Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
763
Views
0
Helpful
3
Replies

ASA VLAN Trunking - Firewalling - Routing issue

ddidier
Level 1
Level 1

‎08-21-2007 08:00 AM - edited ‎03-11-2019 04:00 AM

Let me start by defining the end goal: Utilize an active/active ASA to filter traffic on specific network segments (VLANs). There is a 3750 stack which is acting as the VTP master. I'm having trouble understanding how routing will work in this scenario. I've defined the IP addresses of my test VLAN on the ASA, set the gateway of my client to this IP. How should the routing on the ASA be defined? Should I setup a seperate VLAN just for routing? I'm very confused at this time about the proper configuration for my end goal.

Does there need to be an IP on the 3750 for each VLAN, or will this get routed through a default route?

Labels:
0 Helpful
3 Replies 3

ddidier
Level 1
Level 1

‎08-21-2007 10:33 AM

Here's some more information. I've simplified my config and I can't get Access-controls to work on VLAN 16. I have two VLANs defined on the ASA 16 and 80:

interface GigabitEthernet0/0

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/0.16

description WAN VLAN Firewall

vlan 16

nameif WAN

security-level 50

ip address 172.25.0.254 255.255.240.0

!

interface GigabitEthernet0/0.80

description PROD-OPP Firewall Interface

vlan 80

nameif PROD-OPP-VLAN

security-level 75

ip address 172.25.80.254 255.255.240.0

My switch looks like this:interface GigabitEthernet1/0/12

description NO DESCRIPTION

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 16,80,255

switchport mode trunk

spanning-tree portfast

interface Vlan16

description WAN

ip address 172.25.0.200 255.255.240.0

!

interface Vlan64

description Office

ip address 172.25.64.1 255.255.240.0

!

interface Vlan80

description PROD-OPP VLAN

ip address 172.25.80.1 255.255.240.0

ip helper-address 10.1.5.153

I've set my gateway on the PC to 172.25.0.254 (ASA IP). no matter what I do for ACLs, the ASA never shows any hits, if I do a sh conn, I see no established connections. I'm trying to connect back to devices in the 10.x.x.x network which the switch knows about. The system connects to them fine and if I do a traceroute it shows the 172.25.0.200 IP as a hop which makes sense. But it seems it isn't using the ASA. Does anyone have any ideas on this?

Thanks,

Dan

0 Helpful

rigoberto.cintron
Level 1
Level 1
In response to ddidier

‎08-21-2007 10:50 AM

If you want traffic between vlan's 16 and 80 to go through the ASA, remove the ip addresses from the vlan interfaces 16 and 80 in the switch.

0 Helpful

ddidier
Level 1
Level 1
In response to rigoberto.cintron

‎08-21-2007 05:03 PM

Thanks - I see that, but I was having problems understanding how traffic would be routed back to the VLANs on the network that aren't configured on the sub-interfaces. The answer was to configure a dedicated interface connected to the 3750 switch stack for the purposes of routing only - no trunking. Trunking is handled through a seperate dedicated interface back to the switch stack. This configuration is currently working as expected. Thanks for the help.

Dan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card