VLAN tagging on a Cisco ASA 5520?

Dec 6th, 2007

Hi, I have a Cisco ASA 5520 and a Cisco 3750 switch. I want to create 3 VLANs (like DMZs) on this switch and get the ASA to use them via its gigabit port. How can I do this?

Collin Clark Thu, 12/06/2007 - 15:26
User Badges:
  • Purple, 4500 points or more

There is a physical connection between fa0/1 on the switch and the Ethernet 4 interface on the PIX/ASA.

*******************************************
Switch Configuration
*******************************************

interface FastEthernet0/1
 description Connection to PIX Firewall
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-103
 switchport mode trunk
 duplex full
 speed 100

*******************************************
PIX/ASA Configuration
*******************************************

interface Ethernet4
 description Trunk Only! DO NOT CONFIGURE!!
 speed 100
 duplex full
 no nameif
 security-level 10
 no ip address
!
interface Ethernet4.100
 description DMZ 100
 vlan 100
 nameif dmz100
 security-level 10
 ip address 10.10.100.254 255.255.255.0 standby 10.10.100.253
!
interface Ethernet4.101
 description DMZ 101
 vlan 101
 nameif dmz101
 security-level 10
 ip address 10.10.101.254 255.255.255.0 standby 10.10.101.253
!
interface Ethernet4.102
 description DMZ 102
 vlan 102
 nameif dmz102
 security-level 10
 ip address 10.10.102.254 255.255.255.0 standby 10.10.102.253
!
interface Ethernet4.103
 description DMZ 103
 vlan 103
 nameif dmz103
 security-level 0
 ip address 10.10.103.254 255.255.255.0 standby 10.10.103.253
!


HTH and please rate.
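The trunk-plus-subinterface pairing in the answer above has a few quiet failure modes that are worth linting before the change window: a VLAN tagged on an ASA subinterface but pruned from the switch trunk, a VLAN allowed on the trunk with no subinterface to receive it, a subinterface whose VLAN is the trunk's native VLAN (its frames arrive untagged, hit the physical interface, and are dropped because it has no nameif), and a nameif reused on two subinterfaces, which the ASA rejects. The Python below is an added example, not code from this thread or from Cisco. The two config excerpts inside it are constructed for the demonstration (they deliberately reuse the nameif dmz101 and leave VLAN 103 without a subinterface), and the parsers only understand the handful of commands shown.

```python
"""Lint a Catalyst dot1q trunk against the ASA subinterfaces behind it.

Added example, not from the thread. Both config excerpts below are
constructed and deliberately contain two mistakes for the lint to find.
"""
import re

ALL_VLANS = frozenset(range(1, 4095))   # 'switchport trunk allowed vlan all'

# Constructed switch-side trunk block (no native VLAN set, so IOS default 1).
SWITCH_CFG = """\
interface FastEthernet0/1
 description Connection to PIX Firewall
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-103
 switchport mode trunk
"""

# Constructed ASA-side config: nameif dmz101 is reused on two
# subinterfaces, and VLAN 103 has no subinterface at all.
ASA_CFG = """\
interface Ethernet4
 no nameif
 no ip address
!
interface Ethernet4.100
 vlan 100
 nameif dmz101
 security-level 10
!
interface Ethernet4.101
 vlan 101
 nameif dmz101
 security-level 10
!
interface Ethernet4.102
 vlan 102
 nameif dmz102
 security-level 10
!
"""


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '100-103,200' into a set of ints."""
    if spec.strip().lower() == "all":
        return set(ALL_VLANS)
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_switch_trunk(cfg):
    """Return (allowed_vlans, native_vlan) for one trunk interface block."""
    allowed, native = set(), 1          # IOS default native VLAN is 1
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"switchport trunk allowed vlan (?:add )?(.+)$", line)
        if m:
            allowed |= parse_vlan_list(m.group(1))
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
    return allowed, native


def parse_asa_subinterfaces(cfg):
    """Map each ASA subinterface name to its vlan, nameif and security-level."""
    subifs, cur = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"interface (\S+\.\d+)$", line)   # e.g. 'interface Ethernet4.100'
        if m:
            cur = subifs.setdefault(
                m.group(1), {"vlan": None, "nameif": None, "security_level": None})
            continue
        if line.startswith("interface "):
            cur = None                  # physical interface: not a subinterface
            continue
        if cur is None:
            continue
        for key, pat in (("vlan", r"vlan (\d+)$"),
                         ("nameif", r"nameif (\S+)$"),
                         ("security_level", r"security-level (\d+)$")):
            m = re.match(pat, line)
            if m:
                cur[key] = m.group(1) if key == "nameif" else int(m.group(1))
    return subifs


def lint(switch_cfg, asa_cfg):
    """Return a list of findings about the trunk/subinterface pairing; empty means consistent."""
    allowed, native = parse_switch_trunk(switch_cfg)
    subifs = parse_asa_subinterfaces(asa_cfg)
    findings, seen_nameif, asa_vlans = [], {}, set()
    for name, s in sorted(subifs.items()):
        if s["vlan"] is None:
            findings.append(f"{name}: no 'vlan' command, so it never passes traffic")
            continue
        asa_vlans.add(s["vlan"])
        if s["vlan"] not in allowed:
            findings.append(f"{name}: VLAN {s['vlan']} is not allowed on the trunk")
        if s["vlan"] == native:
            findings.append(f"{name}: VLAN {s['vlan']} is the trunk native VLAN; "
                            "its frames arrive untagged and miss the subinterface")
        if s["nameif"] is None:
            findings.append(f"{name}: no nameif, so the ASA will not use it")
        elif s["nameif"] in seen_nameif:
            findings.append(f"{name}: nameif '{s['nameif']}' duplicates "
                            f"{seen_nameif[s['nameif']]}; the ASA rejects this")
        else:
            seen_nameif[s["nameif"]] = name
    if allowed == ALL_VLANS:
        findings.append("trunk allows all VLANs; prune it to the DMZ VLANs only")
    else:
        for v in sorted(allowed - asa_vlans):
            findings.append(f"trunk allows VLAN {v} but the ASA has no subinterface for it")
    return findings


if __name__ == "__main__":
    for finding in lint(SWITCH_CFG, ASA_CFG):
        print(finding)
```

Run it against the real `show running-config interface` output from both boxes (one trunk block, the whole ASA interface section). An unpruned trunk is flagged as a single finding rather than 4,000 missing-subinterface lines, because the fix in that case is to prune the trunk, not to add subinterfaces.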

husycisco Fri, 12/07/2007 - 01:22
User Badges:
  • Gold, 750 points or more

Hi Jorge

Just curious, what happens if VLAN x has 2 ports, one is a trunk to the ASA and one is a trunk to a switch which has member VLANs 101-103 through the trunk? Should we define the VLAN IDs of the other switch?

husycisco Fri, 12/07/2007 - 12:14
User Badges:
  • Gold, 750 points or more

I got confused by posts, I mean Collin not Jorge :)

Collin Clark Mon, 12/10/2007 - 05:54
User Badges:
  • Purple, 4500 points or more

Any port that is in that VLAN will be in the DMZ, assuming you have the VLAN on the trunks. Most people have separate switches for DMZ's from internal switches.


HTH
