ASA 5505 Vlan Confusion

jbrunsting
Level 1

I am running an ASA 5505, brand new, and I'm trying to configure it to run for the first time. Let me explain a bit about the strange topology my network has, however: we have VoIP service with our telco, and so there is a managed switch on the inside of the firewall, managed by the telco, which separates the voice and data traffic. Data traffic is running on vlan 2 on the switch. So I'm trying to make my internal interfaces run on vlan 2. But every time I try changing the vlans, it seems to lock me out from getting to the internet! Right now, I have the ASA running in a test environment and this configuration seems to be working for me at the moment, though I don't have a switch connected sending vlan 2 to it currently, just my laptop plugged into port e0/1. Port e0/0 is the uplink to the T1 router. If I switch all the IPs and everything around between VLAN1 and VLAN2, including the ports, it breaks everything. If I try even using switchport access vlan 2 on port e0/1, it breaks everything. Can anyone help tell me what I'm missing?

Incidentally, this is not even close to finished. This ASA will need to be connected via site-to-site VPN to two other sites and several ports forwarded to inside addresses as well. But this one part is what is really stopping everything else.

4 Replies

JORGE RODRIGUEZ
Level 10

Jackson, I'm going to jump in here and try to help you out so that the post does not lose momentum in the forum. As I read your post I sort of understand your dilemma, but not 100%.

You said that the telco managed switch runs two vlans, one for voice and one for DATA, the latter being vlan2, so this switch is considered an inside switch in relation to your ASA5505 inside interface. Having said that, your ASA5505 interface needs to be connected to the telco managed switch on a switchport in vlan2. Is it there where you have the problem? Does VLAN2 on the switch, and all of its ports in vlan2, belong to the 10.0.2.0/24 subnet? Do your PCs on vlan2 have the ASA inside interface IP as their default gateway?

When you have the problem accessing the internet, can you ping the inside interface of the ASA5505? If you could, try consoling to the ASA while you have this issue and try pinging the default route of the ASA, or pinging something out on the internet, to narrow down the issue.

Rgds

Jorge

Jorge Rodriguez

Well, here's hoping I can clear myself up a little then.

The telco managed switch is inside, yes. It is what connects directly to the inside interface of the 5505. However, due to the way they've segregated the voice traffic, that means that data traffic (and the inside interface specifically) is on vlan 2. Now, I've noticed in the ASDM that my inside switch ports are associated with vlan 1 and my outside with vlan 2. However, that did not seem to work. As you can see from the config I put up, interface Vlan1 is right now labeled as my inside interface and interface Vlan2 is my outside interface. I need to change those around, but for some reason when I do so, everything stops working. Basically, I can't get outside anymore.

jbrunsting
Level 1

I've added another config file which might help, it's the config from the switch which is also Cisco equipment. Port 23 is coming from the outside world to the firewall, and port 22 is going from the firewall to the inside network.

Just in case anyone comes here seeking a clue, I got at least part of my issue fixed. Turns out the outside interface needed to be on vlan 3 and the inside on vlan 1. Once I made those changes (and turned interface Vlan3 into my outside interface) everything worked fine. Well, for internal users. Traffic originating from outside is still broken.
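For anyone landing here later, the following is an added example of the ASA 5505 configuration that corresponds to the arrangement the poster ended up with (inside on VLAN 1, outside on VLAN 3). It is not the poster's config, which is not reproduced in the thread. The addresses are assumptions: 10.0.2.0/24 for the inside network (the subnet Jorge asked about) and 192.0.2.2/30 for the outside link with the T1 router at 192.0.2.1 (a documentation-range placeholder). The point it illustrates is that on the 5505 the Layer 3 settings (nameif, security-level, IP address) belong to the `interface VlanN` SVI, while the Ethernet switch ports are Layer 2 and are "inside" or "outside" only by virtue of the VLAN id they are assigned to. With Vlan2 configured as the outside SVI, `switchport access vlan 2` on e0/1 moves the laptop's port to the outside side of the firewall, which is consistent with the lockout described above.

```cisco
! Added example: ASA 5505, 8.2-style syntax, Base license.
! Assumed addressing: inside 10.0.2.0/24, outside 192.0.2.2/30, T1 router 192.0.2.1.

! Inside SVI: highest security level, default gateway for the data VLAN hosts.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
! Outside SVI: security level 0, so nothing is implicitly permitted inbound.
interface Vlan3
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
! Uplink to the T1 router: this switch port must carry the OUTSIDE VLAN id.
interface Ethernet0/0
 switchport access vlan 3
!
! Port toward the telco switch (or the test laptop): INSIDE VLAN id.
! "switchport access vlan 2" here would place the port in whatever VLAN 2 is,
! which in the original config was the outside SVI.
interface Ethernet0/1
 switchport access vlan 1
!
! Default route via the T1 router.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Dynamic PAT so inside hosts can reach the internet (8.2 syntax;
! 8.3 and later use object NAT instead).
global (outside) 1 interface
nat (inside) 1 10.0.2.0 255.255.255.0
!
! Restrict ASDM/SSH management to the inside subnet only.
http server enable
http 10.0.2.0 255.255.255.0 inside
ssh 10.0.2.0 255.255.255.0 inside
```

Two checks worth running on the box when a VLAN change "breaks everything": `show switch vlan` lists which physical ports are members of which VLAN, and `show interface ip brief` confirms which SVI holds which address. Caveats: with the Base license the 5505 allows only three VLAN interfaces, and a third named one must be created with `no forward interface VlanN` before its `nameif`, so if Vlan2 is no longer used it is simplest to remove it (`no interface Vlan2`) rather than leave it defined. The example also deliberately contains no static NAT or outside access-list, so it covers outbound traffic only; the port forwards and site-to-site VPNs mentioned in the original post still need to be configured on top of it.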
