Solved: Re: ASA V-Lan Conf - Page 2

ray_stone · ‎08-13-2008

Hi,

I have setup a new Cisco L3 Switch and create three different V-Lan.

1) V-lan 100 192.168.12.0/24 f0

2) V-lan 200 192.168.13.0/24 f1

3) V-lan 300 192.168.14.0/24 f2

F3 switch port is directly connected with ASA 5505 FW.

ASA Inside IP 192.168.10.2

Switch F3 IP 192.168.10.1

Now I want that all Vlan traffic request for internet to be go through ASA. Please suggest what type of config I will have to do?

JORGE RODRIGUEZ · ‎08-13-2008

Assuming you have already configure basic ASA inside interface with 192.168.10.2/24

1-Start with Layer 2 vlans on switch, and use VLAN1 for management on same segment as ASA inside interface

2-Create L3 SVI interfaces for earch Layer 2 VLAN you created

3-Enable routing on the switch

4-Configure ASA static routes to talk to 12,13,14 subnets via 192.168.10.1

5-Configure ASA for NATing your inside hosts in L3 switch for internet access

6-COnfigure ASA with same-security-traffic permit intra-interface

7-ALLOw any subnet from behind ASA access to ASA for telnet and/or http for management

vlan database

vlan 100 name 192.168.12.0/24

vlan 101 name 192.168.13.0/24

vlan 102 name 192.168.14.0/24

exit

verify vlans " show vlan"

Now Create SVIs

interface vlan 100

Description 12.0/24 subnet

IP address 192.168.12.1 255.255.255.0

no shutdown

interface vlan 101

Description 13.0/24 subnet

IP address 192.168.13.1 255.255.255.0

no shutdown

interface vlan 102

Description 14.0/24 subnet

IP address 192.168.14.1 255.255.255.0

no shutdown

Management Vlan1 in switch which also servers as L3 connection to ASA

interface vlan1

Description Management

ip address 192.168.10.1 255.255.255.0

no shutdown

Enable routing in switch and configure default route

ip routing

ip route 0.0.0.0 0.0.0.0 192.168.10.2

Allocate switch port Fe0/48 to connect to ASA inside interface

interface fastethernet0/48

Description Connection to ASA_Ethernet1

speed 100

duplex full

no shutdown

test pinging from switch to asa inside interface - if ok proceed ..

ASA side configuration

route inside 192.168.12.0 255.255.255.0 192.168.10.1

route inside 192.168.13.0 255.255.255.0 192.168.10.1

route inside 192.168.14.0 255.255.255.0 192.168.10.1

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (inside) 1 192.168.12.0 255.255.255.0

nat (inside) 1 192.168.13.0 255.255.255.0

nat (inside) 1 192.168.14.0 255.255.255.0

http server enable

http 192.168.12.0 255.255.255.0 inside

http 192.168.13.0 255.255.255.0 inside

http 192.168.14.0 255.255.255.0 inside

telnet 192.168.12.0 255.255.255.0 inside

telnet 192.168.13.0 255.255.255.0 inside

telnet 192.168.14.0 255.255.255.0 inside

route 0.0.0.0 0.0.0.0 ISP_NetHop_Router_IP 1

/////////////////////

Now for real test, you need to place in switches PC hosts for the SVI interfaces to come up

Rememner that PCs default gateway will be the IP of the SVI interfaces.

Interface fastethernet0/1

Description PC1_192.168.12.40/24

switchport access vlan 100

no shutdown

Interface fastethernet0/2

Description PC1_192.168.13.40/24

switchport access vlan 101

no shutdown

from PC in subnet 100 ping its default gateway at 192.168.12.1

From PC in subnet 101 ping its default gatewat at 192.168.13.1

From PC in subnet 100 ping PC in subnet 101

From PC in subnet 100 ping asa Inside interface at 192.168.10.2

from PCs connect to internet

Did I missed anything?

Jorge Rodriguez

ray_stone · ‎08-13-2008

Hi, Thanks for your reply.

What is the use of this command.."same-security-traffic permit intra-interface" As I understand this command is to enable the V-lan's communication which is configured on Switch.

Here, I want to configure the Inter-V-Lan routing on L3 switch instead of ASA. Is it required and static commands or routing protocols like RIP, OSPF and etc. Please advice.

JORGE RODRIGUEZ · ‎08-13-2008

if you place any other hosts on 192.168.10.0/24 subnet beside the switch vlan1 192.168.10.1 and asa inside interface 192.168.10.2 you need this command in asa for traffic from 12,13,14 subnets to talk to hosts on the 10 subnet go out the same interface it came. Omit the command otherwise!

same-security-traffic permit intra-interface.

Jorge Rodriguez

ray_stone · ‎08-13-2008

And what about V-Lan communication? How will it be configured on L3 Switch?

JORGE RODRIGUEZ · ‎08-13-2008

Inter VLAN communication will be handle by the L3 switch and its routing function within.

Jorge Rodriguez

ray_stone · ‎08-13-2008

Is it not required any configuration on L3 Switch to talk with each other among V-lans?

JORGE RODRIGUEZ · ‎08-13-2008

No because internal routing is enabled on the switch, they will talk to each other fine.

Jorge Rodriguez

ray_stone · ‎08-13-2008

If I want to allow only one V-lan communicate with other V-lans then is it required access-list?

ray_stone · ‎08-13-2008

Last Question :- Can you please explain about following command in more details.

same-security-traffic permit intra-interface

JORGE RODRIGUEZ · ‎08-13-2008

This command is handly for many purposes in the ASA, one purpose is the one I previously mentioned, another purpose is full RA tunnels and internet access via your ASA firewall go out the same interface the RA connections come in. It does not hurt to have this command already configured in the firewa..

Jorge Rodriguez

JORGE RODRIGUEZ · ‎08-13-2008

Yes, ACLs will be required in the L3 switch if you want to control traffic between the subnets.

Jorge Rodriguez

ray_stone · ‎08-13-2008

Last Question :- Can you please explain about following command in more details.

same-security-traffic permit intra-interface

JORGE RODRIGUEZ · ‎08-13-2008

Here is a good visual example of same-security-traffic permit intra-interface

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#t3

Jorge Rodriguez

ray_stone · ‎08-13-2008

Thanks everyone for your prompt response specially Jorgemcse. Thank you so much.. Have a nice day :)

Marwan ALshawi · ‎08-13-2008

i guess from the rating the config i have given didnt work with u ?

anyway

hope i was helpful