Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3888
Views
0
Helpful
4
Replies

Switch with ASA

Go to solution
solid_978
Level 1
Level 1

‎06-18-2017 01:46 PM - edited ‎03-08-2019 11:01 AM

We are trying to set up some topology interconnected with ASA, in the specific

Switch 3750(here are localized the client) -            6500 (VRF CERT without RD)-    FW ASA 5520 TRANSPARENT mode-                6500 VRF CERT-SEC with Route distinguisher

the 6500 is the same device and it has two interface in same subnet but different VRF, while the firewall has two interface in bridged mode,
however my version in ASA did not contain switchport command

is this a configuration that does work?

In the past I implemented a config with interface in the 6500 in Layer 2 (access or trunk) and in the asa the two interface in bridged mode
with BVI address, in short I have not need a routing table on the ASA due it span domain layer 2

however this configuration  does not work.
Here there is the routing eigrp global between 3850 switch CERT and 6500, on 6500 vrf CERT toward SWITCH CERT and one interface on ASA, and VRF CERT-SEC on 6500 toward second interface of ASA and interface upstream 6500 as MPLS.

if I am not in mistake transparent mode is something like Layer 2 firewall that acts as a jump in the wire and perhaps this conf is not applyable
Can someone address on the right way?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
layer1981
Level 1
Level 1

‎06-19-2017 01:14 AM

Hi solid_978,

As Georg Pauwen has mentioned your setup is not very clear mainly because not sure what benefit you're getting by having two the same subnets on two different VRFs. It would be helpful if you could show your config.

Regarding to ASA in transparent mode...I have 5510 and it also do not have the switchport available.

And it is like (as you said) a bump in the wire.

If you have a switches on inside and outside of your ASA then you should configure BVI interface (or few BVI interfaces if you have few subnets) and then configure your switch ports (towards ASA) as trunk.

From security reason you should use a different VLANs IDs on an outside interface. For example VLAN 5 on you inside switch will be changed to vlan 50 on your outside switch port. I'm assuming you know how to configure the BVI on your ASA so just remember about these different VLANs IDs while you are configuring your ASA.

One more thing which you should be aware of it's the transparent ASAs are allowing the BPDU frames to go through them. This did catch me one day and I took the whole company internet connection down. If you want stop these BPDUs to travel you need to put the bdpufilter on the inside switch trunk interface.

Give me shout if you need more help.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Georg Pauwen
VIP
VIP

‎06-18-2017 02:21 PM

Hello,

not sure if I completely understand your setup. Can you not put both interfaces on the ASA in the same bridge group ?

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎06-18-2017 02:47 PM

I don't think the 5520 supports the "switchport" command (only 5505 does). 5520 comes with 4 ports (layer-3) see page 10 in this link:

For trunk interfaces, you can use sub-interfaces.

http://www.cisco.com/web/SG/solutions/smb/velocity/Security/ASA/Downloads/asa5500_datasheet.pdf

HTH

0 Helpful

Go to solution
layer1981
Level 1
Level 1

‎06-19-2017 01:14 AM

Hi solid_978,

As Georg Pauwen has mentioned your setup is not very clear mainly because not sure what benefit you're getting by having two the same subnets on two different VRFs. It would be helpful if you could show your config.

Regarding to ASA in transparent mode...I have 5510 and it also do not have the switchport available.

And it is like (as you said) a bump in the wire.

If you have a switches on inside and outside of your ASA then you should configure BVI interface (or few BVI interfaces if you have few subnets) and then configure your switch ports (towards ASA) as trunk.

From security reason you should use a different VLANs IDs on an outside interface. For example VLAN 5 on you inside switch will be changed to vlan 50 on your outside switch port. I'm assuming you know how to configure the BVI on your ASA so just remember about these different VLANs IDs while you are configuring your ASA.

One more thing which you should be aware of it's the transparent ASAs are allowing the BPDU frames to go through them. This did catch me one day and I took the whole company internet connection down. If you want stop these BPDUs to travel you need to put the bdpufilter on the inside switch trunk interface.

Give me shout if you need more help.

0 Helpful

Go to solution
dperezoquendo
Level 1
Level 1
In response to layer1981

‎06-19-2017 02:47 PM

Hello,

Minus whatever you are trying to do with the VRFs, I have pretty much the same setup with a pair of 5510s. You don't need the switchport command on the ASAs. The BVI and access vlan on switch works well enough.

On ASA:

int eth0/0

nameif outside

bridge-group 1

!

int eth0/1

nameif inside

bridge-group 1

!

int bvi1

ip address <ip-address> <subnet mask>

On Switch:

int g0/47

sw acc vlan ##

sw mo acc

sw nonegotiate

!

int vlan ##

ip addr <same subnet as ASA bridge-group>

0 Helpful
Customers Also Viewed These Support Documents