cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8754
Views
64
Helpful
31
Replies

Routing between Vlans

WezMorris40
Level 1
Level 1

We run a small company network where everything runs on the native VLan but recently a second internet line and server was installed on a second VLan.

Attached is a pic of the network setup and our current config.

Currently the orange Vlan (VLan 30) has zero communication with the rest of the network. What steps would I need to take so that we could remote desktop to that server?

I can't see a way of getting the Inside and BT_DMZ interfaces to talk to each other.

Our end game is to eventually get the DMZ using the BT managed router and ditch the PIX entirely.

I'm fairly rookie when it comes to networking, most of what I've done is through the ASDM gui and even then most was guesswork.

Any help you could provide is much appreciated

2 Accepted Solutions

Accepted Solutions

martin_knorre
Level 1
Level 1

defenitly you need the .1q trunking, you want to allow the configured vlan tagging over this link, so you go to the configuration interface and configure the vlans.

In your case exactly server vlan, native vlan (1), dmz etc.

I would suggest you to configure the switch via the cli, its a bit harder but you have better control of the configuration.

And on the Firewall you create vor every vlan an interface which has the dot1q trust for the vlan.

And regarding to your question a bridging between VLAN must be done over a Layer 3 instance like a router or firewall.

Regards Martin    

View solution in original post

Yes, when you configure subinterfaces on an ASA physical interface, it will automatically change it to a trunk port. So there is nothing you need to

modify/add on the ASA physical interface.

Next would be to check where it's failing. As per your ASA packet tracer, it passes through all stages, that means, nothing is incorrect from the ASA point of view.

A few things to check:

1) The hosts that you are trying to reach, can you please check if personal firewall, etc is enabled as it can block inbound connection from different subnet if it's enabled. Try to disable and see if it works.

2) I assume that the hosts default gateway is configured to be the corresponding ASA interfaces ip address? If not, do they have the correct route?

3) Lastly, are you able to ping from the same subnet and/or RDP from within the same subnet?

Also please add inspect for icmp as follows:

policy-map global_policy
class inspection_default

     inspect icmp

View solution in original post

31 Replies 31

Jennifer Halim
Cisco Employee
Cisco Employee

I am assuming that you would like to RDP from the inside network (10.20.1.0/24) towards BT DMZ network (10.20.3.0/24), Is this a correct assumption?

If it is, it looks like the subinterface is something that you have just recently added as you already have ip address configured on that interface (0/3) for dmz subnet (10.20.2.0).

So again, if the above is correct, you will need to perform a couple of changes:

1) ASA interface 0/3 needs to be connected to the switch as a trunk (802.1q trunk) and allowing both the dmz and bt-dmz VLANs.

2) Then you will need to configure the following static NAT statement:

static (inside,bt-dmz) 10.20.1.0 10.20.1.0 netmask 255.255.255.0


3) "clear xlate" after the changes, and it should communicate now.

Thanks for the fast reply

Thats correct. We'd need to rdp at the very least, untill the lines get swapped.

Not sure I understand what you mean by connectiong as a trunk. There's a physical cable running between the switch and ASA5510, do I need to change the type of connection it is? If so, how?

I've set up the nat rule and run clear xlate but still not getting anything back from ping or rdp

Yes, on the switch port which is connected to the ASA port 0/3, you will need to change it from "access" port to "trunk" port, and the trunk type needs to be dot1q. This is the configuration change that you will need to make on the switch (in particular the switch port interface that connects to the ASA).

I've looked at the switch and it appears to already be set at trunk on port 24 (where the ASA 0/3 connects). However, I can't see anything about changing the type of trunk to 802.1Q.

Several of the ports on the switch are set to VLan30, but port 24 isn't one of them. Is there some kind of bridging between the vlans that needs to be done on the switch first?

Did some looking around and found this page http://www.cisco.com/en/US/products/ps9967/products_qanda_item09186a0080a36802.shtml
which explains a bit about the configuration.

One of the options for Interface settings is :

  • Interface VLAN Mode - Indicates the port mode. Possible values are:

- General - The port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1Q mode).
- Access - The port belongs to a single untagged VLAN. When a port is in Access mode, the packet types which are accepted on the port (packet type) cannot be designated. It is also not possible to enable/disable ingress filtering on an access port.
- Trunk - The port belongs to VLANs in which all ports are tagged (except for an optional single native VLAN).

Does that mean I need to use "General" instead of trunk? Or would Trunk automatically assume that it's dot1q?

martin_knorre
Level 1
Level 1

Hi,

regarding to your visio file, you can dump your PIX ;-)

If you do so, you have to configure one int of the ASA for the BT Link, 1 should be free, or?

For more scalability you should create a subinterface on the ASA tag it with the VLAN 300, one Subint.  for the server VLAN.

And for security reasons you should dump the native vlan 1 and set up another one for clients etc.

I hope that this is not too much for you ;-)

But contact me if you have some questions about my ideas...

cheers

Martin          

Ditch the PIX and run both lines through the ASA? That'd be a very welcome end solution, but I think I might have to take baby steps at the moment.

The ASA has 4 ports, all are currently used, though if we could isolate the 192.168.2.16 server on the SGE2000 switch that'd solve a few problems and free up a port for the BT link. The BT line could then use the internal3 interface (which would connect with vlan30, giving it a route to serve out)?

Unfortunately this is the first time I've worked with interfaces and vlans so it's a pretty steep learning curve. Is there any good reading material for getting started on this?

Yes I know the whole VLAN / Trunking thematics are very confusing at the beginning and sometimes

its still to me ;-) I started 3 years ago with networking cisco and so on, and at the beginning, I read a lot of the cisco sample configuration guides and technical references.

http://www.ciscopress.com/articles/article.asp?p=29803

And for you it is important to understand the router on a stick principales with subinterfaces, look for some informations via google or other searchengines... trust me you find a lot and if you have more questions don't hesitate and ask

greets Martin         

martin_knorre
Level 1
Level 1

defenitly you need the .1q trunking, you want to allow the configured vlan tagging over this link, so you go to the configuration interface and configure the vlans.

In your case exactly server vlan, native vlan (1), dmz etc.

I would suggest you to configure the switch via the cli, its a bit harder but you have better control of the configuration.

And on the Firewall you create vor every vlan an interface which has the dot1q trust for the vlan.

And regarding to your question a bridging between VLAN must be done over a Layer 3 instance like a router or firewall.

Regards Martin    

I'm just a little weary of using the cli to configure the switch/asa, though I can appreciate that it's a lot easier.

I believe the switch is set up correctly (the port type is set tp trunk), but dont know how to get to the cli for it.

Is there a command to check if the firewall interface is setup to handle 802.1q?

I'm at a point now where the asdm packet tracer tool says a packet is allowed between 2 ip addresses (inside to bt_dmz, screenshot included) but I still can't ping or remote desktop. Not sure I quite understand why that's the case

Yes, when you configure subinterfaces on an ASA physical interface, it will automatically change it to a trunk port. So there is nothing you need to

modify/add on the ASA physical interface.

Next would be to check where it's failing. As per your ASA packet tracer, it passes through all stages, that means, nothing is incorrect from the ASA point of view.

A few things to check:

1) The hosts that you are trying to reach, can you please check if personal firewall, etc is enabled as it can block inbound connection from different subnet if it's enabled. Try to disable and see if it works.

2) I assume that the hosts default gateway is configured to be the corresponding ASA interfaces ip address? If not, do they have the correct route?

3) Lastly, are you able to ping from the same subnet and/or RDP from within the same subnet?

Also please add inspect for icmp as follows:

policy-map global_policy
class inspection_default

     inspect icmp

Thanks Jen, that was pretty helpful!


I've checked the test machine and disabled the windows firewall which now allows me to ping and remote desktop across successfully.

I'm guessing I just need to spend time tweaking the default rules.

The only issue is that I've had to change the computer's default gateway to the ASA insterface, not the PIX that currently serves out. So now I can access the server, but it can't get to the BT line.

I think I might try bin the PIX and run both external links through the ASA. That way the ASA interface and the route out is on the same gateway.

Or, alternatively, if you don't want to change the default gateway, you can add static route on the PC for the network that you would like to reach to point towards the ASA interface. However, you would need to add the static route on all the PCs that you want access to those servers LAN.

Hey, got another question regarding this vlan and interfaces.

The current plan is to run both outside lines through the ASA and I figured that I could just set the second line's interface to vlan30.

However, looking on the ASDM, it won't let me change Ethernet0/2 from native. (BT_outside is the new outside line)

Is this something to do with subinterfaces? Bascially I want the BT_DMZ (which is on vlan 30) to be serving out on the BT_outside line.

everything is fine, the incoming traffic from BT is untagged (normally) so you leave the interface in native mode.

And if you want to direct the VLAN 30 traffic to the BT, set the subinterface of the BT with default gateway 195.x.x.x.

Regards Martin

Review Cisco Networking for a $25 gift card