiar with the ASA CLI, but is there a reason why you're specifically assigning the IP address 10.10.10.1 on the VLAN 1 interface of the ASA???

0 Helpful

edwardd0017
Level 1
Level 1
In response to john.laham

‎05-22-2015 08:30 AM

Hi john.laham,

To answer your questions, I'm able to ping between Vlan 20 and 30, therefore the inter-VLAN routing is working. The reason why I'm assigning the ip address on the vlan 1 of the ASA because the ASA model that I have does not allow you to set ip to it's physical interface. I have an ASA 5505 with base license, I think I can only have 3 vlans in it and trunking is not available for the base license. My main objective here really is to have my 3750 handle all the routing.

I apologize for the confusion below is the actual config:

 

L3 Switch

vlan 10

name Link to ASA

!

interface Vlan10

description Link to ASA

ip add 192.168.1.2 255.255.255.0

!
vlan 20
name Servers
!
interface vlan 20
description Server Vlan
ip add 192.168.20.254 255.255.255.0
!
vlan 30
name Workstation
!
interface Vlan 30
ip add 192.168.30.254 255.255.255.0

interface GigabitEthernet1/0/48

description Link to ASA

switchport mode access

switchport access vlan 10

switchport nonegotiate

spanning-tree portfast

no shutdown

!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!

 

  

 

ASA

interface vlan 1

description Link to Core

nameif inside

security-level 100

ip add 192.168.1.1 255.255.255.0

route inside 192.168.20.0 255.255.255.0 192.168.1.2

route inside 192.168.30.0 255.255.255.0 192.168.1.1

 

0 Helpful

john.laham
Level 1
Level 1
In response to edwardd0017

‎05-22-2015 08:39 AM

Dunno if this was a typo, but your route statement for VLAN 30 (subnet 192.168.30.0) on the ASA is pointing to the wrong IP address.

route inside 192.168.30.0 255.255.255.0 192.168.1.1

Should be:

route inside 192.168.30.0 255.255.255.0 192.168.1.2

If that doesn't solve the issue, then please provide us with your "show ip route" outputs. Also a traceroute from the ASA to a device on either of the VLANs.

 

amchang
Cisco Employee
Cisco Employee
In response to john.laham

‎05-29-2015 04:31 PM

A post in this discussion has been removed due to possible misconduct. Please refer to the CSC terms of use for more details.

0 Helpful

bangalore.samanta08
Level 1
Level 1
In response to john.laham

‎11-23-2019 09:10 AM

on Asa 5505 cli

 

you need to 

go to global config mode

conf t

 

then 

route outside 0.0.0.0 0.0.0.0 ip address of outside interface.

route inside 192.168.10.0 255.255.255.0 10.10.1.1

route inside 192.168.20.0 255.255.255.0  10.10.1.1

 

you need make some nat rule implementation like

 

 

object network NAT
 subnet 192.168.1.0 255.255.255.0
object network NATV-LAN10
 subnet 192.168.10.0 255.255.255.0
object network NATV-LAN20
 subnet 192.168.20.0 255.255.255.0
object network NATV-LAN30
 subnet 192.168.30.0 255.255.255.0

 

 

0 Helpful

bangalore.samanta08
Level 1
Level 1
In response to john.laham

‎11-23-2019 09:14 AM

Tell me please. How to give no switchport command on cisco sf-300 switch?
0 Helpful

bangalore.samanta08
Level 1
Level 1
In response to vivek srivastava

‎11-23-2019 09:12 AM

Is that like this?

object network NAT
 subnet 192.168.1.0 255.255.255.0
object network NATV-LAN10
 subnet 192.168.10.0 255.255.255.0
object network NATV-LAN20
 subnet 192.168.20.0 255.255.255.0
object network NATV-LAN30
 subnet 192.168.30.0 255.255.255.0
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card