LAN issues whenever ASA 5580-40 FW is connected to VLAN ports

o.oresotu
Level 1

Hi,

I was trying to segment my internal server networks with a Cisco ASA 5580-40 FW. The different servers were segmented into different VLANs and work fine without the FW. However, whenever the FW DMZs are connected to ports associated with the different VLANs, some servers on the same LAN stop communicating at the application level. When all the other VLANs are shut down, leaving only the VLANs where the servers that are having issues reside, everything resumes working normally.

I don't know what the issue is with the LAN. Could someone advise what could be going on here?

5 Replies

Giuseppe Larosa
Hall of Fame

Hello Olensegun,

you may want to post this in the security/firewalling forum where you can get better help.

My first impression is that you may be facing a license limit issue, because you say that:

>> When all the other VLANs are shut down, leaving only the VLANs where the servers that are having issues reside, everything resumes working normally.

Or there is some form of conflict in the configuration.

Hope to help

Giuseppe

Hi Giuseppe,

Thanks. I strongly feel it's a LAN issue. Traffic was not initially passing through the FW. The firewall DMZs were connected to the respective VLANs of the servers in the various subnets. Could this stop server communication at the application level?

Hello Olusegun,

It is difficult to say anything without more details.

The ASA, being a FW, can be blocking some servers/subnets, either because of a configuration issue or because of some limitation (like the max number of VLANs on the trunk, if the link to the ASA is an L2 trunk).

Hope to help

Giuseppe

Hi Giuseppe,

Thank you for your response. I actually have some of the interfaces of the FW DMZ configured as sub-interfaces (which is L2), while the corresponding port they connect to on the switch is a trunk port carrying all VLANs. Do you think configuring VLAN pruning on the switch will help?

Hello Olusegun,

I don't think this can solve it, but it helps.

However, defining on the switch side the set of allowed VLANs with

switchport trunk allowed vlan

is something that makes the scenario cleaner.

Hope to help

Giuseppe
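As an added illustration (not configuration from this thread or from Cisco), here is what the switch-side trunk pruning Giuseppe describes looks like next to matching ASA sub-interfaces, with the unpruned trunk shown first for comparison; interface names, VLAN IDs, nameifs and addresses are assumed placeholders.

```cisco
! --- Catalyst switch side (assumed interface and VLAN IDs) ---
! Before: the trunk to the ASA carries every VLAN, including VLANs
! that have no ASA sub-interface and no reason to reach the firewall.
interface GigabitEthernet1/0/24
 description uplink-to-ASA-5580
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! After: only the VLANs that actually have an ASA sub-interface are allowed.
interface GigabitEthernet1/0/24
 description uplink-to-ASA-5580
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Check what the trunk really forwards after the change:
! show interfaces GigabitEthernet1/0/24 trunk
! show interfaces GigabitEthernet1/0/24 switchport

! --- ASA side: one sub-interface per allowed VLAN (assumed IDs/addresses) ---
interface GigabitEthernet3/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet3/0.10
 vlan 10
 nameif dmz-web
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet3/0.20
 vlan 20
 nameif dmz-db
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! Sub-interfaces that share a security level do not pass traffic to each
! other unless this is enabled; worth checking if inter-DMZ flows break.
same-security-traffic permit inter-interface
!
! Confirm the sub-interfaces are up and tagged as expected:
! show interface ip brief
! show vlan
```

Any VLAN left off the allowed list on the switch is simply not tagged toward the ASA, so a sub-interface for it would stay idle; compare the two show commands on each side before concluding the firewall itself is dropping traffic.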
