Access List help

Unanswered Question
May 29th, 2007

Hi,

I have a network like this:

Internet Router -----> ASA -----> 3750

On the 3750 I have created 5 VLANs. The ASA will be part of one VLAN on the 3750; the other 4 VLANs will be on the LAN.

My requirement is:

Access for all the users in the 4 LAN VLANs should be based on the rules applied on the ASA, not on the 3750.

This means all the routing should happen via the ASA and not the 3750, but the VLANs should be created only on the 3750.

cpembleton Wed, 05/30/2007 - 04:39

In order for your ASA to do the routing you'll need to create sub-interfaces off the inside interface, one for each VLAN on the switch.

Example:

interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.10
 description VLAN 10
 vlan 10
 nameif inside10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description VLAN 20
 vlan 20
 nameif inside20
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 description VLAN 30
 vlan 30
 nameif inside30
 security-level 100
 ip address 192.168.30.1 255.255.255.0

Thanks,

Chad

Please rate if helpful.

Amit Singh Wed, 05/30/2007 - 05:58

Hi Anand,

Agree with Chad on this. You have to configure a dot1q trunk between the 3750 and the ASA. Do not create the SVIs on the 3750, and set the gateway for the hosts to the sub-interface IP of the ASA for the respective VLANs.

Please see the document below for more help.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a0080636f42.html#wp1044006

HTH, please rate if it does.

-amit singh
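Putting the two answers above together, here is an added example (not code from either poster) of what the switch side and the ASA side look like when the VLANs live only on the 3750, the 3750 does no routing, and the inter-VLAN policy is an access list on the ASA. Port numbers, subnets, VLAN names and ACL names are assumptions; ASA 7.x syntax is assumed.

```cisco
! ===== 3750: layer 2 only. VLANs exist, no SVIs, no ip routing =====
vlan 10
 name users10
vlan 20
 name servers20
vlan 30
 name users30
!
! Port towards the ASA inside interface (Gi1/0/1 is an assumption).
! 3750 supports ISL and dot1q, so the encapsulation must be set explicitly.
interface GigabitEthernet1/0/1
 description 802.1Q trunk to ASA Gi0/0
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
! A host port in VLAN 10; its default gateway is the ASA, 192.168.10.1
interface GigabitEthernet1/0/10
 description host in VLAN 10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
no ip routing

! ===== ASA: one sub-interface per VLAN, policy applied per sub-interface =====
! The physical interface carries no address; it only brings the link up.
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif inside10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif inside20
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
! All inside sub-interfaces sit at security-level 100. The ASA drops traffic
! between interfaces at the same level unless this is enabled; after that the
! access lists below decide what is allowed.
same-security-traffic permit inter-interface
!
! VLAN 10 users may only reach the VLAN 20 servers on TCP/443; any other
! traffic towards VLAN 20 is dropped, everything else (e.g. Internet) is allowed.
! Order matters: the deny must come before the broad permit.
access-list VLAN10_IN extended permit tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 443
access-list VLAN10_IN extended deny ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VLAN10_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-group VLAN10_IN in interface inside10
!
! Servers may not open connections into the user VLAN, but may go anywhere else.
! Replies to the users' TCP/443 sessions still pass: the ASA is stateful and
! only evaluates the ACL for the first packet of a new connection.
access-list VLAN20_IN extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VLAN20_IN extended permit ip 192.168.20.0 255.255.255.0 any
access-group VLAN20_IN in interface inside20
```

A sub-interface and access-group for VLAN 30 follow the same pattern. Two checks before trusting this: once an access-group is applied inbound on a sub-interface, anything not explicitly permitted is dropped by the implicit deny at the end of the list, so `show access-list` hit counts are the quickest way to see which line a blocked flow is hitting; and if `nat-control` is enabled on the ASA, each inside sub-interface also needs a `nat`/`global` or `static` entry before any traffic will pass, independent of the ACLs.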

Anand Narayana Wed, 05/30/2007 - 21:05

Hi Cblem & Amit,

Thanks for your reply, but I have PIX Version 6.3(3) running on the firewall at my other office, so how do I create a sub-interface there? The interface on the PIX is like this: "ip address inside 192.168.1.1 255.255.255.0"

Anand Narayana Wed, 05/30/2007 - 23:32

Can I have something like this to get multiple logical interfaces?

nameif vlan2 inside security50
nameif vlan3 inside security50
nameif vlan4 inside security50
ip address inside 192.168.1.1 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0

If not, how do I assign a single interface multiple IP addresses, one for each VLAN?

How do I connect to the switch? I mean, if I put "switchport mode trunk" on the switch side, what command do I need on the PIX "inside" interface? On a router the command is "encapsulation dot1Q 1".
