Connecting ASA 5505 to Layer 2 Switch on VLan

Mar 5th, 2010

Hi


I really need someone's help with this; I am a bit stumped.


We recently purchased a new internet link. The ISP has provided their own equipment which we don't have access to.


On this equipment they have created two Vlans. One for internet traffic and one for an extended WAN to another location.  The internet link is on VLan 183 on their equipment.


They advised me to connect a Layer 2 Switch directly to the port they had configured VLan 183 on. On the switch I created my own VLan also called 183, trunked it and added a few local switch ports to this Vlan. If I connect my laptop into one of the ports assigned to my Vlan and set my laptop's IP to the static information provided by the ISP I can surf the net.


I now need to hook my ASA up to this switch. I need my outside interface to point to the following

ip - 77.75.100.194

mask 255.255.255.252

gateway 77.75.100.193


My inside interface to

10.255.251.211

255.255.0.0


I need all traffic on the 10.255.0.0 network to be able to use this new internet link


I suppose I'm just really confused about how I link the ASA up with the Vlan'd switch.


In the past I have always hooked the ASA up direct to whatever router was provided but the VLAN in the middle is confusing me. Also I have only ever used 5510's and the 5505 seems slightly different.


If someone could point me in the right direction I would really appreciate it!


Thank you!!

Kureli Sankar Fri, 03/05/2010 - 09:03

I can certainly understand the confusion when it comes to ASA5505 and vlans.  Once you do it once, you will realize how easy it is.


Here is a link with a sample config: http://ezinearticles.com/?Basic-Configuration-Tutorial-For-the-Cisco-ASA-5505-Firewall&id=1681858


You create a layer 3 interface for outside vlan

you create a layer 3 interface for inside vlan

configure one port on outside vlan

configure other ports on inside vlan (by default it will be in vlan1)


Now, it is just like an ASA5510. The nameif and security lines go under the "int vlan" section.


-KS

drikilbride Fri, 03/05/2010 - 09:07

You are a life saver! I'll give that a try Monday when I'm back in the office!


Thanks again for your help!

drikilbride Mon, 03/08/2010 - 04:23

Hi


I have tried that but am still not able to get out onto the internet.


I am going to post my configs for both the ASA 5505 and my Cisco 2950 Switch.


Maybe someone could spot what I have missed?


Thanks in advance!!!

Kureli Sankar Mon, 03/08/2010 - 06:43

The config looks correct.

Are you able to ping xx.xx.xx.xx ?

interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252


route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1


Are you able to ping xx.xx.xx.xx??

I hope ip address in vlan2 and the default route are not the same IP address.


Ping the outside default gw from the firewall and collect captures and see what they say.


cap capout int outside match icmp any any

sh cap capout


check the logs as well

conf t

logging on

logging buffered 7


sh logg | i x.x.x.x


where x.x.x.x is the host that is trying to go to the internet.


-KS

drikilbride Mon, 03/08/2010 - 08:45

Hi


I can ping the following


VLAN2

IP Address xx.xx.xx.xx 255.255.255.252


I can't ping the default gateway route outside 0.0.0.0 0.0.0.0 x.x.x.x 1


The IP Address used in VLAN2 and the default gateway are different, both provided by the ISP.


The thing is, if I hook my laptop up direct to the Switch and statically assign it the IP, Gateway and DNS from ISP I have full internet access. There just seems to be an issue with the ASA and the trunked 802.1q switch port. (which works fine with the laptop)


I have attached the log from when I pinged the VLAN2 address from the firewall.


Thanks again!

Correct Answer
Kureli Sankar Mon, 03/08/2010 - 10:27

Seems like you need to configure vlan 183 and move the config from vlan2 to vlan183.


interface Vlan183
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 183


Pls. double check the trunk config and the vlan and see which one it is supposed to be.


-KS

drikilbride Tue, 03/09/2010 - 03:23

It's working!!!


Thanks a mil for all your help.


Changing the VLAN to VLAN 183 did the trick!
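
The checks raised in this thread (outside interface on the VLAN the ISP hand-off uses, a physical port assigned to that VLAN, a default gateway that differs from the interface address and sits in its subnet) can be run against a saved config before plugging the firewall in. This is an added example, not posted by anyone in the thread; `check_outside`, `GOOD` and the trimmed config are constructed for illustration, using the addresses given in the question.

```python
import ipaddress
import re

# Constructed, trimmed ASA 5505 config using the addresses from the question.
GOOD = """\
interface Vlan1
 nameif inside
 ip address 10.255.251.211 255.255.0.0
interface Vlan183
 nameif outside
 ip address 77.75.100.194 255.255.255.252
interface Ethernet0/0
 switchport access vlan 183
route outside 0.0.0.0 0.0.0.0 77.75.100.193 1
"""

def check_outside(config, isp_vlan):
    """Return a list of problems with how the outside interface is wired up."""
    named, addrs, port_vlans, gateway, current = {}, {}, {}, None, None
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["interface"]:
            current = words[1]
        elif words[:1] == ["nameif"]:
            named[words[1]] = current
        elif words[:2] == ["ip", "address"] and len(words) >= 4:
            addrs[current] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[:3] == ["switchport", "access", "vlan"]:
            port_vlans[current] = int(words[3])
        elif words[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"]:
            gateway = ipaddress.ip_address(words[4])
    outside = named.get("outside")
    m = re.fullmatch(r"Vlan(\d+)", outside or "")
    if m is None:  # assumes the 5505 style, where nameif sits under "interface VlanN"
        return ["no 'interface VlanN' carries 'nameif outside'"]
    vlan_id, problems = int(m.group(1)), []
    if vlan_id != isp_vlan:
        problems.append(f"outside is on {outside}, ISP hand-off is VLAN {isp_vlan}")
    if vlan_id not in port_vlans.values():
        problems.append(f"no port has 'switchport access vlan {vlan_id}'")
    addr = addrs.get(outside)
    if gateway is None or addr is None:
        problems.append("outside needs an ip address and a default route")
    elif gateway == addr.ip:
        problems.append("default gateway equals the outside interface address")
    elif gateway not in addr.network:
        problems.append(f"gateway {gateway} is outside {addr.network}")
    return problems

if __name__ == "__main__":
    print(check_outside(GOOD, 183))
    print(check_outside(GOOD.replace("Vlan183", "Vlan2").replace("vlan 183", "vlan 2"), 183))
```

The second call reproduces the state the thread started from, with the outside settings left under Vlan2, and reports the VLAN mismatch.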
