Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13669
Views
5
Helpful
7
Replies

Connecting ASA 5505 to Layer 2 Switch on VLan

Go to solution
drikilbride
Level 1
Level 1

‎03-05-2010 08:41 AM - edited ‎03-11-2019 10:18 AM

Hi

I really need someones help with this I am a bit stumped.

We recently purchased a new internet link. The ISP has provided their own equipment which we dont have access to.

On this equipment they have created two Vlans. One for internet traffic and one for an extended WAN to another location.  The internet link is on VLan 183 on their equipment.

The advised me to connected a Layer 2 Switch directly to the port they had configured VLan 183 on. On the switch I created my own VLan also called 183, trunked it and added a few local switch ports to this Vlan. If I connect my laptop into one of the ports assigned to my Vlan and set my laptops IP to the static information provided by the ISP I can surf the net.

I now need to hook my ASA up to this switch. I need my outside interface to point to the following

ip - 77.75.100.194

mask 255.255.255.252

gateway 77.75.100.193

My inside interface to

10.255.251.211

255.255.0.0

I need all traffic on the 10.255.0.0 network to be able to use this new internet link

I suppose Im just really confused about how I link the ASA up with the Vlan'd switch.

In the past I have always hooked the ASA up direct to whatever router was provided but the VLAN in the middle is confusing me. Also I have only ever used 5510's and the 5505 seems slightly different.

If someone could point me in the right direction I would really appreciate it!

Thank you!!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to drikilbride

‎03-08-2010 10:27 AM

Seems like you need to configured vlan 183 and move the config from vlan2 to vlan183.

interface Vlan183
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 183

Pls. double check the trunk config and the vlan and see which one it is supposed to be.

-KS

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee

‎03-05-2010 09:03 AM

I can certainly understand the confusion when it comes to ASA5505 and vlans.  Once you do it once, you will realize how easy it is.

Here is a link with a sample config: http://ezinearticles.com/?Basic-Configuration-Tutorial-For-the-Cisco-ASA-5505-Firewall&id=1681858

You create a layer 3 interface for outside vlan

you create a layer 3 interface for inside vlan

configure one port on outside vlan

configure other ports on inside vlan (by default it will be in vlan1)

now, it is just like a asa5510. The nameif and security lines go under the "int vlan" section.

-KS

Go to solution
drikilbride
Level 1
Level 1
In response to Kureli Sankar

‎03-05-2010 09:07 AM

You are a life saver! I'll give that a try Monday when I'm back in the office!

Thanks again for your help!

0 Helpful

Go to solution
drikilbride
Level 1
Level 1
In response to Kureli Sankar

‎03-08-2010 04:23 AM

Hi

I have tried that but am still not able to get out onto the internet.

I am going to post my configs for both the ASA 5505 and my Cisco 2950 Switch.

Maybe someone could spot what I have missed?

Thanks in advance!!!

61886-Switch Up to Date.txt.zip
0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to drikilbride

‎03-08-2010 06:43 AM

The config looks correct.

Are you able to ping xx.xx.xx.xx ?

interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

Are you able to ping xx.xx.xx.xx??

I hope ip address in vlan2 and the default route are not the same IP address.

Ping the outside default gw from the firewall and collect captures and see what they say.

cap capout int outside match icmp any any

sh cap capout

check the logs as well

conf t

logging on

logging buffered 7

sh logg | i x.x.x.x

where x.x.x.x is the host that is try to go to the internet.

-KS

0 Helpful

Go to solution
drikilbride
Level 1
Level 1
In response to Kureli Sankar

‎03-08-2010 08:45 AM

Hi

I can ping the following

VLAN2

IP Address xx.xx.xx.xx 255.255.255.252

I can't ping the default gateway route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

The IP Address used in VLAN2 and the default gateway are different, both provided by the ISP.

The thing is, if I hook my laptop up direct to the Switch and statically assign it the IP, Gateway and DNS from ISP I have full internet access. There just seems to be an issue with the ASA and the trunked 802.1q switch port. (which works fine with the laptop)

I have attached the log from when I pinged the VLAN2 address from the firewall.

Thanks again!

61913-PING LOG.txt.zip
0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to drikilbride

‎03-08-2010 10:27 AM

Seems like you need to configured vlan 183 and move the config from vlan2 to vlan183.

interface Vlan183
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 183

Pls. double check the trunk config and the vlan and see which one it is supposed to be.

-KS

0 Helpful

Go to solution
drikilbride
Level 1
Level 1
In response to Kureli Sankar

‎03-09-2010 03:23 AM

Its working!!!

Thanks a mil for all your help.

Changing the VLAN to VLAN 183 did the trick!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card