Hi Jon,

Thank you for replying.  

The port the switch is connected to is in vlan101 as an untagged port.  The switch is a Netgear switch that has a web UI where you pick ports for a vlan and say tagged or untagged.

I got a bit further with the experiment.  I configured a static route using the command line instead of ASDM and now the packet tracer shows that the router now knows that the 192.168.2.0 network is on interface 0/2.

However, I still can't ping from TestLaptop1 to TestLaptop3.  I think this may be because I need to do some kind of trunking on the port that the switch uses to connect to the ASA?  I'm about to start reading about trunking now.  No idea if I have to change the ports to tagged but suspect I need to do something like that.  

I really appreciate your reply.  I'm sure everyone on here is very busy and it's very hard to get a picture of a setup when it's being textually described.

Thanks again,

Jean

That makes sense.  I will mark your answer as correct and try it out in the morning.

Is vlan2 (created by the ASA when I configured interface 0/2) even required?  I can't figure out how to get rid of it in ASDM.  I'm comparing the setup to an existing setup on an ASA 5510 and the 5510 doesn't auto-create vlans.

One last question if you can tolerate it.  I kept the last four ports on the switch spare and left them in the default vlan (also called the management vlan in the GUI).  I am unsure if I should keep this vlan?  I assume I need something that allows a web connection for management purposes.  Currently the switch IP is in the vlan2 range but this means at the moment that only devices in vlan2 can manage the switch.  That has got to be wrong... Should I have ensured the ASA knows about the management vlan as well...?

Thanks again for your reply.  So very much appreciated.

As far as I can see you don't need vlan 2 but I can't help with ASDM as I never use it.

You could create a new vlan for management if you want and include that on the trunk link from the switch.

And you can ask as man questions as you like, that is what these forums are for :)

Jon

Does the forum prefer that questions are split out into new discussions?  I am drawing out my experiment designs and was wondering how a person goes about deciding which vlan to put ASA interfaces in.

In my experiment, the ASA interface is connected to a switch with 3 vlans where one of the vlans is default/management.

Is there best practice guidelines on how to decide which vlan the ASA interface goes in?  

In my mind it seems logical for the interface to be in the management vlan... Otherwise its just a coin toss.

But maybe actually the interface doesn't have to be in a vlan at all?  Maybe I'm just thinking it has to be because that's how the ASA 5505 comes out of the box...?

I can split this out into a new discussion if you prefer.

Thank you again for your replies.  It really, really helps to have real world experienced people who are willing to give up their time to participate in forums.  Invaluable.

Generally speaking if the original question has been answered people open up a new discussion but there are no hard and fast rules so adding to this is fine.

Not sure I understand what you mean here.

Each vlan has a different IP subnet (or should do) and you would therefore put the interfaces into the vlans for the subnets you wanted to firewall.

I think you may be asking a slightly different question so by all means come back and clarify.

Jon

In my experiment I have a switch with 3 vlans on it connected to the ASA (which created another vlan).

In my diagram I have assigned the subnets network addresses but the switch itself hasn't provided anywhere to set this.  I assume I will set this in the ASA itself when I get to that bit.

I need to give the ASA interface an address.  Currently it happens to be in the management vlan segment but that is pure chance.

My question was about how to choose that address and whether or not the vlans that are on the switch affect the decision.

I'm uploading a sketch of the experiment to hopefully explain better what I'm trying to figure out.

If you mean the interface the switch connects to you don't give it an IP address you make it a trunk so it can carry traffic for all vlans.

Then on the ASA you create L3 vlan interfaces for each vlan on the switch and it these L3 vlan interfaces you assign the IP addresses to.

That is how you are then able to route between all vlans although it does depend on the license you have on the ASA.

Does this make sense ?

Jon

Oh!  

That explains why I can't figure it out any why no-one knows what I'm talking about.

I read how to set up trunking but didn't realise that it means the interface itself should not have an IP address (although that makes total sense when I think about it).

OK, I've got more than enough now to carry on with the experiment.

I'm ditching ASDM except for visual representation as I'm not sure it's helping me (rather confusing me).

Thank you again.  The question of what address had been confounding me for days.

No problem, glad to help.

It's a good idea to use the CLI instead because I think it is more intuitive.

Jon

Hi Jon,

CLI is much nicer, I'm creating the 3 vlans now.

Not sure if you noticed my question about what the default gateways should be for the test laptops?  I'm sure this is another obvious thing that I'm not "getting"....

I must have replied wrong somehow because the post jumped ahead of my first reply...

Thanks again,

Jean

Jean

I did notice the question and have answered above  :)

Jon

Ooops! Sorry, didn't spot the reply.  Thanks :)