Let me start by defining the end goal: Utilize an active/active ASA to filter traffic on specific network segments (VLANs). There is a 3750 stack which is acting as the VTP master. I'm having trouble understanding how routing will work in this scenario. I've defined the IP addresses of my test VLAN on the ASA, set the gateway of my client to this IP. How should the routing on the ASA be defined? Should I setup a separate VLAN just for routing? I'm very confused at this time about the proper configuration for my end goal.
Does there need to be an IP on the 3750 for each VLAN, or will this get routed through a default route?
Here's some more information. I've simplified my config and I can't get access controls to work on VLAN 16. I have two VLANs defined on the ASA, 16 and 80:
no ip address
description WAN VLAN Firewall
ip address 172.25.0.254 255.255.240.0
description PROD-OPP Firewall Interface
ip address 172.25.80.254 255.255.240.0
My switch looks like this:
interface GigabitEthernet1/0/12
description NO DESCRIPTION
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,80,255
switchport mode trunk
ip address 172.25.0.200 255.255.240.0
ip address 172.25.64.1 255.255.240.0
description PROD-OPP VLAN
ip address 172.25.80.1 255.255.240.0
ip helper-address 10.1.5.153
I've set my gateway on the PC to 172.25.0.254 (ASA IP). No matter what I do for ACLs, the ASA never shows any hits; if I do a sh conn, I see no established connections. I'm trying to connect back to devices in the 10.x.x.x network which the switch knows about. The system connects to them fine and if I do a traceroute it shows the 172.25.0.200 IP as a hop which makes sense. But it seems it isn't using the ASA. Does anyone have any ideas on this?
Thanks - I see that, but I was having problems understanding how traffic would be routed back to the VLANs on the network that aren't configured on the sub-interfaces. The answer was to configure a dedicated interface connected to the 3750 switch stack for the purposes of routing only - no trunking. Trunking is handled through a separate dedicated interface back to the switch stack. This configuration is currently working as expected. Thanks for the help.
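An added example, not from the thread: a small Python model of the forwarding paths in the posted topology, showing why return traffic from the 10.x network never crosses the ASA while the switch keeps an SVI in the ASA's VLAN (so the ASA sees no connections), and how the dedicated routed link from the final reply puts both directions through it. The PC and server addresses, the 10.1.5.0/24 subnet, the ASA's default route and the 192.0.2.0/30 link are assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

class Node:
    """A host or L3 device: its addressed interfaces and static routes."""
    def __init__(self, name, ifaces, routes=()):
        self.name = name
        self.ifaces = [ip_interface(i) for i in ifaces]
        self.routes = [(ip_network(n), ip_address(nh)) for n, nh in routes]

    def next_hop(self, dst):
        """None means directly connected (deliver); else longest-match next hop."""
        if any(dst in i.network for i in self.ifaces):
            return None
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda r: r[0].prefixlen)[1]

def trace(nodes, src, dst):
    """Names of the nodes a packet from node `src` to address `dst` traverses."""
    by_addr = {i.ip: n for n in nodes.values() for i in n.ifaces}
    node, dst, path = nodes[src], ip_address(dst), [src]
    while (nh := node.next_hop(dst)) is not None:
        node = by_addr[nh]              # next hop must be an address we know
        path.append(node.name)
        if len(path) > 16:
            raise RuntimeError("routing loop")
    return path

def asa_sees_both_directions(nodes, client, server):
    """True only if forward AND return paths pass the firewall (no asymmetry)."""
    fwd = trace(nodes, client, str(nodes[server].ifaces[0].ip))
    rev = trace(nodes, server, str(nodes[client].ifaces[0].ip))
    return "ASA" in fwd and "ASA" in rev

# Topology as posted (172.25.x addresses from the thread; PC, server, the
# 10.1.5.0/24 subnet and the ASA default route are assumed). Note the switch
# owns an SVI (172.25.0.200) inside the ASA's VLAN 16 subnet.
POSTED = {n.name: n for n in [
    Node("PC", ["172.25.0.10/20"], [("0.0.0.0/0", "172.25.0.254")]),
    Node("ASA", ["172.25.0.254/20", "172.25.80.254/20"], [("0.0.0.0/0", "172.25.0.200")]),
    Node("SW", ["172.25.0.200/20", "172.25.64.1/20", "172.25.80.1/20", "10.1.5.1/24"]),
    Node("SRV", ["10.1.5.153/24"], [("0.0.0.0/0", "10.1.5.1")]),
]}
# Fix from the final reply: a dedicated routed link (assumed 192.0.2.0/30) between
# ASA and switch; the switch no longer has SVIs in the firewalled VLANs and routes
# those subnets to the ASA instead.
FIXED = {n.name: n for n in [
    Node("PC", ["172.25.0.10/20"], [("0.0.0.0/0", "172.25.0.254")]),
    Node("ASA", ["172.25.0.254/20", "172.25.80.254/20", "192.0.2.1/30"], [("0.0.0.0/0", "192.0.2.2")]),
    Node("SW", ["172.25.64.1/20", "10.1.5.1/24", "192.0.2.2/30"],
         [("172.25.0.0/20", "192.0.2.1"), ("172.25.80.0/20", "192.0.2.1")]),
    Node("SRV", ["10.1.5.153/24"], [("0.0.0.0/0", "10.1.5.1")]),
]}
```

With POSTED, the forward path is PC, ASA, SW but the return path is SRV, SW straight back to the PC, which is exactly the asymmetric flow that leaves the ASA's ACL counters and conn table empty.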