ASA VLAN Trunking - Firewalling - Routing issue

Aug 21st, 2007

Let me start by defining the end goal: utilize an active/active ASA to filter traffic on specific network segments (VLANs). There is a 3750 stack which is acting as the VTP master. I'm having trouble understanding how routing will work in this scenario. I've defined the IP addresses of my test VLAN on the ASA and set the gateway of my client to this IP. How should the routing on the ASA be defined? Should I set up a separate VLAN just for routing? I'm very confused at this time about the proper configuration for my end goal.


Does there need to be an IP on the 3750 for each VLAN, or will this get routed through a default route?

ddidier Tue, 08/21/2007 - 10:33
Here's some more information. I've simplified my config and I can't get access controls to work on VLAN 16. I have two VLANs defined on the ASA, 16 and 80:

interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.16
 description WAN VLAN Firewall
 vlan 16
 nameif WAN
 security-level 50
 ip address 172.25.0.254 255.255.240.0
!
interface GigabitEthernet0/0.80
 description PROD-OPP Firewall Interface
 vlan 80
 nameif PROD-OPP-VLAN
 security-level 75
 ip address 172.25.80.254 255.255.240.0

My switch looks like this:

interface GigabitEthernet1/0/12
 description NO DESCRIPTION
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 16,80,255
 switchport mode trunk
 spanning-tree portfast
!
interface Vlan16
 description WAN
 ip address 172.25.0.200 255.255.240.0
!
interface Vlan64
 description Office
 ip address 172.25.64.1 255.255.240.0
!
interface Vlan80
 description PROD-OPP VLAN
 ip address 172.25.80.1 255.255.240.0
 ip helper-address 10.1.5.153

I've set my gateway on the PC to 172.25.0.254 (ASA IP). No matter what I do for ACLs, the ASA never shows any hits, and if I do a sh conn, I see no established connections. I'm trying to connect back to devices in the 10.x.x.x network which the switch knows about. The system connects to them fine, and if I do a traceroute it shows the 172.25.0.200 IP as a hop, which makes sense. But it seems it isn't using the ASA. Does anyone have any ideas on this?


Thanks,

Dan

rigoberto.cintr... Tue, 08/21/2007 - 10:50
If you want traffic between VLANs 16 and 80 to go through the ASA, remove the IP addresses from the VLAN interfaces 16 and 80 in the switch.

ddidier Tue, 08/21/2007 - 17:03
Thanks - I see that, but I was having problems understanding how traffic would be routed back to the VLANs on the network that aren't configured on the sub-interfaces. The answer was to configure a dedicated interface connected to the 3750 switch stack for the purposes of routing only - no trunking. Trunking is handled through a separate dedicated interface back to the switch stack. This configuration is currently working as expected. Thanks for the help.


Dan
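The design Dan describes in his final reply, written out as an illustrative configuration. This is added here and is not config from the thread; the ASA interface Gi0/1, the 3750 port Gi1/0/13, the 172.25.255.0/30 link addresses, the INSIDE-CORE name and the ACL name are all assumptions. The point it makes explicit: while the 3750 holds an SVI in VLAN 16 or 80 it routes for those subnets itself and hosts bypass the firewall (the 172.25.0.200 hop in the traceroute), so the SVIs go away and the only route back to those subnets is via the ASA's dedicated routed link.

```text
! ===== ASA: additions to the sub-interface config already posted =====
! Dedicated routed link to the 3750, no trunking (assumed interface/addresses).
interface GigabitEthernet0/1
 description Routed link to 3750 stack
 nameif INSIDE-CORE
 security-level 100
 ip address 172.25.255.1 255.255.255.252
!
! Subnets the switch knows about (10.x.x.x, the Office VLAN) are reached via the 3750.
route INSIDE-CORE 10.0.0.0 255.0.0.0 172.25.255.2 1
route INSIDE-CORE 172.25.64.0 255.255.240.0 172.25.255.2 1
!
! Filter on the VLAN 16 interface; hit counts only appear once the
! hosts' traffic actually transits the ASA.
access-list WAN_IN extended permit tcp 172.25.0.0 255.255.240.0 10.0.0.0 255.0.0.0 eq 443
access-list WAN_IN extended deny ip any any log
access-group WAN_IN in interface WAN
!
! The VLAN 80 SVI carried the DHCP helper; with the SVI gone, relay from the ASA.
dhcprelay server 10.1.5.153 INSIDE-CORE
dhcprelay enable PROD-OPP-VLAN

! ===== 3750 stack =====
ip routing
! Remove the SVIs in the firewalled VLANs so the switch no longer
! answers for 172.25.0.0/20 and 172.25.80.0/20 itself.
no interface Vlan16
no interface Vlan80
!
! Routed (non-trunk) port facing the ASA's dedicated interface (assumed port).
interface GigabitEthernet1/0/13
 description Routed link to ASA
 no switchport
 ip address 172.25.255.2 255.255.255.252
!
! Return routes: the firewalled subnets now live behind the ASA.
ip route 172.25.0.0 255.255.240.0 172.25.255.1
ip route 172.25.80.0 255.255.240.0 172.25.255.1
```

The existing Gi1/0/12 trunk stays as posted and carries only the tagged VLAN 16 and 80 frames to the ASA sub-interfaces; all routing between those VLANs and the rest of the network now crosses the /30 link, where the ACL and the ASA's connection table can see it.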