FIREWALL VLANS-HOW DOES IT WORK

Unanswered Question
Aug 7th, 2009

Hi

I have an ASA 5540 whose Gig2 interface is subinterfaced into 3 VLANs: 40, 50, 60. Do I need to trunk the port (the cable is coming from the ASA Gig2 interface) on the switch and create VLANs 40, 50 and 60 on the switch in order to get the hosts in these VLANs working? Do I have to do anything to the Gig2 interface? Please see the config below.

______________________________________

interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.40
 vlan 40
 nameif DMZ-Public
 security-level 40
 ip address 10.32.240.1 255.255.255.0 standby 10.32.240.2
!
interface GigabitEthernet0/2.50
 vlan 50
 nameif DMZ-2
 security-level 50
 ip address 10.32.241.1 255.255.255.0 standby 10.32.241.2
!
interface GigabitEthernet0/2.60
 vlan 60
 nameif DMZ-3
 security-level 60
 ip address 10.32.242.1 255.255.255.0 standby 10.32.242.2

srue Fri, 08/07/2009 - 07:27

Your config on the ASA looks fine. On the switch, you will need to trunk the port using dot1q, and you will need to create those VLANs (40, 50, 60) and allow them on the trunk port of the switch.

CCDECCDE9 Mon, 08/10/2009 - 08:04

Do these VLANs on the switch need to have the same subnet as the firewall VLAN interfaces?

In this case, on the switch:

interface Vlan40
 ip address 10.32.240.3 255.255.255.0
interface Vlan50
 ip address 10.32.241.3 255.255.255.0
interface Vlan60
 ip address 10.32.242.3 255.255.255.0

JORGE RODRIGUEZ Tue, 08/11/2009 - 08:38

You don't need to create L3 VLANs in the switch, as you already have the firewall as the layer 3 device for those networks. You just simply need to do what Steven indicated in his post.

Create the VLANs in the switch, for example:

SW1#vlan database
SW1(vlan)#vlan 40 name 10.32.240.0/24_net
SW1(vlan)#vlan 50 name 10.32.241.0/24_net
SW1(vlan)#vlan 60 name 10.32.242.0/24_net

Then create a dot1q trunk on the physical port in the switch that connects to the firewall:

SW1(config)#interface fe0/xx
SW1(config-if)#description Connection to ASA
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan 40,50,60

Then assign ports to the respective VLANs for hosts in the switch.

Regards
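A consistency check for the setup discussed in this thread, written here as an added example (it is not part of the thread and not Cisco tooling): it parses the ASA subinterface config quoted in the question together with a constructed switch trunk config, and flags VLANs the ASA terminates but the trunk prunes (hosts unreachable) as well as VLANs the trunk carries that the ASA has no leg on (unnecessary exposure that should be removed from the allowed list). The switch config, the port FastEthernet0/1 and VLAN 70 are constructed values.

```python
import ipaddress
import re
# ASA subinterface config quoted from the question (Gig0/2.40, .50, .60).
ASA_CONFIG = """
interface GigabitEthernet0/2.40
 vlan 40
 ip address 10.32.240.1 255.255.255.0 standby 10.32.240.2
interface GigabitEthernet0/2.50
 vlan 50
 ip address 10.32.241.1 255.255.255.0 standby 10.32.241.2
interface GigabitEthernet0/2.60
 vlan 60
 ip address 10.32.242.1 255.255.255.0 standby 10.32.242.2
"""
# Constructed switch trunk config: VLAN 70 is allowed but has no ASA leg.
SWITCH_CONFIG = """
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 40,50,60,70
 switchport mode trunk
"""

def parse_asa_vlans(config):
    """Map each ASA subinterface VLAN id to the IPv4 subnet it terminates."""
    vlans, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"\s*vlan (\d+)$", line):
            current = int(m[1])
        elif (m := re.match(r"\s*ip address (\S+) (\S+)", line)) and current:
            vlans[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return vlans

def parse_vlan_list(spec):
    """Expand an IOS VLAN list ('40,50,60' or '40-42,60') into a set of ids."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit_trunk(asa_config, switch_config):
    """Report ASA VLANs pruned from the trunk and trunk VLANs with no ASA leg."""
    asa = parse_asa_vlans(asa_config)
    m = re.search(r"switchport trunk allowed vlan (\S+)", switch_config)
    allowed = parse_vlan_list(m[1]) if m else set(range(1, 4095))  # IOS default: all
    findings = [f"VLAN {v} ({asa[v]}) is on the ASA but pruned from the trunk"
                for v in sorted(set(asa) - allowed)]
    findings += [f"VLAN {v} is allowed on the trunk but has no ASA subinterface"
                 for v in sorted(allowed - set(asa))]
    return findings
```

Run `audit_trunk(ASA_CONFIG, SWITCH_CONFIG)` after pasting in the real `show running-config interface` output; an empty list means the trunk carries exactly the VLANs the firewall terminates.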
