Solved: static route ASA 5506-x firewall to L3 Switch

Hanif Saharudin · ‎03-26-2017

Dear Cisco Expert,

I unable to perform static routing inside ASA interface.

If I perform command "ip routing" on my L3 Switch, I've trouble to control the L3 switch InterVLAN.

(I don't want VLAN 100(OLEO) and VLAN 101(ESTER) talk each other, Only VLAN 102(PHD) can talk to Outside, VLAN 100(OLEO) and VLAN 101(ESTER)

My question is, this network design can be work ?.Or I need re-design and add another VLAN for Link to ASA?

Please help me on this.

Thanks.

Hanif

Dennis Mink · ‎03-27-2017

Hanif,

in that case do not put any SVI's on your switch with IP addresses (so under your interface vlan 100, 101 and 102 dont configure an ip address). Just run a trunk between the switch and the firewall and put each VLAN;s default gateway IP address on the inside interface of the ASA and apply your access lists on those interfaces.

so the only IP address on your switch is on so you can telnet to it, thats it.

Please rate if helpful

Please remember to rate useful posts, by clicking on the stars below.

View solution in original post

Julio E. Moisa · ‎03-27-2017

Hi

As Dennis mentioned, you could use one only link between the Firewall an L3 switch, the gateways will be created on the firewall, it is also called intervlan routing, similar to routing in a stick scenario, this is an example:

Scenario

SWITCH -----trunk ---- Firewall

FIREWALL

interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.100
vlan 100
nameif OLEO-VLAN
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/0.101
vlan 101
nameif ESTER-VLAN
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.102
vlan 102
nameif PHD
security-level 100
ip address 10.2.1.1 255.255.255.0

SWITCH

vlan 100

vlan 101

vlan 102

interface g1/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown

* You will only create the vlans on the switch, no SVIs there.

Every internal network with security level 100 in order to communicate only if you are allowing the access.

Please rate the comment if it is useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Dennis Mink · ‎03-27-2017

Hanif,

in that case do not put any SVI's on your switch with IP addresses (so under your interface vlan 100, 101 and 102 dont configure an ip address). Just run a trunk between the switch and the firewall and put each VLAN;s default gateway IP address on the inside interface of the ASA and apply your access lists on those interfaces.

so the only IP address on your switch is on so you can telnet to it, thats it.

Please rate if helpful

Please remember to rate useful posts, by clicking on the stars below.

Julio E. Moisa · ‎03-27-2017

Hi

As Dennis mentioned, you could use one only link between the Firewall an L3 switch, the gateways will be created on the firewall, it is also called intervlan routing, similar to routing in a stick scenario, this is an example:

Scenario

SWITCH -----trunk ---- Firewall

FIREWALL

interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.100
vlan 100
nameif OLEO-VLAN
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/0.101
vlan 101
nameif ESTER-VLAN
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.102
vlan 102
nameif PHD
security-level 100
ip address 10.2.1.1 255.255.255.0

SWITCH

vlan 100

vlan 101

vlan 102

interface g1/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown

* You will only create the vlans on the switch, no SVIs there.

Every internal network with security level 100 in order to communicate only if you are allowing the access.

Please rate the comment if it is useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Hanif Saharudin · ‎03-30-2017

Dear Julio,

Thanks a lot for your details explanations.

Now we setup the Layer 3 switch to ASA as trunks port.

Easy understand your explanations. =)

Thanks,

Hanif

Julio E. Moisa · ‎03-30-2017

It was a pleasure my friend.

Have a great day!

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Hanif Saharudin · ‎03-30-2017

Dear Dennis,

Thanks for your suggestions.

Now understand the link from switch to ASA.

Thanks again =))

Regards,

Hanif