02-08-2008 12:32 PM - edited 03-05-2019 09:02 PM
Hi,
I am very new to Cisco hardware and VLANs in general. We have a very simple network setup (ASA5510 set up as a router/firewall and many switches, of which I am only trying to deal with a Cisco Catalyst 2960).
What I was hoping to do without any additional wiring is to add a VLAN for an AP that would be used for guest access to the internet, but not the internal network.
So on the ASA I created a subinterface off of the main inside interface and on the 2960 I created a new VLAN. Then I tried to configure the port on the 2960 to which the ASA is connected as a trunk port, but at that moment everybody loses the connection to the outside.
Basically, where can I find any documentation on how to properly set this up with the hardware I have?
I am sure I am missing many things, but I do need some guidance.
Thank you
02-08-2008 01:50 PM
Here is a working example.
=======================================
ASA Config
=======================================
interface Ethernet4
description Trunk Only! DO NOT CONFIGURE!!
speed 100
duplex full
no nameif
security-level 10
no ip address
!
interface Ethernet4.100
description WWW DMZ
vlan 100
nameif http
security-level 10
ip address 192.168.200.254 255.255.255.0 standby 192.168.200.253
!
interface Ethernet4.101
description WiFi DMZ
vlan 101
nameif wifi
security-level 10
ip address 172.16.100.254 255.255.255.0 standby 172.16.100.253
!
=====================================
Switch Config
=====================================
DMZSW45#sh run int fa0/47
interface FastEthernet0/47
description Connection to PIX-FW
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100-101
switchport mode trunk
duplex full
speed 100
end
DMZSW45#
HTH
02-11-2008 08:01 AM
Please hang in there with me as I am still getting used to the cmd line. I have tried to do this using the ASDM for the ASA and the Cisco Network Assistant.
The 47 interface, is that the one that is connected to the ASA on port 4?
If so, I believe I have done the same thing using the GUI, but the following happens:
on the port connected to the ASA (Gi0/11) I change the administrative mode from Dynamic Auto to 802.1Q Trunk and set Trunk allowed VLANs to "all". At that point everybody on the network loses internet connectivity, but after a few minutes the settings I changed go back to Dynamic Auto and Static Access for the operational mode.
Any ideas?
02-11-2008 08:25 AM
Correct, fa0/47 is the connection between the switch and the firewall (port 4). It must be a trunk port or it will fail. The only VLANs on the trunk should be the DMZ VLANs or your inside users will lose connectivity.
02-11-2008 08:36 AM
So if I understand this right, I need to have two cables going from the switch to the ASA, one for the inside network and one for the ... well, the "other" inside network. I am purposely not calling it a DMZ, because I want to explain what was my conceptual mistake, I believe.
I was under the impression that if I create a subinterface on the one that I call my INSIDE interface, give it a different IP network like 192.168.2.1, and configure the port on the switch that connects it to the ASA as a trunk and allow all VLANs, that it would work that way.
Obviously I was wrong.
So as said before, I will have my port 0/11 on the switch connect to the ASA 0/1 (inside). Then I will have port 0/12 on the switch connect to the ASA 0/2 (dmz), configure the 0/12 as a trunk and only allow the VLAN 200 (my dmz VLAN) and not the default VLAN 1. That way I will not have the inside traffic flow through the dmz.
Is that correct? Again many thanks for walking me through this.
02-11-2008 08:40 AM
You got it.
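The mistake the thread works through (the ASA-facing trunk left at "allowed vlan all", so the inside VLAN rides the DMZ trunk and inside users drop off) is easy to catch from a `show run interface` stanza. The checker below is an added example, not from the thread or from Cisco; the stanzas it is run on are constructed, and the policy values (inside VLAN 1, DMZ VLANs 100-101 or 200) are the ones the posts use.

```python
"""Lint a Catalyst switchport stanza that faces the ASA's DMZ trunk interface.

Added example: flags a trunk that still carries the inside VLAN, a port left in
dynamic-auto mode (the ASA never negotiates DTP, so it must be a static trunk),
and missing DMZ VLANs. Sample stanzas used in the tests are constructed.
"""
import re

ALL_VLANS = range(1, 4095)


def parse_allowed_vlans(spec):
    """Expand an IOS allowed-vlan list such as '100-101,200' or 'all' into a set."""
    if spec.strip() == "all":
        return set(ALL_VLANS)
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interface(stanza):
    """Collect the switchport settings from one 'interface ...' stanza.

    Defaults mirror a Catalyst port with no explicit config: dynamic auto,
    all VLANs allowed. Encapsulation stays None when not set (a 2960 only
    speaks dot1q and has no encapsulation command at all)."""
    cfg = {"mode": "dynamic auto", "encapsulation": None, "allowed": set(ALL_VLANS)}
    for line in stanza.splitlines():
        line = line.strip()
        if m := re.match(r"switchport mode (\S+(?: \S+)?)$", line):
            cfg["mode"] = m.group(1)
        elif m := re.match(r"switchport trunk encapsulation (\S+)", line):
            cfg["encapsulation"] = m.group(1)
        elif m := re.match(r"switchport trunk allowed vlan (.+)", line):
            cfg["allowed"] = parse_allowed_vlans(m.group(1))
    return cfg


def lint_firewall_uplink(stanza, inside_vlan=1, dmz_vlans=(100, 101)):
    """Return the list of policy findings for the switch port toward the ASA."""
    cfg = parse_interface(stanza)
    findings = []
    if cfg["mode"] != "trunk":
        findings.append("port is not a static trunk (ASA does not negotiate DTP)")
    if cfg["encapsulation"] not in (None, "dot1q"):
        findings.append("trunk encapsulation must be dot1q to match ASA subinterfaces")
    if inside_vlan in cfg["allowed"]:
        findings.append(f"inside VLAN {inside_vlan} is allowed on the DMZ trunk")
    missing = set(dmz_vlans) - cfg["allowed"]
    if missing:
        findings.append(f"DMZ VLAN(s) {sorted(missing)} not allowed on the trunk")
    return findings
```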
02-11-2008 10:42 AM
First of all thank you for babysitting me on this one.
Second, another stupid question: If I configure the ASA and the switch as described before, can I then add another subinterface on the DMZ trunk and make it another VLAN on which I would keep the front end stuff like internet webserver etc., without the WiFi VLAN being able to interact with the new VLAN?
02-11-2008 11:53 AM
I'm not sure I understand 100%. You can create another VLAN on the switch and another sub-interface on the firewall to create a new DMZ. Restricting/allowing communications between the DMZs is handled by the security level and/or ACLs. Does that answer your question?
02-11-2008 12:01 PM
Yes it does.
Thank you. Now I just have to figure out what I am doing wrong as I can't access anything through my new VLAN :-)
I configured the trunk as you said and I configured another port on the switch to belong to the new VLAN, but when I try to ping the subinterface on the ASA I get nothing; it times out.
02-11-2008 12:11 PM
Make sure you have ICMP enabled.
icmp permit any your_dmz_name
Check your ARP cache on the firewall (show arp), you should see the switches' MAC address (from the connected port). If not, something is configured/cabled wrong.
02-11-2008 12:18 PM
right now there are only two implicit rules on the DMZ interface and the WIFI subinterface:
any to any less secure network
02-11-2008 12:22 PM
What about the ARP tables?
02-11-2008 12:23 PM
Couldn't see anything with the 172 IP. I made some changes to the ASA and will test it again now and see what happens. BRB
02-11-2008 12:39 PM
Yeah, I obviously have something screwed up, as I can't see anything in the ARP table.
02-11-2008 12:41 PM
Is it trunking? In the switch: show interface trunk