ASA VLAN 1 connection to different VLAN

Answered Question
Dec 3rd, 2009

Hi all,


I will be setting up a LAN (PCs and laptops) at a customer's site. The customer offered to provide me with connections on their core switch on a separate VLAN. I will set up a Cisco ASA5505 on the edge connected to the router. So, here is the topology:


     PC to Customer's Core Switch (VLAN125)

     ASA int E0/1 VLAN1 to Customer's Core Switch (VLAN125)


I would like to know if this configuration would work. Also, can I ping from the PC to the global int (E0/0 VLAN2) and LAN int of the router which has a public IP address?


Thanks,

sK

Correct Answer
Kureli Sankar Thu, 12/03/2009 - 13:03
User Badges: Cisco Employee

Sadik,

The topology isn't clear. Please clarify.


Which is E0/0 vlan2?


PC--vlan125--switch---vlan1--ASA-vlan2--Router--internet


You are asking if you can ping from the PC to the ASA's vlan2 interface? If so the answer is NO.

But you can ping from the PC to the Router's vlan2 interface.


The reason is you can only ping the closest interface to your client. You cannot ping the far side interface of the firewall.


-KS

sadik.bash Thu, 12/03/2009 - 13:45

Sorry if I wasn't clear.


Here is the clarification:


PC plugged into VLAN125 of customer's Switch

Inside Interface E0/1 (VLAN1) on the ASA plugged into the VLAN125 of customer's switch

Global Interface E0/0(VLAN2) on the ASA plugged into the router (FA0/0)

Router S0/0 connects to Internet


So, the question is if I ping the ASA Inside interface from the PC, would this work? And also, let's say PC IP is 172.16.2.100 and Inside ASA int E0/1 VLAN1 IP is 172.16.2.1.


Thanks in advance,

sK

Panos Kampanakis Thu, 12/03/2009 - 14:39
User Badges: Cisco Employee

As long as the switch can route between vlan125 and vlan1 you should be able to ping from the PC to vlan 1 (inside).

The ASA will not let you ping vlan2 though from the pc.


I hope it helps.


PK

sadik.bash Thu, 12/03/2009 - 15:15

Thanks for the reply.


I am not sure if the customer would enable that; however, as a solution, should I create a matching VLAN, VLAN125, on the inside ASA interface so routing wouldn't be required?


Thanks in advance,

sK

Jon Marshall Thu, 12/03/2009 - 15:24
User Badges: Super Blue (32500 points or more); Hall of Fame (Founding Member); Cisco Designated VIP (2017 LAN, WAN)

sK


It's not clear what you mean when you say "Inside interface E0/1 (VLAN1) on ASA plugged into vlan 125 of customer switch".


If the interface is connected to a port on the switch that is configured to be in vlan 125 then the ASA interface is not in vlan 1 at all but vlan 125.


So as long as the PC and the ASA connect to ports configured as vlan 125 and the PC and ASA have an IP address from the same subnet then you will not need routing.


Jon
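
The layout discussed in this thread, written out as configuration for both devices. This is an added example, not configuration posted by anyone in the thread. The /24 mask, the switch port name GigabitEthernet0/10 and the outside address 192.0.2.2 are assumptions; 172.16.2.1 and 172.16.2.100 are the addresses given in the question.

```cisco
! ---- Customer core switch (IOS), port facing ASA E0/1 ----
! Port name is hypothetical. An access port carries untagged frames,
! so the ASA never sees the number 125.
interface GigabitEthernet0/10
 description Uplink to ASA5505 E0/1 (inside)
 switchport mode access
 switchport access vlan 125
!
! ---- ASA 5505 ----
! VLAN 1 and VLAN 2 are local to the ASA's built-in switch. E0/1 is an
! untagged access port too, so "VLAN 1" on the ASA and "VLAN 125" on the
! customer switch are the same Layer 2 segment.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ! Same subnet as the PC (172.16.2.100), mask assumed /24: no routing needed.
 ip address 172.16.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ! Constructed placeholder address (documentation range), not from the thread.
 ip address 192.0.2.2 255.255.255.0
!
! With no "icmp" commands configured, the ASA answers echo requests on the
! interface where they arrive, so the PC can ping 172.16.2.1.
! To limit who may ping the inside interface, add a rule such as:
icmp permit 172.16.2.0 255.255.255.0 inside
!
! No rule makes 192.0.2.2 answer a ping that entered through "inside":
! the ASA does not reply to ICMP addressed to a far-side interface.
```

On the ASA, `show switch vlan` lists which physical ports belong to each local VLAN, and `show interface ip brief` confirms the Vlan1 and Vlan2 addresses and link state.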
