Access List help

Unanswered Question
May 29th, 2007
User Badges:
  • Silver, 250 points or more

Hi,

I have a network like this:


Internet Router----->ASA------>3750


Now on the 3750 I have created 5 VLANs. The ASA will be part of 1 VLAN on the 3750; the remaining 4 VLANs will be on the LAN.

My requirement is:

Access for the users in all 4 LAN VLANs should be controlled by the rules applied in the ASA, not in the 3750.

This means all the routing should happen via the ASA and not the 3750, but the VLANs should be created only in the 3750.

cpembleton Wed, 05/30/2007 - 04:39
User Badges:
  • Silver, 250 points or more

In order for your ASA to do the routing you'll need to create sub-interfaces off the inside interface, one for each VLAN on the switch.


Example:

interface GigabitEthernet0/0
 no shutdown
!
! one sub-interface per switch VLAN; each needs its own subnet, the ASA
! rejects a second interface address that overlaps an existing one
interface GigabitEthernet0/0.10
 description VLAN 10
 vlan 10
 nameif inside10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description VLAN 20
 vlan 20
 nameif inside20
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 description VLAN 30
 vlan 30
 nameif inside30
 security-level 100
 ip address 192.168.30.1 255.255.255.0


Thanks,

Chad


Please rate if helpful.

Amit Singh Wed, 05/30/2007 - 05:58
User Badges:
  • Cisco Employee,

Hi Anand,


Agree with Chad on this. You have to configure a dot1q trunk between the 3750 and the ASA. Do not create the SVIs on the 3750, and set the gateway for the hosts to the sub-interface IP of the ASA for the respective VLANs.


Please see the document below for more help.


http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a0080636f42.html#wp1044006


HTH, please rate if it does.


-amit singh
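Putting Chad's sub-interface layout and Amit's trunk advice together, here is an added example configuration for the 3750 port facing the ASA and the matching ASA side, including an access-list so that traffic between two LAN VLANs is actually filtered by the ASA. This is not configuration from either poster or from Cisco's documentation; the VLAN numbers, port names, addresses and the policy itself are assumptions.

```cisco
! ===== 3750 side (assumed port Gi1/0/1 faces the ASA) =====
vlan 10,20
!
interface GigabitEthernet1/0/1
 description 802.1Q trunk to ASA inside
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
! Deliberately no "interface Vlan10" / "interface Vlan20" SVIs on the switch:
! the switch only carries the VLANs, the ASA sub-interface is every host's gateway.

! ===== ASA side =====
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif inside10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif inside20
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
! All LAN sub-interfaces share security-level 100. The ASA drops traffic between
! equal-security interfaces unless this is enabled; once enabled, the interface
! access-lists below decide what crosses.
same-security-traffic permit inter-interface
!
! Assumed policy: hosts in VLAN 10 may reach an assumed web server 192.168.20.50
! in VLAN 20 over HTTPS only; everything else toward VLAN 20 is logged and
! dropped; the rest (Internet via the outside interface) is allowed.
access-list inside10_in extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.20.50 eq 443
access-list inside10_in extended deny ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 log
access-list inside10_in extended permit ip 192.168.10.0 255.255.255.0 any
access-group inside10_in in interface inside10
```

Hosts in VLAN 10 use 192.168.10.1 as their default gateway and hosts in VLAN 20 use 192.168.20.1, so every inter-VLAN packet has to enter an ASA sub-interface and hit its access-group; without the `same-security-traffic` line the ASA would silently drop that traffic even with a permitting access-list, which is a common reason "the rules don't seem to apply". The `log` keyword on the deny entry is what gives the syslog evidence for blocked cross-VLAN attempts.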

Anand Narayana Wed, 05/30/2007 - 21:05
User Badges:
  • Silver, 250 points or more

Hi Cblem & Amit,

Thanks for your reply, but I have PIX Version 6.3(3) running on the firewall at the office on the other side, so how do I create a sub-interface? The interface in the PIX is like this: "ip address inside 192.168.1.1 255.255.255.0"

Anand Narayana Wed, 05/30/2007 - 23:32
User Badges:
  • Silver, 250 points or more

Can I have something like this for having multiple logical interfaces?

nameif vlan2 inside security50
nameif vlan3 inside security50
nameif vlan4 inside security50

ip address inside 192.168.1.1 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0

If not, how do I assign a single interface multiple IP addresses, one for each VLAN?

How do I connect to the switch? I mean, if I put "switchport mode trunk" on the switch side, what command do I need on the PIX "inside" interface? On a router the command is "encapsulation dot1Q 1".
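For comparison with the ASA sub-interface syntax discussed above, here is an added example of how PIX 6.3 expresses the same layout: a VLAN is attached to the physical interface, and the further VLANs become "logical" interfaces on that same wire rather than sub-interfaces. This is not configuration from any of the posters; the interface, VLAN numbers, names, security levels, addresses and the policy are assumptions.

```cisco
! ===== PIX 6.3 (assumed: ethernet1 is the inside port toward the 3750) =====
interface ethernet1 100full
! Tag the physical interface itself with VLAN 2; every frame on the wire is now
! 802.1Q tagged, so the switch side is a plain dot1q trunk carrying 2,3,4.
interface ethernet1 vlan2 physical
! Additional VLANs on the same port become logical interfaces.
interface ethernet1 vlan3 logical
interface ethernet1 vlan4 logical
!
! nameif <hardware id> <name> <security level>: the physical port keeps its
! name, each logical interface gets its own. PIX 6.3 cannot pass traffic between
! two interfaces at the same security level at all (that option only appears in
! 7.0), so each VLAN gets a distinct level; an access-list then decides policy.
nameif ethernet1 inside security100
nameif vlan3 inside3 security90
nameif vlan4 inside4 security80
!
! One address per named interface, in distinct subnets (no "ip address inside"
! repeated three times: the second line would just overwrite the first).
ip address inside 192.168.1.1 255.255.255.0
ip address inside3 192.168.2.1 255.255.255.0
ip address inside4 192.168.3.1 255.255.255.0
!
! PIX 6.x also insists on a translation rule before traffic may cross interfaces;
! "nat ... 0" keeps the VLAN 2 addresses untranslated toward the lower-security
! VLANs. Traffic initiated from a lower to a higher security interface needs a
! matching static plus an access-list on top of this.
nat (inside) 0 192.168.1.0 255.255.255.0
!
! Assumed policy for hosts in VLAN 2: HTTPS to an assumed server in VLAN 3 only,
! everything else toward VLAN 3 logged and dropped, the rest permitted.
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.50 eq 443
access-list inside_in deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 log
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside

! ===== 3750 side (assumed port Gi1/0/1 faces the PIX) =====
vlan 2,3,4
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,4
 switchport mode trunk
```

So the PIX equivalent of the router's "encapsulation dot1Q" is the "interface ethernet1 vlanN physical|logical" line, and the hosts in each VLAN point at the PIX address for their VLAN as default gateway. The security-level and NAT requirements are the two things that differ most from the ASA: on PIX 6.3 a forgotten static or two interfaces left at the same level show up as traffic that is silently dropped rather than as an access-list denial, so check `show nameif` and the syslog for translation failures before suspecting the access-list.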
