Sub interface using ASA5510

Apr 25th, 2009

Hi,


I have an ASA5510 whose INSIDE interface is connected to a Cisco Catalyst 2960G switch (L2). Now I have 3 VLANs configured in the Cisco 2960G, and a TRUNK port is connected to the ASA5510 inside interface; that inside interface is configured as a TRUNK, which is automatic (802.1Q enabled). In this case, is it possible to have inter-VLAN communication between these 3 VLANs? If so, how do I do it, or is there any requirement for an L3 switch or router to have this inter-VLAN communication?


Please clarify my doubts.


Regards,


Newzion123.


Jon Marshall Sat, 04/25/2009 - 06:57

Newzion123


Yes, the ASA will allow the inter-VLAN communication, so you don't need an additional L3 switch/router.


First for configuring subinterfaces -


http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006


then you can either


1) give each subinterface a different security level and set up NAT and access-lists as you would with normal physical interfaces


or


2) give the subinterfaces the same security level and then add this to your config -


ASA(config)# same-security-traffic permit inter-interface


http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intparam.html#wp1039276


Jon
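As an added example (not from this thread, and not Cisco's own tooling), a small Python check for the second option described above: it parses the subinterface blocks of an ASA-style configuration and reports pairs of subinterfaces that share a security level while the global `same-security-traffic permit inter-interface` command is absent, which is exactly the state in which the ASA drops traffic between them. The configuration text, interface names and addresses are constructed.

```python
import re

# Constructed ASA-style configuration (assumed names, RFC 5737 addresses, not a real
# device): vlan10 and vlan20 share level 100, dmz is 50, the permit command is absent.
SAMPLE_CONFIG = """\
interface Ethernet0/1.10
 vlan 10
 nameif vlan10
 security-level 100
 ip address 192.0.2.1 255.255.255.0
interface Ethernet0/1.20
 vlan 20
 nameif vlan20
 security-level 100
 ip address 198.51.100.1 255.255.255.0
interface Ethernet0/1.30
 vlan 30
 nameif dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.0
"""

# Exact ASA syntax; near-misses like 'same-security-level permit ...' must not match.
PERMIT_INTER = re.compile(r"^same-security-traffic\s+permit\s+inter-interface$")

def parse_subinterfaces(config):
    """Return [[nameif, security_level], ...] for each 802.1Q subinterface (name has a dot)."""
    result, current = [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = [None, None] if "." in line.split()[1] else None
            if current is not None:
                result.append(current)
        elif current is not None and line.startswith("nameif "):
            current[0] = line.split()[1]
        elif current is not None and line.startswith("security-level "):
            current[1] = int(line.split()[1])
    return result

def inter_interface_permitted(config):
    """True when the global permit command is present with correct syntax."""
    return any(PERMIT_INTER.match(l.strip()) for l in config.splitlines())

def find_blocked_pairs(config):
    """Same-level subinterface pairs whose traffic the ASA drops until the permit is set."""
    if inter_interface_permitted(config):
        return []
    subifs = parse_subinterfaces(config)
    return [(a, b) for i, (a, la) in enumerate(subifs)
            for (b, lb) in subifs[i + 1:] if la is not None and la == lb]
```

Running `find_blocked_pairs(SAMPLE_CONFIG)` reports `[("vlan10", "vlan20")]`; appending the permit command to the configuration empties the list, while a mistyped variant of the command does not.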

newzion123 Sun, 04/26/2009 - 04:44

Hi Jon,


Thanks a lot for extending your support. I will try doing the same and will let you know.


Regards,


newzion.

gbenga-olubisi Sat, 04/25/2009 - 23:45

On the ASA5510 inside interface, you need to create subinterfaces (VLANs) and name them (nameif) appropriately. You may assign the same security-level to all the subinterfaces; if you do, you will need to configure the command "same-security-traffic permit inter-interface" in global configuration. I hope this helps.

cannan.ilangova... Sun, 04/26/2009 - 23:13

Inter-VLAN routing in PIX/ASA is not working as it is intended to... I believe PIX/ASA has an L3 engine which takes care of this routing stuff (otherwise it would not have support for RIP and OSPF in v7.2)... but for some reason, I am not able to get the box to do it... any help from the experts would be greatly appreciated...


I have the following topology:

    FW1(PIX)---FW2(PIX)
       |          |
       |          |
    CoreSw1---CoreSw2
       |          |
        \        /
         \      /
       AccessSwitch
          /    \
         /      \
       PC1      PC2


The relevant configuration from my PIX is below... PIX1 and PIX2 are in failover cluster mode... no question of NAT, as I have disabled it using the global configuration command "no nat-control".


! Physical trunk interface: carries the tagged VLANs, has no IP address of its own
interface e1
 nameif TRUNK
 security-level 100
 no ip address
!
! 802.1Q subinterface for VLAN 10
interface e1.10
 vlan 10
 nameif RMS-SD
 security-level 100
 ip address 10.116.205.130 255.255.255.128
!
! 802.1Q subinterface for VLAN 80
interface e1.80
 vlan 80
 nameif RMS-DS
 security-level 100
 ip address 10.116.217.1 255.255.255.0
!
access-list inbound_in extended permit ip any any
access-list outbound_out extended permit ip any any
!
access-group inbound_in in interface RMS-SD
access-group inbound_in in interface RMS-DS
access-group outbound_out out interface RMS-SD
access-group outbound_out out interface RMS-DS
access-group inbound_in in interface TRUNK
access-group outbound_out out interface TRUNK
!
! Both subinterfaces are at security-level 100, so traffic between them
! is dropped unless same-security inter-interface traffic is permitted
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface



PC1 Gateway (PIX) : 10.116.205.130

PC1 interface IP : 10.116.205.132


PC2 Gateway (PIX) : 10.116.217.1

PC2 interface IP : 10.116.217.3


I am able to PING the Gateway(PIX) of PC1 from PC1 and the Gateway(PIX) of PC2 from PC2. But I am not able to reach/ping PC2 from PC1 and vice-versa.


cannan.ilangova... Mon, 04/27/2009 - 00:48

I was wrong... it indeed was working... I was attempting to ping the gateway IP of PC1 from PC2 and vice-versa, which is NOT working though...


But my attempt to ping PC1 from PC2 and vice-versa was successful...


Thanks to all experts for their suggestions!!!
