I have the setup as below.
3750 (vlan 2,3,4,5) --> ASA --> 1700 router --> VPN to Remote site
vlan2- 10.1.100.1/24 (user)
vlan3- 10.1.101.1/24 (server)
vlan4- 10.1.1.1/24 (WAN segment) - ASA inside is connected to gig1/0/10 on 3750 and configured as access port. Gig1/0/10 is assigned on vlan4
vlan5- 10.1.102.1/24 (management)
I am using static routes throughout the whole network.
The 3750 default route is the ASA inside IP.
The ASA default route is the 1700 router.
There is a VPN between the 1700 router and the remote site.
1. Can the port gig1/0/10 connecting the 3750 to the ASA be configured as an access port, or should it be a trunk port?
2. As I am using static routes to the remote networks through the VPN, do all the routes need to be configured on every device in the path, e.g. on the 3750, ASA and 1700 devices?
3. Do the ASA and the router need to have routes for the internal VLANs?
4. Do I have to use "switchport trunk allowed vlan all" command on 3750?
1) If you want the ASA to firewall between the VLANs, then yes, it should be a trunk. If you want all traffic to VLANs other than 4 to route via your 3750, then no.
2) No, if your default routes are pointing to the next-hop devices. The 1700 doesn't need a route either, as the VPN crypto access-list will pick up the traffic.
3) The ASA will, if you are not running a trunk. The 1700 router will also.
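As an added illustration (constructed for this write-up, not configuration from the thread), here is what the access-port design in answers 1) and 3) looks like on each device. Assumed placeholder addresses: ASA inside 10.1.1.2, ASA outside 192.0.2.2, 1700 LAN-side interface 192.0.2.1.

```cisco
! --- 3750: SVIs route between VLANs 2/3/4/5; everything else goes to the ASA ---
! Because inter-VLAN traffic never leaves the switch, any filtering between the
! user, server and management VLANs has to be done here (ACLs on the SVIs),
! not on the ASA.
interface GigabitEthernet1/0/10
 description Link to ASA inside (access port, VLAN 4 only)
 switchport mode access
 switchport access vlan 4
!
ip routing
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
! --- ASA: default route to the 1700, plus a return route for every internal VLAN ---
! Only 10.1.1.0/24 is directly connected, so without these the ASA has no
! path back to the user, server or management subnets.
route inside 10.1.100.0 255.255.255.0 10.1.1.1 1
route inside 10.1.101.0 255.255.255.0 10.1.1.1 1
route inside 10.1.102.0 255.255.255.0 10.1.1.1 1
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! --- 1700: return routes for the internal subnets, pointing at the ASA outside ---
! Traffic for the remote site is selected by the crypto access-list, so no
! explicit route to the remote networks is needed here.
ip route 10.1.1.0 255.255.255.0 192.0.2.2
ip route 10.1.100.0 255.255.255.0 192.0.2.2
ip route 10.1.101.0 255.255.255.0 192.0.2.2
ip route 10.1.102.0 255.255.255.0 192.0.2.2
```

A quick check after applying this is `show route` on the ASA and `show ip route` on the 1700: each of the three internal /24s should appear as a static entry, otherwise replies from the remote site will be dropped at the first hop that lacks the return route.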