Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1952
Views
5
Helpful
5
Replies

static route ASA 5506-x firewall to L3 Switch

Go to solution
Hanif Saharudin
Level 1
Level 1

‎03-26-2017 08:45 PM - edited ‎03-08-2019 09:55 AM

Dear Cisco Expert,

I unable to perform static routing inside ASA interface.

If I perform command "ip routing" on my L3 Switch, I've trouble to control the L3 switch InterVLAN.

(I don't want VLAN 100(OLEO) and VLAN 101(ESTER) talk each other, Only VLAN 102(PHD) can talk to Outside, VLAN 100(OLEO) and VLAN 101(ESTER)

My question is, this network design can be work ?.Or I need re-design and add another VLAN for Link to ASA?

Please help me on this.

Thanks.

Hanif

Labels:
Preview file
5 KB
Preview file
196 KB
Preview file
4 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni

‎03-27-2017 04:18 AM

Hanif,

in that case do not put any SVI's on your switch with IP addresses (so under your interface vlan 100, 101 and 102 dont configure  an ip address).  Just run a trunk between the switch and the firewall and put each VLAN;s default gateway IP address on the inside interface of the ASA and apply your access lists on those interfaces.

so the only IP address on your switch is on so you can telnet to it, thats it.

Please rate if helpful

Please remember to rate useful posts, by clicking on the stars below.

View solution in original post

0 Helpful

Go to solution
Julio E. Moisa
VIP
VIP

‎03-27-2017 05:24 AM

Hi

As Dennis mentioned, you could use one only link between the Firewall an L3 switch, the gateways will be created on the firewall, it is also called intervlan routing, similar to routing in a stick scenario, this is an example:

Scenario

SWITCH -----trunk ---- Firewall

FIREWALL

interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.100
vlan 100
nameif OLEO-VLAN
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/0.101
vlan 101
nameif ESTER-VLAN
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.102
vlan 102
nameif PHD
security-level 100
ip address 10.2.1.1 255.255.255.0

SWITCH

vlan 100

vlan 101

vlan 102

interface g1/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown

* You will only create the vlans on the switch, no SVIs there. 

Every internal network with security level 100 in order to communicate only if you are allowing the access. 

Please rate the comment if it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

5 Replies 5

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni

‎03-27-2017 04:18 AM

Hanif,

in that case do not put any SVI's on your switch with IP addresses (so under your interface vlan 100, 101 and 102 dont configure  an ip address).  Just run a trunk between the switch and the firewall and put each VLAN;s default gateway IP address on the inside interface of the ASA and apply your access lists on those interfaces.

so the only IP address on your switch is on so you can telnet to it, thats it.

Please rate if helpful

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

Go to solution
Julio E. Moisa
VIP
VIP

‎03-27-2017 05:24 AM

Hi

As Dennis mentioned, you could use one only link between the Firewall an L3 switch, the gateways will be created on the firewall, it is also called intervlan routing, similar to routing in a stick scenario, this is an example:

Scenario

SWITCH -----trunk ---- Firewall

FIREWALL

interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.100
vlan 100
nameif OLEO-VLAN
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/0.101
vlan 101
nameif ESTER-VLAN
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.102
vlan 102
nameif PHD
security-level 100
ip address 10.2.1.1 255.255.255.0

SWITCH

vlan 100

vlan 101

vlan 102

interface g1/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown

* You will only create the vlans on the switch, no SVIs there. 

Every internal network with security level 100 in order to communicate only if you are allowing the access. 

Please rate the comment if it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Go to solution
Hanif Saharudin
Level 1
Level 1

‎03-30-2017 12:07 AM

Dear Julio,

Thanks a lot for your details explanations. 

Now we setup the Layer 3 switch to ASA as trunks port.

Easy understand your explanations.  =)

Thanks,

Hanif 

0 Helpful

Go to solution
Julio E. Moisa
VIP
VIP
In response to Hanif Saharudin

‎03-30-2017 04:23 AM

It was a pleasure my friend.

Have a great day!

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Go to solution
Hanif Saharudin
Level 1
Level 1

‎03-30-2017 12:09 AM

Dear Dennis,

Thanks for your suggestions. 

Now understand the link from switch to ASA.

Thanks again =))

Regards,

Hanif

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card