
ASA VLAN 1 connection to different VLAN

sadik.bash
Level 1

Hi all,

I will be setting up a LAN (PCs and laptops) at a customer's site. The customer offered to provide me with connections on their core switch on a separate VLAN. I will set up a Cisco ASA5505 on the edge connected to the router. So, here is the topology:

     PC to Customer's Core Switch (VLAN125)

     ASA int E0/1 VLAN1 to Customer's Core Switch (VLAN125)

I would like to know if this configuration would work. Also, can I ping from the PC to the global int (E0/0 VLAN2) and LAN int of the router which has a public IP address?

Thanks,

sK

Accepted Solutions

Kureli Sankar
Cisco Employee

Sadik,

The topology isn't clear. Please clarify.

Which is E0/0 vlan2?

PC--vlan125--switch---vlan1--ASA-vlan2--Router--internet

You are asking if you can ping from the PC to the ASA's vlan2 interface? If so the answer is NO.

But you can ping from the PC to the Router's vlan2 interface.

The reason is you can only ping the closest interface to your client. You cannot ping the far side interface of the firewall.

-KS

Sorry if I wasn't clear.

Here is the clarification:

PC plugged into VLAN125 of customer's Switch

Inside Interface E0/1 (VLAN1) on the ASA plugged into the VLAN125 of customer's switch

Global Interface E0/0(VLAN2) on the ASA plugged into the router (FA0/0)

Router S0/0 connects to Internet

So, the question is if I ping the ASA Inside interface from the PC, would this work? And also, let's say PC IP is 172.16.2.100 and Inside ASA int E0/1 VLAN1 IP is 172.16.2.1.

Thanks in advance,

sK

As long as the switch can route between vlan125 and vlan1 you should be able to ping from the PC to vlan 1 (inside).

The ASA will not let you ping vlan2 though from the pc.

I hope it helps.

PK

Thanks for the reply.

I am not sure if the customer would enable that; however, as a solution, should I create a matching VLAN, VLAN125, on the inside ASA interface so routing wouldn't be required?

Thanks in advance,

sK

sadik.bash wrote:

Sorry if I wasn't clear.

Here is the clarification:

PC plugged into VLAN125 of customer's Switch

Inside Interface E0/1 (VLAN1) on the ASA plugged into the VLAN125 of customer's switch

Global Interface E0/0(VLAN2) on the ASA plugged into the router (FA0/0)

Router S0/0 connects to Internet

So, the question is if I ping the ASA Inside interface from the PC, would this work? And also, let's say PC IP is 172.16.2.100 and Inside ASA int E0/1 VLAN1 IP is 172.16.2.1.

Thanks in advance,

sK

sK

It's not clear what you mean when you say "Inside interface E0/1 (VLAN1) on ASA plugged into vlan 125 of customer switch"

If the interface is connected to a port on the switch that is configured to be in vlan 125 then the ASA interface is not in vlan 1 at all but vlan 125.

So as long as the PC and the ASA connect to ports configured as vlan 125 and the PC and ASA have an IP address from the same subnet then you will not need routing.

Jon
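
The layout described in the reply above, as an added configuration sketch that is not part of the original thread. The /24 mask and the customer switch port numbers are assumptions; the two IP addresses and the ASA interface names come from the thread.

```cisco
! --- Customer core switch (IOS syntax; port numbers are hypothetical) ---
! Both ports are untagged access ports in VLAN 125.
interface GigabitEthernet0/10
 description PC 172.16.2.100
 switchport mode access
 switchport access vlan 125
!
interface GigabitEthernet0/11
 description ASA5505 Ethernet0/1 (inside)
 switchport mode access
 switchport access vlan 125
!
! --- ASA 5505 ---
! VLAN 1 is only a local label on the ASA's built-in switch.
! Ethernet0/1 sends untagged frames, so the customer switch
! places them in VLAN 125; the two VLAN IDs never have to match.
interface Vlan1
 nameif inside
 security-level 100
 ! Mask is an assumption; it must match the PC's subnet.
 ip address 172.16.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ! Outside address is not given in the thread; set it for the router link.
!
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
! Expected behaviour per the replies in this thread:
!  - PC 172.16.2.100 -> 172.16.2.1 (inside): same subnet, no routing needed.
!  - PC -> ASA Vlan2 (outside) address: not answered, because the ASA
!    does not reply on its far-side interface.
```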

Thanks to all for your assistance.

SK
