LAN issues whenever ASA 5580-40 FW is connected to VLAN ports

Unanswered Question
Jun 15th, 2009

Hi,


I was trying to segment my internal server networks with a Cisco ASA 5580-40 FW. The different servers were segmented into different VLANs and work fine without the FW. However, whenever the FW DMZs are connected to ports associated with the different VLANs, some servers on the same LAN stop communicating at the application level. When all the other VLANs are shut down, leaving only the VLANs where the servers that are having issues reside, everything resumes working normally.


I don't know what the issues are with the LAN. Could someone advise what could be going on here?

Giuseppe Larosa Mon, 06/15/2009 - 23:02

Hello Olusegun,

You may want to post this in the security/firewalling forum, where you can get better help.


My first impression is that you may be facing a license limit issue, because you say that:

>> When all the other VLANs are shut down, leaving only the VLANs where the servers that are having issues reside, everything resumes working normally.


Or there is some form of conflict in the configuration.


Hope to help

Giuseppe


o.oresotu Tue, 06/16/2009 - 02:29

Hi guisiar,


Thanks. I strongly feel it's a LAN issue. Traffic was not initially passing through the FW. The firewall DMZs were connected to the respective VLANs of the servers in the various subnets. Could this stop server communication at the application level?

Giuseppe Larosa Tue, 06/16/2009 - 03:39

Hello Olusegun,

It is difficult to say anything without more details.


The ASA, being a FW, can be blocking some servers/subnets, either because of a configuration issue or because of some limitation (like the max number of VLANs on the trunk, if the link to the ASA is an L2 trunk).


Hope to help

Giuseppe


o.oresotu Tue, 06/16/2009 - 05:03

Hi giustar,


Thank you for your response. I actually have some of the interfaces of the FW DMZ configured as sub-interfaces (which is L2), while the corresponding port it connects to on the switch is a trunk port carrying all VLANs. Do you think configuring VLAN pruning on the switch will help?

Giuseppe Larosa Tue, 06/16/2009 - 23:58

Hello Olusegun,

I don't think this can solve it, but it helps.

However, defining on the switch side the set of allowed VLANs with

switchport trunk allowed vlan

is something that makes the scenario cleaner.


Hope to help

Giuseppe
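As an added illustration of the trunk pruning Giuseppe suggests and of the ASA sub-interface layout Olusegun describes (this is example configuration written for this page, not the poster's actual configuration or anything taken from the thread): the switch-side trunk restricted to exactly the VLANs that have a matching ASA sub-interface, and the ASA side with one sub-interface per VLAN. The interface names, VLAN IDs, names and IP addresses are all assumed; substitute your own.

```cisco
! --- Switch side (Cisco IOS). Assumed: ASA attached to Gi1/0/24,
! --- server VLANs 10, 20, 30. None of these IDs come from the thread.
vlan 10
 name servers-web
vlan 20
 name servers-app
vlan 30
 name servers-db
!
interface GigabitEthernet1/0/24
 description Trunk to ASA 5580 (DMZ sub-interfaces)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Prune the trunk to the VLANs that have an ASA sub-interface.
 ! Every other VLAN stays off this link instead of reaching the firewall.
 switchport trunk allowed vlan 10,20,30
 ! Dedicated, otherwise unused native VLAN, so no server VLAN is carried untagged
 ! (untagged frames would land on the ASA physical interface, not a sub-interface).
 switchport trunk native vlan 999
 spanning-tree portfast trunk
!
! --- ASA side. Physical interface carries no IP; each VLAN gets a sub-interface.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz-web
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz-app
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif dmz-db
 security-level 50
 ip address 10.10.30.1 255.255.255.0
! Note: with equal security levels the ASA drops traffic between these
! sub-interfaces by default; permit only the flows the servers need with
! explicit access-lists rather than opening all inter-DMZ traffic.
```

To check the result, `show interfaces trunk` on the switch lists the allowed and the active VLANs on the trunk, and `show vlan brief` confirms the VLANs exist in the VLAN database (a VLAN missing there is silently not carried). On the ASA, `show interface ip brief` and `show nameif` confirm the sub-interfaces are up and named, and `show version` reports how many VLANs the license permits, which is the limit Giuseppe raises earlier in the thread.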

