Access List help

May 29th, 2007

I have the network like this:

Internet Router----->ASA------>3750

Now on the 3750 I have created 5 VLANs. The ASA will be a part of 1 VLAN in the 3750, and the remaining 4 VLANs will be on the LAN.

My requirement is:

All the users of the 4 VLANs in the LAN should be accessed based on the rules applied in the ASA and not in the 3750.

Which means all the routing should happen via the ASA and not the 3750, but the VLANs should be created only in the 3750.

cpembleton Wed, 05/30/2007 - 04:39

In order for your ASA to do the routing, you'll need to create sub-interfaces off the inside interface, one for each VLAN on the switch.


interface GigabitEthernet0/0
 no shut

interface GigabitEthernet0/0.10
 description VLAN 10
 vlan 10
 nameif inside10
 security-level 100
 ip address

interface GigabitEthernet0/0.20
 description VLAN 20
 vlan 20
 nameif inside20
 security-level 100
 ip address

interface GigabitEthernet0/0.30
 vlan 30
 nameif inside30
 security-level 100
 ip address



Please rate if helpful.

Amit Singh Wed, 05/30/2007 - 05:58
User Badges:
  • Cisco Employee,

Hi Anand,

Agree with Chad on this. You have to configure a dot1q trunk between the 3750 and the ASA. Do not create the SVIs on the 3750, and set the gateway for the hosts to the sub-interface IP of the ASA for the respective VLANs.

Please see the document below for more help.

HTH, please rate if it does.

-amit singh
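
The two replies above combined into one configuration, as an added example that is not from the original posts: the 3750 carries the VLANs at layer 2 only and trunks them to the ASA, which holds each VLAN's gateway address and enforces the rules between them. The switch port Gi1/0/1, the 192.168.x.0/24 subnets, the server address 192.168.20.10 and the ACL name INSIDE10_IN are assumptions chosen for illustration.

```cisco
! ---- Catalyst 3750: layer 2 only ----
! Assumption: Gi1/0/1 is the port cabled to the ASA inside interface.
vlan 10,20
!
! Do not create "interface Vlan10" / "interface Vlan20" with IP addresses,
! otherwise the switch can route between the VLANs and bypass the ASA.
interface GigabitEthernet1/0/1
 description Trunk to ASA Gi0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! ---- ASA: one sub-interface per VLAN ----
! The physical interface stays unnamed so untagged frames are not passed.
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 description VLAN 10
 vlan 10
 nameif inside10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description VLAN 20
 vlan 20
 nameif inside20
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
! Both sub-interfaces share security-level 100. The ASA drops traffic
! between equal-level interfaces unless this command is present.
same-security-traffic permit inter-interface
!
! With inter-interface traffic enabled, an inbound ACL on each
! sub-interface decides what may cross between VLANs (constructed rules).
access-list INSIDE10_IN extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.20.10 eq 443
access-list INSIDE10_IN extended deny ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list INSIDE10_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-group INSIDE10_IN in interface inside10
```

Hosts in each VLAN use the matching ASA sub-interface address (here 192.168.10.1 or 192.168.20.1) as their default gateway.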

Anand Narayana Wed, 05/30/2007 - 21:05

Hi Cblem & Amith,

Thanks for your reply, but I have PIX Version 6.3(3) running on my firewall at the other office, so how do I create a sub-interface? The interface in PIX is like this: "ip address inside"

Anand Narayana Wed, 05/30/2007 - 23:32

Can I have something like this for having multiple logical interfaces?

nameif vlan2 inside security50
nameif vlan3 inside security50
nameif vlan4 inside security50

ipaddress inside
ipaddress inside
ipaddress inside

If not, how do I assign a single interface multiple IP addresses, one for each and every VLAN?

How do I connect to the switch? I mean, if I put "switch port mode trunk" on the switch side, what command do I need on the PIX "inside" interface? On a router the command is "encapsulation dot1Q 1".

