10-11-2008 11:53 PM - edited 03-06-2019 01:53 AM
Hi All,
I am attaching a diagram of a network. As per the diagram, do I need an L3 connection from my switch to the Firewall (using the no switchport command), or will the current configuration work or not? Please check.
regards
10-12-2008 07:44 AM
Jacob
It looks from your diagram as though vlan 1 is being routed on the 6500 but also the ASA firewall inside interface is on vlan 1 as well. What is the default-gateway on your vlan 1 clients, i.e. internet users - is it the vlan 1 interface on the 6500 or the inside interface of the ASA?
I would have a dedicated vlan for communication between the 6500 and the ASA device and definitely not use vlan 1. The default-gateway for clients in vlan 1 should be the 6500 vlan 1 interface. Then use a vlan that only the ASA inside interface and the 6500 L3 SVI are in.
The advantage of a vlan is if you then want another ASA for redundancy you can just add the standby ASA inside interface into the same vlan - so allocate a /29 for the IP subnet just for future use.
Ideally vlan 1 shouldn't be used at all for client data but that's another issue :)
Jon
10-12-2008 10:48 PM
Dear Jon,
Thanks for the input.
Gateway is the Vlan 1 Interface IP on 6500 and there is a default route to FW inside interface IP.
So I need an L3 SVI on the 6500 switch for the solution to work? In the current scenario it is not.
My main doubt is this .... the connection from the switch to the Firewall inside.
The interface configuration on 6500 is -
config-if#switchport mode access
config-if#switchport access vlan 1
How can the port be the member of a vlan that is connecting to the L3 physical interface (inside) of the firewall? As what you have suggested, it should be an L3 interface, right? I am confused about the L2 Vlan and the L3 physical Interface connection.
I need some clarity on this part; please provide your kind update.
regards
10-13-2008 01:34 AM
Jacob
You need to use an unused vlan for the connectivity. So let's assume vlan 30 with an IP subnet of 192.168.5.0 255.255.255.248.
192.168.5.1 will be the 6500 end of the connection between the 6500 and ASA and 192.168.5.2 will be the inside interface of the ASA.
On the 6500 switch
Create L2 vlan
6500(config)# vlan 30
6500(config-vlan)# name 6500_to_FW
6500(config)# interface vlan 30
6500(config-if)# ip address 192.168.5.1 255.255.255.248
On the interface on the 6500 that the ASA is connected into
int gix/xx
switchport access vlan 30
Change the default route to
ip route 0.0.0.0 0.0.0.0 192.168.5.2
On the ASA change the inside address to 192.168.5.2
ip address inside 192.168.5.2 255.255.255.248
and then you need to add static routes for any vlans on the 6500 that the ASA needs to send packets to, e.g.
route (inside)
Note that we could use a dynamic routing between the 6500 and the ASA but we'll keep it simple with statics :)
Jon
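As an added example (not part of the thread and not Cisco's own tooling), the script below checks the transit-VLAN design Jon describes against plain-text configuration snippets: the firewall-facing access port must be in a VLAN that has an SVI, that SVI's subnet must contain the ASA inside address, the two ends must not share an address, the 6500 default route must point at the ASA inside address, and the transit VLAN should not be VLAN 1. The sample configurations are constructed from the values in the thread (vlan 30, 192.168.5.0/29, .1 on the 6500, .2 on the ASA); the port name gi1/1 and the 10.0.0.0/24 addresses used for the "before" scenario are assumptions, since the thread does not give them.

```python
"""Check that a switch-to-firewall link uses a proper dedicated L3 transit VLAN."""
import ipaddress
import re

# Constructed sample: the 6500 side after Jon's change.
SWITCH_CONFIG = """
vlan 30
 name 6500_to_FW
interface vlan 30
 ip address 192.168.5.1 255.255.255.248
interface gi1/1
 switchport mode access
 switchport access vlan 30
ip route 0.0.0.0 0.0.0.0 192.168.5.2
"""

# Constructed sample: the ASA inside interface after the change.
ASA_CONFIG = "ip address inside 192.168.5.2 255.255.255.248\n"

# Constructed sample of the original scenario: ASA and clients both in VLAN 1.
# The 10.0.0.0/24 addresses are assumed; the thread does not state them.
ORIGINAL_SWITCH_CONFIG = """
interface vlan 1
 ip address 10.0.0.1 255.255.255.0
interface gi1/1
 switchport mode access
 switchport access vlan 1
ip route 0.0.0.0 0.0.0.0 10.0.0.254
"""
ORIGINAL_ASA_CONFIG = "ip address inside 10.0.0.254 255.255.255.0\n"


def parse_switch(text):
    """Return (svis, access_ports, default_next_hop) from IOS-style config text."""
    svis = {}      # vlan id -> IPv4Interface of the SVI
    access = {}    # port name -> access vlan id
    default_nh = None
    current = None  # ("svi", vlan) or ("port", name) for the section being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"interface vlan\s*(\d+)$", line, re.I)
        if m:
            current = ("svi", int(m.group(1)))
            continue
        m = re.match(r"interface (\S+)$", line, re.I)
        if m:
            current = ("port", m.group(1))
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current and current[0] == "svi":
            svis[current[1]] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"switchport access vlan (\d+)$", line)
        if m and current and current[0] == "port":
            access[current[1]] = int(m.group(1))
            continue
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m:
            default_nh = ipaddress.IPv4Address(m.group(1))
    return svis, access, default_nh


def parse_asa_inside(text):
    """Return the ASA inside interface address as an IPv4Interface, or None."""
    m = re.search(r"ip address inside (\S+) (\S+)", text)
    return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}") if m else None


def check_transit_vlan(switch_text, asa_text, fw_port):
    """Return a list of findings; an empty list means the design is consistent."""
    findings = []
    svis, access, default_nh = parse_switch(switch_text)
    asa = parse_asa_inside(asa_text)
    vlan = access.get(fw_port)
    if vlan is None:
        return [f"{fw_port} has no access VLAN configured"]
    if vlan == 1:
        findings.append("firewall-facing port is in VLAN 1; use a dedicated transit VLAN")
    svi = svis.get(vlan)
    if svi is None:
        findings.append(f"no SVI for VLAN {vlan}: the 6500 cannot route to the ASA over it")
        return findings
    if asa is None:
        findings.append("ASA inside interface has no IP address")
        return findings
    if asa.network != svi.network:
        findings.append(f"ASA inside {asa} is not in the SVI subnet {svi.network}")
    if asa.ip == svi.ip:
        findings.append("ASA inside address collides with the SVI address")
    if default_nh != asa.ip:
        findings.append(f"6500 default route next hop {default_nh} is not the ASA inside address {asa.ip}")
    return findings


if __name__ == "__main__":
    print("after :", check_transit_vlan(SWITCH_CONFIG, ASA_CONFIG, "gi1/1") or "OK")
    print("before:", check_transit_vlan(ORIGINAL_SWITCH_CONFIG, ORIGINAL_ASA_CONFIG, "gi1/1"))
```

Run it against your own `show running-config` output for the switch and the ASA inside interface, passing the name of the port the ASA plugs into; the "before" sample reproduces the original VLAN 1 design and reports the single finding Jon raised, while the transit-VLAN sample comes back clean.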
10-14-2008 06:20 AM
Jon Thank you for the information.