04-24-2015 02:55 PM - edited 03-07-2019 11:43 PM
We are setting up a new network using a Cisco 2960-X switch through a Cisco ASA 5525 to get to the Internet. The Cisco 2960-X is set up with VLANs, and the interface with subinterfaces has been created on the Cisco ASA. As far as we can tell, we are set up correctly on the switch side. We can connect (ping) the Cisco ASA interface and subinterface IP addresses from the switch, and we can connect (ping) the subinterface IP on the Cisco ASA from a workstation (subinterface for the VLAN only).
We are unable to connect to the default gateway (external connection), or any other port on the Cisco ASA, from the new network. We suspect we need to set up static NATing but are having difficulty figuring out what NAT rules we need to create. Our ASA is running version 9.1, and most of the information we have found online is for older versions, as the NAT commands have changed considerably.
This diagram shows approximately how we are set up.
What do we need to do to establish Internet connectivity from a VLAN through the Cisco ASA?
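For comparison, here is an added example of the ASA 9.x-style (post-8.3) configuration that such a setup normally needs: VLAN subinterfaces, a default route toward the ISP, and object NAT that PATs each VLAN subnet to the outside interface. This is not the poster's configuration; interface names, VLAN IDs, subnets and the ISP next hop are all assumptions, since the diagram is not available.

```cisco
! Added example, not the poster's running config. Interface names, VLAN IDs,
! subnets and the ISP next hop are assumptions; substitute your own values.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! The trunk from the 2960-X terminates here; the physical port carries no IP,
! one subinterface per VLAN does.
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif users
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif servers
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
! Default route toward the ISP. Without it the ASA cannot forward
! Internet-bound traffic even when NAT is correct.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Post-8.3 object NAT: each VLAN subnet is dynamically PATed to the outside
! interface address. This replaces the pre-8.3 "nat (inside) 1" /
! "global (outside) 1 interface" pair that older guides show.
object network VLAN10-NET
 subnet 10.10.10.0 255.255.255.0
 nat (users,outside) dynamic interface
!
object network VLAN20-NET
 subnet 10.10.20.0 255.255.255.0
 nat (servers,outside) dynamic interface
!
! Interfaces at the same security level do not pass traffic to each other
! unless this is enabled. Leaving it commented keeps the VLANs segmented.
! same-security-traffic permit inter-interface
!
! Ping to the Internet only gets replies if ICMP is inspected statefully.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Workstations in each VLAN keep the matching subinterface address (10.10.10.1 or 10.10.20.1 in this example) as their default gateway, which matches the behaviour described above where only the VLAN's own subinterface is reachable before NAT and the route exist.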
04-24-2015 05:39 PM
I'm going to hazard a response -- if I'm off, please let me down gently...
I'm thinking you don't need to create the subinterfaces on the ASA like you do on a regular router. I would say uplink with a trunk from the switch with all 3 VLANs, and then create an SVI for each of the VLANs on the ASA (I'm not sure that's possible because I'm not familiar with the 5525 hardware). But I'm assuming that the ASA can trunk. If that works, I'm thinking you would assign all 3 VLANs to the inside interface.
Does that sound possible?
04-27-2015 06:05 AM
Jeremy,
Thanks for your response. The ASA does support trunking, but only through subinterfaces.
Gene
05-04-2015 07:43 AM
OK. Well, like I said, I don't know that particular platform.
I've configured ASA 5505s for smaller networks where, for example, port 0 would be the outside interface, and then port 5 would connect on the inside to an ISR (with a built-in switch). The router (a router-on-a-stick setup) would then have several switchports all trunked to layer 2 switches. Then I use switch virtual interfaces for each of the VLANs on the ISR (kind of a poor man's distribution layer) and configure the default gateway on the clients to be the SVI of that VLAN/subnet. And it seems to work fine. But my platform/networks is/are not nearly as robust as yours, so...
Good luck, though! I thought I'd keep this in the top of the unanswered list by responding so others with more experience might take a look.
Cheers!