I'm in the process of setting up a guest network. I set all of the ports with APs and the wireless controller to trunk, as well as the ports connecting switches. I created VLAN 20 for a guest network, and set an interface on an ASA 5512-x as the default gateway/DHCP server for this network. The ASA is connected to a switch on an access port for VLAN 20. Nothing was talking, so I decided to troubleshoot by setting another trunk port on the same switch, and connecting a laptop directly to it. I set the allowed VLANs of that port to 1 and 20 (The native VLAN was never changed from 1), but still could not communicate with said interface on the ASA. I found that if I set the native VLAN of the trunk port to VLAN 20, it would have no issues talking to the gateway. However, I could no longer communicate with anything on VLAN 1, even though it was allowed on that trunk port. The switch is a Catalyst 3560. Trying to figure out if I'm missing something.
I am somewhat confused about what is going on here. Can you clarify something for us?
- is it true that there is one connection between the switch and the ASA? Or is there more than one connection?
You have identified G1/0/6 as the switch port connecting to the ASA. It is configured as a trunk but is restricted to carry only vlan 20. How do you expect vlan 1 or any other vlan to communicate with the ASA?
On the ASA I do not see any interface set up to process dot1Q encapsulated frames. So it does not know how to communicate with any trunk on the switch. How do you expect multiple vlans on the switch to communicate with the ASA?
"- is it true that there is one connection between the switch and the ASA? Or is there more than one connection?"
Yes. There are two separate connections to the ASA. One on the physical inside interface (for inside net), and one on the dmz interface (for guest net).
"You have identified G1/0/6 as the switch port connecting to the ASA. It is configured as a trunk but is restricted to carry only vlan 20. How do you expect vlan 1 or any other vlan to communicate with the ASA?"
Port 6 is connected to the DMZ interface only, so only VLAN20 would need to pass through here. I don't need VLAN1 to pass through this port, as the inside interface on the ASA is connected to a different port.
"On the ASA I do not see any interface set up to process dot1Q encapsulated frames. So it does not know how to communicate with any trunk on the switch. How do you expect multiple vlans on the switch to communicate with the ASA?"
I thought with the newer ASAs that I would be able to directly connect a physical interface (DMZ) to the switch and have that switchport's native VLAN set to 20. Going to try with a subinterface on the ASA, set to VLAN 20, if you believe that might be what the problem is.
Thanks for the clarification that there are 2 physical connections from switch to ASA. We will focus on the interface for dmz which connects to G1/0/6. There is inconsistency about whether you want this to operate as a trunk or as an access port. Both devices need to have the same approach. Either both should treat it as a trunk or both should treat it as an access interface. The current config of the switch port forces it to send only untagged frames (so what is the point of treating it as a trunk?). And the current config of the ASA treats it as an access interface. If you want only vlan 20 to communicate over this interface then I see no point in trying to have either side treat it as a trunk. My suggestion is to config the switch port G1/0/6 as an access port in vlan 20 and to leave the interface on the ASA as a standard interface (access port).
We do not know anything about the PC that you have connected on G1/0/38 and that makes it difficult to know what is going on. The switch port is set as a trunk with two vlans (1 and 20 where 1 is the native vlan). We do not know whether the PC has an Ethernet interface capable of trunking (and so capable of sending tagged frames and being in vlan 20) or whether it has a normal Ethernet interface which sends untagged frames and therefore it would be in vlan 1. Is that part of the issue you are dealing with?
I got everything working. After setting the port to the DMZ interface as an access port, I was able to get VLAN 20 traffic to be able to connect to the interface. The final issue I had was that guest network clients were not being assigned IPs, due to not being able to connect to the gateway. The guest interface on the wireless controller was still not pinging, due to it sharing a port using another switch, with the DMZ interface of the ASA. I moved the guest port of the controller to another trunk port on the main switch, and all is good now. Thanks for the help.
Thank you for posting back to the forum to let us know that you have it working and describing what you did to get it to work. That is helpful. +5 for bringing this discussion to a conclusion and telling us how you did it.
Please verify, just in case, that VLAN 20 is present on the switch, since there are no access ports in VLAN 20 and creating interface vlan 20 will not create VLAN 20 by itself. If VLAN 20 is not present on the switch, all other configuration attempts will be useless (although the command switchport trunk native vlan 20 should not be accepted if VLAN 20 is not present on the switch).
sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/7, Gi1/0/9, Gi1/0/11
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                Gi1/0/25, Gi1/0/26, Gi1/0/27
                                                Gi1/0/28, Gi1/0/29, Gi1/0/31
                                                Gi1/0/32, Gi1/0/33, Gi1/0/34
                                                Gi1/0/35, Gi1/0/36, Gi1/0/37
                                                Gi1/0/39, Gi1/0/40, Gi1/0/41
                                                Gi1/0/43, Gi1/0/45, Gi1/1/1
                                                Gi1/1/2, Gi1/1/3, Gi1/1/4
20   guest                            active    Gi1/0/6
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
You have two options to correct your config:
- trunk to trunk :
ASA config side :
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.108.1 255.255.252.0 standby 10.10.108.2
!
! subinterface for the guest network: the vlan number must match the
! VLAN used on the switch (20), and a guest/DMZ segment should sit at a
! lower security level than inside
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 192.168.125.1 255.255.255.0 standby 192.168.125.253
Switch config side :
interface GigabitEthernet1/0/6
 ! on a 3560 the encapsulation must be set before 'switchport mode trunk' is accepted
 switchport trunk encapsulation dot1q
 switchport mode trunk
! that's all !
You only need one physical interface on ASA.
If you want, you can use two physical interfaces (I don't know any case in which it will be useful):
ASA side :
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.108.1 255.255.252.0 standby 10.10.108.2
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.125.1 255.255.255.0 standby 192.168.125.253
Switch side :
interface GigabitEthernet1/0/6
 description DMZ
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/7
 description LAN
 switchport mode access
Don't forget to rate if useful, thanks
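The trunk/access inconsistency diagnosed earlier in the thread, and the two corrected configs above, can be checked mechanically. The script below is an added example (not code from the thread or from Cisco): it parses one IOS switchport stanza and one ASA interface stanza and reports whether a given VLAN is carried the same way (tagged or untagged) on both ends. The tagging rules it assumes are the ones stated in the replies, and the embedded stanzas are constructed to mirror the original G1/0/6 against the ASA's untagged dmz interface.

```python
# Added example, not from the thread: does a Cisco switchport and an ASA
# interface agree on how a VLAN crosses the link?  Assumed rules, as the
# replies state them: access ports and ASA physical interfaces use untagged
# frames; a trunk tags every allowed VLAN except its native VLAN; an ASA
# subinterface with 'vlan N' sends 802.1Q frames tagged N.
import re

def switch_port_encap(cfg, vlan):
    """Return 'untagged', 'tagged' or 'blocked' for `vlan` on one IOS
    interface stanza (abbreviated keywords such as 'sw mode trunk' accepted).
    Defaults: mode access, access vlan 1, native vlan 1, all VLANs allowed."""
    mode, access, native, allowed = "access", 1, 1, None
    for line in cfg.splitlines():
        line = line.strip()
        if re.match(r"sw\S*\s+mo\S*\s+tr", line):
            mode = "trunk"
        elif re.match(r"sw\S*\s+mo\S*\s+ac", line):
            mode = "access"
        elif m := re.match(r"sw\S*\s+ac\S*\s+vl\S*\s+(\d+)", line):
            access = int(m.group(1))
        elif m := re.match(r"sw\S*\s+tr\S*\s+na\S*\s+vl\S*\s+(\d+)", line):
            native = int(m.group(1))
        elif m := re.match(r"sw\S*\s+tr\S*\s+al\S*\s+vl\S*\s+([\d,-]+)$", line):
            allowed = set()
            for part in m.group(1).split(","):   # e.g. "1,20" or "10-12"
                lo, _, hi = part.partition("-")
                allowed.update(range(int(lo), int(hi or lo) + 1))
    if mode == "access":
        return "untagged" if vlan == access else "blocked"
    if allowed is not None and vlan not in allowed:
        return "blocked"
    return "untagged" if vlan == native else "tagged"

def asa_iface_encap(cfg):
    """('untagged', None) for a physical ASA interface, ('tagged', N) for a
    subinterface stanza containing 'vlan N'."""
    m = re.search(r"^\s*vlan\s+(\d+)", cfg, re.M)
    return ("tagged", int(m.group(1))) if m else ("untagged", None)

def link_ok(switch_cfg, asa_cfg, vlan):
    """True when both ends put `vlan` on the wire the same way."""
    enc, tag = asa_iface_encap(asa_cfg)
    if enc == "tagged" and tag != vlan:
        return False
    return switch_port_encap(switch_cfg, vlan) == enc

# Constructed stanzas: the original G1/0/6 (trunk, only VLAN 20 allowed,
# native VLAN 1) and the ASA's physical, untagged dmz interface.
SW_TRUNK_NATIVE1 = "switchport trunk allowed vlan 20\nswitchport mode trunk"
ASA_PHYSICAL_DMZ = "interface GigabitEthernet0/2\n nameif dmz\n security-level 50"
```

Running `link_ok(SW_TRUNK_NATIVE1, ASA_PHYSICAL_DMZ, 20)` reproduces the failure from the first post (VLAN 20 is tagged on the trunk but untagged on the ASA), and appending `switchport trunk native vlan 20` or switching the port to access mode in VLAN 20 makes it pass.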