Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
590
Views
0
Helpful
3
Replies

FIREWALL VLANS-HOW DOES IT WORK

CCDECCDE9
Level 1
Level 1

‎08-07-2009 07:06 AM - edited ‎03-11-2019 09:03 AM

Hi

I have ASA 5540 whose Gig2 interface is subinterfaced into 3-vlans 40,50,60.Do I need to trunk the port(cable is coming from ASA Gig2 interface) on the switch and create VLANS 40,50 and 60 on the switch in order to get the hosts in these vlans working ? Do I have to do anything to Gig2 interface ?Please see config below

______________________________________

interface GigabitEthernet0/2

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2.40

vlan 40

nameif DMZ-Public

security-level 40

ip address 10.32.240.1 255.255.255.0 standby 10.32.240.2

!

interface GigabitEthernet0/2.50

vlan 50

nameif DMZ-2

security-level 50

ip address 10.32.241.1 255.255.255.0 standby 10.32.241.2

!

interface GigabitEthernet0/2.60

vlan 60

nameif DMZ-3

security-level 60

ip address 10.32.242.1 255.255.255.0 standby 10.32.242.2

Labels:
0 Helpful
3 Replies 3

srue
Level 7
Level 7

‎08-07-2009 07:27 AM

your config on the ASA looks fine..on the switch, you will need to trunk the port using dot1q, and you will need to create those vlans - 40,50,60 - and allow them on the trunk port of the switch.

0 Helpful

CCDECCDE9
Level 1
Level 1
In response to srue

‎08-10-2009 08:04 AM

these VLANS on the swith need to have same subnet as firewall VLAN interfaces ?

in this case

on switch :

Interface VLAN 40

ip address 10.32.240.3

Interface VLAN 50

ip address 10.32.241.3

Interface VLAN 60

ip address 10.32.242.3

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to CCDECCDE9

‎08-11-2009 08:38 AM

You don't need to create L3 vlans in the switch as you already have the firewall as a layer 3 device for those network. You just simply need to do what Steven indicated in his post.

Create the vlans in the switch

exmaple:

switch

WS1(config)vlan database

WS1(vlan)#vlan 40 name 10.32.240.0/24_net

WS1(vlan)#vlan 50 name 10.32.241.0/24_net

WS1(vlan)# vlan 60 name 10.32.242.0/24_net

then create dot1q trunk on the physical port in the switch that connects to the forewall..

SW1(config)#interface fe0/xx

SW1(config)#Description Connection to ASA

SW1(config)#switchport mode trunk

SW1(config)#switchport trunk encapsulation dot1q

SW1(config)#switchport trunk allowed vlan 40,50,60 etc..

then assign ports to respective vlans for hosts in the switch..

Regards

Jorge Rodriguez
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card