11-11-2017 10:31 AM - edited 03-08-2019 12:42 PM
Hi All,
Hope you all are doing well. We are running the network in the below structure.
Internet>>Cisco ASA-5505 (Routed)>>Cisco Catalyst (Wireless Mobility)>>AP(LWAPP)>>Users.
We are currently running on one VLAN and having DHCP that is now 80% utilized.
HELP Needed for Below Query:
I need to set up inter-VLAN routing using the ASA-5505 so I can have a new DHCP scope that users can connect to as well. I am unable to do so. I have created a new VLAN100 in the L3 switch and run the ip-routing command. When I go to the ASA I am unable to make a sub-interface. Can you please guide me on how I can make it possible? It is a very urgent requirement. Please guys help me!!!!!
11-11-2017 12:45 PM
Hi,
Use the switch as layer-2 only and have a trunk connection from the switch to the firewall. Do all the routing for both VLANs on the firewall with IP and DHCP. Here is an example of using sub-interfaces on the firewall with vlan 100 and vlan 10. Use your own IP segment as this is just an example:

interface Ethernet0/1.100
 description Inside LAN interface
 vlan 100
 nameif inside
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
! nameif must be unique per interface, so the second sub-interface gets its own name
interface Ethernet0/1.10
 vlan 10
 nameif inside10
 security-level 100
 ip address 10.10.10.1 255.255.255.0

HTH
11-11-2017 01:05 PM
Hi,
Thank you for the response. Actually the ASA-5505 does not support router-on-a-stick configurations. Whenever I write ethernet0/1.19 it gives an unrecognized command error, as the ASA-5505 has all switch ports.
11-11-2017 04:46 PM
Hi,
Ok, thank you for that information. In that case you can create 2 SVIs on your switch for vlan 10 and 100 and also use a 3rd layer-3 access vlan for connectivity between the switch and the firewall. Then on the switch all you need is a default route pointing to the ip address on the firewall.
HTH
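The design described in the reply above, written out as an added configuration sketch that is not part of the original thread. The transit VLAN 999, the 10.10.255.0/30 link subnet, the switch port GigabitEthernet0/1 and the ASA port Ethernet0/1 are assumptions for illustration; the 10.10.10.0/24 and 10.10.100.0/24 subnets reuse the example addressing from earlier in the thread.

```cisco
! ---- Layer-3 switch (IOS) ----
ip routing
!
vlan 10
vlan 100
vlan 999
!
! SVIs act as the default gateway for each user VLAN
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no shutdown
interface Vlan100
 ip address 10.10.100.1 255.255.255.0
 no shutdown
!
! Transit VLAN: point-to-point link to the firewall (assumed addressing)
interface Vlan999
 ip address 10.10.255.2 255.255.255.252
 no shutdown
!
! Access port cabled to an ASA 5505 switch port (assumed port name)
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 999
!
! Everything not local goes to the firewall
ip route 0.0.0.0 0.0.0.0 10.10.255.1

! ---- ASA 5505 ----
! The link is untagged, so the ASA-side VLAN number need not match 999
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.255.1 255.255.255.252
interface Ethernet0/1
 switchport access vlan 1
!
! Return routes: without these the ASA cannot reach the user subnets
route inside 10.10.10.0 255.255.255.0 10.10.255.2
route inside 10.10.100.0 255.255.255.0 10.10.255.2
```

With this layout, traffic between VLAN 10 and VLAN 100 is routed on the switch and never crosses the ASA, so any filtering between the two has to be done with ACLs on the switch. Existing NAT rules on the ASA also need to cover the new source subnets for Internet access to work.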
11-11-2017 07:23 PM
Hi Reza,
Noted!!! Can you please share a config example with me so I can do it? I am unable to do so.
11-11-2017 07:28 PM
Have a look at this post for an example:
HTH
11-12-2017 07:46 AM
One more addition:
If you want to use the ASA "on a stick", you have to configure additional VLANs and use a switch port in trunk-mode. You could also assign a VLAN to a spare switchport and connect the ASA with multiple links to your switch.
But keep in mind that the ASA only has FastEthernet interfaces and is quite limited in throughput.
I would only configure the VLANs on the ASA that need to be restricted like guest-VLANs and configure all other VLANs on the switch.
11-12-2017 08:50 AM
Hi,
I have done it another way. I have created another VLAN and connected one switchport to a firewall switchport and assigned the same VLAN that needs to run on the SSID. And it is working. I will test it and will let you know. Thank you guys!!!!