ASA with VLANs ...... does dot1q actually work ?

mcroft (Level 1)

Hi,

I have a very simple config :

1x ASA5510 firewall and 1x 2950 ethernet switch.

I am trying to get dot1q trunking working between the two, and utilize VLANs through one single physical connection.

This is easy right ?

<--------------ASA------------------->

interface Ethernet3
 speed 100
 duplex full
 nameif DMZ1-TEST
 security-level 6
 no ip address
!
interface Ethernet3.1
 vlan 700
 nameif DMZ1-TEST-VLAN700
 security-level 6
 ip address 172.18.10.1 255.255.0.0
!
interface Ethernet3.2
 vlan 701
 nameif DMZ1-TEST-VLAN701
 security-level 6
 ip address 172.19.10.1 255.255.0.0

<------------2950 SWITCH---------------->

interface FastEthernet0/23
 description *** UPLINK to ASA TEST ***
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

------------------------------------------

However, I cannot see any traffic between the two devices; in fact, I am unable to ping the switch from the firewall and vice versa.

If I do a show int on the firewall, I see ..... "390349 L2 decode drops". THIS IS NOT GOOD I ASSUME!

So, I think there is a problem with the trunk.

Any Ideas or debug I could apply ?

Any help would really be appreciated.

Thank you.

Matt C


6 Replies

JORGE RODRIGUEZ (Level 10)

Hi Matt,

Have you created the L2 VLANs in the switch for the respective FW subinterfaces?

switch

vlan database
vlan 700 name DMZ1-TEST-VLAN700
vlan 701 name DMZ1-TEST-VLAN701

When you place a host on a specific switchport, connectivity should work.

switch

interface fe0/x
 Description PC1_address_172.18.10.30/16
 switchport access vlan 700

You should be able to ping the default gateway 172.18.10.1 from the PC.

Same principle for the other subnet, VLAN 701.

Communication between the two subnets can be accomplished with the inter-interface command in the ASA and a nonat exempt ACL.

Regards

Jorge Rodriguez
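A small checker, added here as an example and not code from the thread or from Cisco, that catches exactly the mistake this answer points at: VLAN tags configured on ASA subinterfaces for which the switch has no VLAN defined. The two configs are constructed samples modelled on the thread (VLAN 701 deliberately left out of the switch); the switch parser reads "vlan N" lines in either vlan database or global-config form and does not expand ranges such as "vlan 700-710".

```python
import re

# Constructed sample configs, not the thread's actual devices. They reproduce
# the mismatch from the thread: the ASA tags 700 and 701 on Ethernet3, the
# switch trunks dot1q, but only VLAN 700 exists in the switch's VLAN database.
ASA_CONFIG = """\
interface Ethernet3
 nameif DMZ1-TEST
interface Ethernet3.1
 vlan 700
 ip address 172.18.10.1 255.255.0.0
interface Ethernet3.2
 vlan 701
 ip address 172.19.10.1 255.255.0.0
"""

SWITCH_CONFIG = """\
vlan database
vlan 700 name DMZ1-TEST-VLAN700
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""

def asa_subinterface_vlans(config):
    """Map each ASA subinterface (Ethernet3.1, ...) to the 802.1Q tag it sends."""
    vlans, current = {}, None
    for line in config.splitlines():
        ifc = re.match(r"interface (\S+\.\d+)$", line)
        if ifc:
            current = ifc.group(1)
        elif line.startswith("interface "):
            current = None  # physical interface: untagged frames, no vlan line
        elif current and (tag := re.match(r"\s*vlan (\d+)", line)):
            vlans[current] = int(tag.group(1))
    return vlans

def switch_defined_vlans(config):
    """VLAN IDs the switch knows: 'vlan 700 name ...' (vlan database) or 'vlan 700'."""
    return {int(v) for v in re.findall(r"^vlan (\d+)", config, re.M)}

def missing_vlans(asa_config, switch_config):
    """Subinterfaces whose tag the switch discards because the VLAN is undefined."""
    defined = switch_defined_vlans(switch_config)
    return {ifc: tag for ifc, tag in asa_subinterface_vlans(asa_config).items()
            if tag not in defined}

if __name__ == "__main__":
    for ifc, tag in missing_vlans(ASA_CONFIG, SWITCH_CONFIG).items():
        print(f"{ifc}: VLAN {tag} tagged on the ASA but not created on the switch")
```

Running it against real devices means pasting the ASA `show run interface` output and the switch VLAN list in place of the two constants; an empty result means every tag the ASA sends has a VLAN waiting for it on the trunk.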

THANK YOU for your help.

I was being a wally, and only created the VLAN interface on the switch and not the VLANs themselves.

As soon as I read the first two lines of your email ... I knew immediately what I had done.

Silly me.

Thank you for your help. Appreciated!

Matt, you are welcome and glad I could help. All is fine, I assume; don't forget to rate helpful posts.

Bst Rgds

Jorge

Jorge Rodriguez

Hi Jorge

Can PC1 communicate with PC2, which has IP address 172.19.10.34?

Will inter-VLAN communication work with the ASA as an L3 device?

Please can you elaborate on "communication between the two subnets can be accomplished with inter-interface command in asa and a nonat excem"?

I have read somewhere that inter-VLAN communication via the same physical trunk cannot work???

Is that true?

Many Thanks

Fareed

I have read somewhere that inter-VLAN communication via the same physical trunk cannot work???

Hi Fareed, this is not true! You may have subinterfaces with the same sec level on the same physical trunk, or simply physical interfaces, again with the same sec level, and have communication between the two networks as long as you have configured the same-security-traffic permit inter-interface statement along with a nonat exempt rule.

Regards

Jorge

Jorge Rodriguez

Thanks a lot Jorge.

FYI, here is the link which was the cause of my confusion. If you scroll right to the bottom you will see a conclusion with a reference to a TAC case.

I typed these words in Google: "same-security-traffic permit inter-interface trunk asa"

and the 7th result from the top, from experts-exchange.com, is the link I am referring to.

Regards

Fareed
