Cisco Support Community
ASA VLAN Trunking - Firewalling - Routing issue

Let me start by defining the end goal: utilize an active/active ASA to filter traffic on specific network segments (VLANs). There is a 3750 stack which is acting as the VTP master. I'm having trouble understanding how routing will work in this scenario. I've defined the IP addresses of my test VLAN on the ASA and set the gateway of my client to this IP. How should the routing on the ASA be defined? Should I set up a separate VLAN just for routing? I'm very confused at this time about the proper configuration for my end goal.

Does there need to be an IP on the 3750 for each VLAN, or will this get routed through a default route?


Re: ASA VLAN Trunking - Firewalling - Routing issue

Here's some more information. I've simplified my config and I can't get access controls to work on VLAN 16. I have two VLANs defined on the ASA, 16 and 80:

interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.16
 description WAN VLAN Firewall
 vlan 16
 nameif WAN
 security-level 50
 ip address
!
interface GigabitEthernet0/0.80
 description PROD-OPP Firewall Interface
 vlan 80
 security-level 75
 ip address

My switch looks like this:

interface GigabitEthernet1/0/12
 description NO DESCRIPTION
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 16,80,255
 switchport mode trunk
 spanning-tree portfast
!
interface Vlan16
 description WAN
 ip address
!
interface Vlan64
 description Office
 ip address
!
interface Vlan80
 description PROD-OPP VLAN
 ip address
 ip helper-address

I've set my gateway on the PC to (ASA IP). No matter what I do for ACLs, the ASA never shows any hits, and if I do a sh conn I see no established connections. I'm trying to connect back to devices in the 10.x.x.x network, which the switch knows about. The system connects to them fine, and if I do a traceroute it shows the IP as a hop, which makes sense. But it seems it isn't using the ASA. Does anyone have any ideas on this?




Re: ASA VLAN Trunking - Firewalling - Routing issue

If you want traffic between VLANs 16 and 80 to go through the ASA, remove the IP addresses from the VLAN interfaces 16 and 80 in the switch.


Re: ASA VLAN Trunking - Firewalling - Routing issue

Thanks - I see that, but I was having problems understanding how traffic would be routed back to the VLANs on the network that aren't configured on the sub-interfaces. The answer was to configure a dedicated interface connected to the 3750 switch stack for the purposes of routing only - no trunking. Trunking is handled through a separate dedicated interface back to the switch stack. This configuration is currently working as expected. Thanks for the help.
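The working design described in the two replies above (SVIs for the firewalled VLANs removed from the 3750 so the ASA is the only gateway on those segments, plus a separate routed link for everything the switch already knows how to reach), written out as an added configuration example. This is not the original poster's config: the addresses (10.16.0.0/24 and 10.80.0.0/24 for the two VLANs, a 10.255.0.0/30 point-to-point link, 10.0.0.0/8 for the rest of the campus), the second interface numbers, the interface names and the sample ACL are assumptions chosen to illustrate the design, and it is written in single-context syntax rather than the active/active (multiple-context) setup mentioned in the first post.

```cisco
! ===== ASA (single context; addresses and names are assumed for the example) =====
interface GigabitEthernet0/0
 description Trunk to 3750 stack - carries only the firewalled VLANs
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.16
 description WAN VLAN Firewall
 vlan 16
 nameif WAN
 security-level 50
 ip address 10.16.0.1 255.255.255.0
!
interface GigabitEthernet0/0.80
 description PROD-OPP Firewall Interface
 vlan 80
 nameif PROD-OPP
 security-level 75
 ip address 10.80.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Routed link to 3750 stack - no trunking
 nameif inside
 security-level 100
 ip address 10.255.0.1 255.255.255.252
!
! Everything the switch knows about (the 10.x.x.x campus) is reached over the routed link
route inside 10.0.0.0 255.0.0.0 10.255.0.2 1
!
! Sample policy: VLAN 80 hosts may reach the campus on TCP/443 only; everything else is logged and dropped
access-list PROD-OPP_in extended permit tcp 10.80.0.0 255.255.255.0 10.0.0.0 255.0.0.0 eq 443
access-list PROD-OPP_in extended deny ip any any log
access-group PROD-OPP_in in interface PROD-OPP

! ===== 3750 stack (IOS) =====
ip routing
!
! Remove the SVIs so the switch can no longer answer for, or route, these two segments itself
no interface Vlan16
no interface Vlan80
!
interface GigabitEthernet1/0/12
 description Trunk to ASA Gi0/0 (firewalled VLANs only)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 16,80
 switchport mode trunk
!
interface GigabitEthernet1/0/13
 description Routed link to ASA Gi0/1
 no switchport
 ip address 10.255.0.2 255.255.255.252
!
! Return path: the firewalled subnets are only reachable through the ASA
ip route 10.16.0.0 255.255.255.0 10.255.0.1
ip route 10.80.0.0 255.255.255.0 10.255.0.1
```

The security-relevant point is the return path: with the SVIs deleted and the two static routes on the 3750 pointing back at the ASA's routed interface, both directions of every flow cross the firewall, so `show conn` and the ACL hit counters on the ASA will reflect the traffic. If the switch kept an SVI in VLAN 16 or 80, replies would go straight back to the hosts and bypass the policy. Two practical caveats: the `ip helper-address` that lived on the deleted VLAN 80 SVI disappears with it, so DHCP relay for that segment has to move to the ASA (`dhcprelay server <server-ip> inside` and `dhcprelay enable PROD-OPP`) if clients depend on it; and a sub-interface without a `nameif` is not usable on the ASA, so `show interface ip brief` is the first thing to check when an interface shows no hits.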